Cyberscoop
Microsoft Disrupts Fox Tempest Malware-Signing Service for Ransomware Gangs
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On May 19, 2026, Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation that provided over 1,000 fraudulent code-signing certificates to cybercriminals, enabling them to disguise malware as legitimate software. The operation, active since May 2025, abused Microsoft's Artifact Signing service, allowing ransomware groups like Rhysida and Vanilla Tempest to deploy malware undetected. Microsoft seized the signspace[.]cloud domain, revoked the certificates, and took down hundreds of virtual machines linked to the operation. The service facilitated attacks on various sectors, including healthcare and education, across multiple countries, including the US, France, and India. The disruption was part of a broader legal case filed in the US District Court for the Southern District of New York. Microsoft is collaborating with the FBI and Europol to identify the individuals behind Fox Tempest.
Key Points: • Microsoft disrupted Fox Tempest, a major malware-signing service used by ransomware groups. • The operation provided over 1,000 fraudulent certificates, enabling malware to appear legitimate. • Fox Tempest's activities impacted various sectors globally, including healthcare and education.