Microsoft Disrupts Fox Tempest Malware-Signing Service for Ransomware Gangs

Severity: High (Score: 71.0)

Sources: Scworld, News.Risky.Biz, Blogs.Microsoft, Cybersecuritydive, www.theblock.co

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: microsoft, cybercrime, service, software, down, tempest, ransomware

Severity indicators: ransomware

Summary

On May 19, 2026, Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation that provided over 1,000 fraudulent code-signing certificates to cybercriminals, enabling them to disguise malware as legitimate software. The operation, active since May 2025, abused Microsoft's Artifact Signing service, allowing ransomware groups such as Rhysida (Vanilla Tempest) to deploy signed malware that evaded detection. Microsoft seized the signspace[.]cloud domain, revoked the certificates, and took down hundreds of virtual machines linked to the operation. The service facilitated attacks on sectors including healthcare and education across multiple countries, including the US, France, and India. The disruption was part of a broader legal case filed in the US District Court for the Southern District of New York. Microsoft is collaborating with the FBI and Europol to identify the individuals behind Fox Tempest.

Key Points:

  • Microsoft disrupted Fox Tempest, a major malware-signing service used by ransomware groups.
  • The operation provided over 1,000 fraudulent certificates, enabling malware to appear legitimate.
  • Fox Tempest's activities affected sectors worldwide, including healthcare and education.

Detailed Analysis

**Impact**

Fox Tempest's malware-signing-as-a-service (MSaaS) affected thousands of machines globally, including over a dozen owned by Microsoft in the US. The operation enabled ransomware groups such as Vanilla Tempest (Rhysida), INC, Qilin, Akira, Storm-0501, Storm-2561, and Storm-0249 to deploy malware against healthcare, education, government, financial services, and critical infrastructure organizations across the US, France, India, China, Brazil, Germany, Japan, the UK, Italy, and Spain. The signed malware facilitated ransomware attacks, data extortion, and credential theft, affecting organizations worldwide since May 2025.

**Technical Details**

Fox Tempest abused Microsoft's Artifact Signing service (formerly Trusted Signing) by using stolen identities and fake organizations to pass the service's identity validation and obtain over 1,000 short-lived code-signing certificates, each valid for 72 hours. The group operated hundreds of Azure tenants and subscriptions and hosted a portal (signspace[.]cloud) with drag-and-drop functionality that let customers upload files and receive them back signed. Signed payloads included the Oyster backdoor, Lumma Stealer, Vidar infostealer, Malcert, and ransomware strains deployed by Vanilla Tempest and others, typically packaged as installers for Microsoft Teams, AnyDesk, PuTTY, and Webex and distributed through SEO poisoning and malvertising. Because Windows and Microsoft Defender SmartScreen weight a valid Authenticode signature from a trusted chain heavily in their reputation decisions, the signed files bypassed controls that would otherwise have blocked or warned on an unknown installer. Note that the 72-hour certificate lifetime does not limit the malware's useful life: a timestamped signature remains valid after the certificate expires, and Windows continues to honor it unless the certificate is revoked with an effective date earlier than the signing time.

**Recommended Response**

Block the certificates Microsoft has revoked (for example by thumbprint or publisher in WDAC or AppLocker policy) and hunt for digitally signed files that chain to them; a signature can still report as valid on an endpoint if the file was timestamped before revocation, so do not rely on signature status alone. Treat a valid signature as a statement about who the certificate authority verified, not as evidence that the software is safe, and compare the signer's subject against the publisher you expect for that product. Code-signing service operators should harden identity verification and increase scrutiny of accounts that request large volumes of short-lived certificates. Deploy detections for the malware families linked to this operation, including Oyster, Lumma Stealer, Vidar, and Rhysida ransomware. Monitor network traffic and endpoints for signs of SEO poisoning, malvertising, and digitally signed malicious installers masquerading as legitimate enterprise software.
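To act on the hunting advice above, the following PowerShell script is an added example written for this page; it is not code from Microsoft or from any of the source articles. It walks directories where downloaded installers typically land, reads each binary's Authenticode signature, and reports files whose signer certificate is either on a local blocklist of thumbprints or carries the 72-hour lifetime characteristic of Artifact Signing certificates. The `$BlockedThumbprints` parameter is a placeholder to populate from Microsoft's published indicators, and the issuer-name substring `Microsoft ID Verified` is an assumption about how the Artifact Signing issuing CA appears in the certificate's issuer field; confirm both against a known-good signed sample before relying on the output.

```powershell
# Added example, not from Microsoft or any source article.
# Hunts for Authenticode-signed binaries whose signer certificate is either on a
# local blocklist or matches the short-lived Artifact Signing certificate profile.

function Find-ShortLivedSignedBinaries {
    param(
        [Parameter(Mandatory)]
        [string[]]$Paths,
        # Hypothetical placeholder: fill with thumbprints of the certificates Microsoft revoked.
        [string[]]$BlockedThumbprints = @(),
        # Assumption: substring of the Artifact Signing issuing CA's distinguished name.
        [string]$IssuerPattern = 'Microsoft ID Verified',
        # Artifact Signing certificates are valid for 72 hours.
        [TimeSpan]$MaxLifetime = [TimeSpan]::FromHours(72)
    )

    Get-ChildItem -Path $Paths -Recurse -File -Include *.exe,*.dll,*.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }    # unsigned file: out of scope for this hunt

        $lifetime   = $cert.NotAfter - $cert.NotBefore
        $shortLived = $lifetime -le $MaxLifetime
        $fromAS     = $cert.Issuer -like "*$IssuerPattern*"
        $blocked    = $BlockedThumbprints -contains $cert.Thumbprint   # -contains is case-insensitive

        if ($blocked -or ($shortLived -and $fromAS)) {
            [pscustomobject]@{
                Path        = $_.FullName
                # Status can still read Valid after revocation when the signature was timestamped
                # and the revocation date is later than the signing time; never use it alone.
                Status      = $sig.Status
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                Thumbprint  = $cert.Thumbprint
                NotBefore   = $cert.NotBefore
                NotAfter    = $cert.NotAfter
                Timestamped = [bool]$sig.TimeStamperCertificate
                Blocked     = $blocked
            }
        }
    }
}

# Usage: scan the locations where user-downloaded installers typically land,
# listing blocklist hits first.
Find-ShortLivedSignedBinaries -Paths "$env:LOCALAPPDATA", "$env:TEMP", "$env:ProgramData" |
    Sort-Object Blocked -Descending |
    Format-Table Path, Subject, Thumbprint, NotBefore, NotAfter, Status, Blocked -AutoSize
```

A hit on the short-lived/issuer heuristic alone is not evidence of malice, since legitimate publishers use Artifact Signing too; triage on whether the subject name matches the publisher expected for that product (a "Microsoft Teams" installer signed by an unfamiliar organization is the pattern described above), where the file came from, and whether the thumbprint is among those Microsoft revoked. Run the script with an account that can read the target directories, and expect a scan of `$env:ProgramData` to take a few minutes on a busy workstation.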

Source articles (22)

  • Microsoft disrupts cybercrime service that abused software verification systems en masse — Cyberscoop · 2026-05-19
    Microsoft seized infrastructure and disrupted a cybercrime service that created and sold more than 1,000 code-signing certificates that other cybercriminals used to make malware-riddled software appea…
  • Ask Fitis The Bear Real Crooks Sign Their Malware — krebsonsecurity.com · 2026-05-19
  • Exposing Fox Tempest A Malware Signing Service Operation — www.microsoft.com · 2026-05-20
  • Le Dauphine Libere — www.ledauphine.com · 2026-05-20
    Within two days, three of the largest French tourism groups have seen their customers' data published on the dark web. Up to five million customers could be affected…
  • VirusTotal — www.virustotal.com · 2026-05-19
  • Verus Ethereum Bridge Exploit — www.theblock.co · 2026-05-20
  • Microsoft Artifact Signing — learn.microsoft.com · 2026-05-20
  • Disrupting Fox Tempest A Cybercrime Service — blogs.microsoft.com · 2026-05-19
  • VirusTotal — www.virustotal.com · 2026-05-19
  • Microsoft disrupts Fox Tempest malware-signing service | brief — Scworld · 2026-05-20
    Microsoft has disrupted Fox Tempest, a malware-signing-as-a-service operation that enabled cybercriminals to sign malicious software with fake trusted certificates, making it appear legitimate and eas…
  • Fox Tempest Linked to Malware — Gbhackers · 2026-05-20
    Fox Tempest, a financially motivated threat actor, has been linked to a large-scale malware-signing-as-a-service (MSaaS) operation that abused Microsoft’s Artefact Signing platform to enable cybercrim…
  • Microsoft disrupts cybercrime service offering malware disguised as legitimate software — Nextgov · 2026-05-19
    Microsoft on Tuesday took actions against a “malware-signing-as-a-service” provider that has helped criminal hackers evade security defenses designed to check whether software is legitimate. The group…
  • Fox Tempest Malware — Cybersecuritynews · 2026-05-20
    A financially motivated threat actor known as Fox Tempest has been operating a sophisticated malware-signing-as-a-service (MSaaS) platform that abused Microsoft’s Artifact Signing infrastructure to ge…
  • Microsoft disrupts cybercrime operation that hid behind legitimate software — Cybersecuritydive · 2026-05-20
    The Fox Tempest malware-signing-as-a-service operation was linked to numerous ransomware attacks. Microsoft on Tuesday said it disrupted Fox Tempest , a cybercrime operation that helped ransomware gan…
  • Microsoft takes down MSaaS used by ransomware gangs — News.Risky.Biz · 2026-05-20
    Microsoft has sued and seized domains and server infrastructure belonging to SignSpaceCloud ( signspace[.]cloud ), a Russian cybercrime service that sold code signing certificates to malware and ranso…
  • Microsoft disrupts malware code — Csoonline · 2026-05-20
    Microsoft has disrupted the infrastructure powering the largest malware code-signing service used to help ransomware groups and other cybercriminals make malicious programs harder to detect on Windows…
  • Microsoft dismantled malware — Securityaffairs.Co · 2026-05-19
    Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) that allowed attackers to sign malware with fake trusted certificates. Microsoft said it disrupted a cybercrime operation run by…
  • Microsoft shuts down illegal code — Theregister · 2026-05-19
    Microsoft seized websites and took down hundreds of virtual machines running a cybercrime service that allegedly sold code-signing certificates to ransomware gangs, thus making their malware look like…
  • Microsoft disrupts Fox Tempest malware-signing-as-a — Therecord.Media · 2026-05-19
    The company unsealed a legal case in U.S. District Court on Tuesday detailing the disruption of Fox Tempest — a popular service that has operated since May 2025 and provides cybercriminals with code s…
  • Cybercrime service disrupted for abusing Microsoft platform to sign malware — Bleepingcomputer · 2026-05-19
    Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware…
  • Microsoft Takes Down Fox Tempest for Providing Ransomware — Infosecurity-Magazine · 2026-05-19
    Microsoft has cracked down on Fox Tempest, a cyber threat actor that fueled Rhysida ransomware attacks and developed tools for major malware strains like Oyster, Lumma Stealer, and Vidar. On May 19, t…
  • Exposing Fox Tempest: A malware — Blogs.Microsoft · 2026-05-19
    Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distr…

Timeline

  • 2025-05-01 — Fox Tempest operation begins: Fox Tempest started providing malware-signing services, abusing Microsoft's Artifact Signing system.
  • 2026-05-19 — Microsoft disrupts Fox Tempest: Microsoft seized the signspace[.]cloud domain and revoked over 1,000 fraudulent certificates used by Fox Tempest.
  • 2026-05-19 — Legal case unsealed against Fox Tempest: Microsoft filed a lawsuit in the US District Court for the Southern District of New York targeting Fox Tempest and its operations.
  • 2026-05-19 — Microsoft collaborates with law enforcement: Microsoft is working with the FBI and Europol to identify the individuals behind Fox Tempest.

CVEs

  • CVE-2024-12802
  • CVE-2026-29205
  • CVE-2026-45829

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Crazy Evil Traffers Crypto-theft Campaign (Campaign)
  • Operation Ramz (Campaign)
  • Vanilla Tempest Ransomware Operation (Campaign)
  • Salt Typhoon (Apt Group)
  • MuddyWater (Apt Group)
  • ShinyHunters (Apt Group)
  • Storm-2561 (Apt Group)
  • Vanilla Tempest (Apt Group)
  • 7-Eleven (Company)
  • Académie D’Aix-Marseille (Company)
  • AntV (Company)
  • Belambra (Company)
  • British Library (Company)
  • Collège De France (Company)
  • Gîtes De France (Company)
  • Maeva (Company)
  • Microsoft (Company)
  • Nemea (Company)
  • Pierre & Vacances (Company)
  • Pierre & Vacances-Center Parcs (Company)
  • Post Luxembourg (Company)
  • RXNT (Company)
  • Seattle-Tacoma International Airport (Company)
  • Education (Company)
  • Azure (Company)
  • Brazil (Country)
  • Canada (Country)
  • China (Country)
  • France (Country)
  • Germany (Country)
  • India (Country)
  • Italy (Country)
  • Japan (Country)
  • Jordan (Country)
  • Luxembourg (Country)
  • Romania (Country)
  • Spain (Country)
  • United States (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • databreaches.net (Domain)
  • dernier.la (Domain)
  • signspace.cloud (Domain)
  • Financial (Industry)
  • Financial Services (Industry)
  • Government (Industry)
  • Healthcare (Industry)
  • Retail (Industry)
  • Aurora (Platform)
  • Artefact Signing Platform (Platform)
  • DAVE Protocol (Platform)
  • GitHub (Platform)
  • Huawei Enterprise Routers (Platform)
  • PyPI (Platform)
  • Webex (Platform)
  • Windows (Platform)
  • Fox Tempest (Malware)
  • Lumma (Malware)
  • Lumma Stealer (Malware)
  • Malcert (Malware)
  • Oyster (Malware)
  • Shai-hulud (Malware)
  • Vidar (Malware)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1218.005 - Mshta (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • AnyDesk (Tool)
  • Artifact Signing (Tool)
  • Microsoft Teams (Tool)
  • Npm (Tool)
  • Putty (Tool)
  • Microsoft Code Signing Tools (Tool)
  • SamCodeSign (Tool)
  • Akira (Ransomware Group)
  • Blackbyte (Ransomware Group)
  • INC (Ransomware Group)
  • Qilin (Ransomware Group)
  • Rhysida (Ransomware Group)
  • Storm-0249 (Ransomware Group)
  • Storm-0501 (Ransomware Group)
  • Storm-2501 (Ransomware Group)
  • Vice Society (Ransomware Group)
  • Vice Spider (Ransomware Group)