Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

Microsoft disrupts Fox Tempest malware-signing service

Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation that abused Microsoft Artifact Signing to provide threat actors with short-lived, trusted certificates for signing malicious files such as Rhysida ransomware and Lumma Stealer, enabling them to bypass security controls. The service, linked to threat actors including Storm-0501 and several ransomware affiliates, facilitated attacks against the healthcare, government, and financial sectors. Microsoft seized the infrastructure, revoked over 1,000 certificates, and recommends implementing layered defenses.

May 20, 2026, by SC Staff

Microsoft has disrupted Fox Tempest, a malware-signing-as-a-service operation that enabled cybercriminals to sign malicious software with fake trusted certificates, making it appear legitimate and easier to distribute. The operation abused Microsoft Artifact Signing and supported various ransomware and malware campaigns, based on information published by Security Affairs.

Fox Tempest operated a platform called signspace[.]cloud, which allowed threat actors to obtain short-lived Microsoft-issued certificates via Artifact Signing. This service facilitated the signing of malicious files, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, helping them bypass security controls.

Microsoft seized the group's infrastructure, revoked over 1,000 code-signing certificates, and filed a lawsuit against Fox Tempest and Vanilla Tempest. The service, which charged between $5,000 and $9,000, was linked to threat actors like Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, as well as ransomware affiliates behind INC, Qilin, and Akira. Attacks supported by Fox Tempest have targeted sectors including healthcare, education, government, and financial services globally. Microsoft recommends layered defenses to counter these threats.

Source: Security Affairs