INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Malware-Signing Service Disrupted by Microsoft
2026-05-20 14:36 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The threat actor behind the recent malware-signing-as-a-service (MSaaS) operation, Fox Tempest, has been identified as a prominent player in the cybercrime ecosystem. Its connections to several ransomware strains and to affiliates of notable groups such as INC, Qilin, BlackByte, and Akira are well documented. Malware signed through the service masqueraded as legitimate software such as Microsoft Teams and PuTTY, and was used by threat actors to deliver malware families including Rhysida and Oyster. Microsoft's recent disruption of the MSaaS operation highlights Fox Tempest's central role in the cybercrime ecosystem and the value of such takedowns in protecting users and digital assets from malicious activity.
Technical Mitigations (AI-generated)
* Implement robust identity validation: Microsoft should implement detailed identity validation processes to prevent the use of stolen identities and ensure that legitimately signed certificates are obtained through Artifact Signing.
* Use secure file signing protocols: The company can leverage secure file signing protocols, such as those used by Microsoft's own security solutions (e.g. BitLocker), to protect against malware and ransomware attacks.
* Monitor for suspicious activity on the SignSpace website: Microsoft should continuously monitor the SignSpace website for signs of malicious activity, such as unusual traffic patterns or suspicious user behavior, to prevent potential exploitation of the MSaaS operation.
* Implement secure infrastructure updates: The threat actor's shift to providing pre-configured virtual machines (VMs) hosted on Cloudzy can be mitigated by implementing secure infrastructure update protocols that ensure timely and effective patching and security fixes.
* Enhance Azure Trusted Signing security controls: Microsoft should enhance its Azure Trusted Signing security controls, such as the use of machine learning-based threat detection and response systems, to detect and respond to potential threats associated with the MSaaS operation.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Storm-0501, BlackByte, Qilin, INC Ransomware, Lumma Stealer
Target & Sectors: NORTH_AMERICA; education, legal, healthcare, government
Incident Timeline
March 2025
Threat actors used Microsoft's Trusted Signing service to sign malware targeting Crazy Evil Traffers.
May 2025
Threat actors used Microsoft's signature analysis tool to target the malware-signing network.
September 2025
Vanilla Tempest deployed Microsoft-signed malware in its attacks.
February 2026
Threat actors used Cloudzy to host pre-configured virtual machines, allowing them to upload malware and receive signed binaries.
2026/05/19
Threat actors used the Microsoft Artifact Signing platform to create short-lived certificates that allowed malware to be digitally signed and trusted as legitimate software.
Entity context
Legal (industry); the U.S. District Court (organisation): Today, Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation.
Microsoft Threat Intelligence (attribution); Fox Tempest (attribution): According to a report published today by Microsoft Threat Intelligence, the threat actor tracked as Fox Tempest used the Microsoft Artifact Signing platform to create short-lived certificates that allowed malware to be digitally signed and trusted as legitimate software by both users and operating systems.
between February and March 2026
Microsoft worked with a cooperative source to purchase and test the malware-signing network between February 2026 and March 2026.
2026/05/20
Microsoft dismantled the malware-signing network Fox Tempest.
VC (organisation): "To obtain legitimate signed certificates through Artifact Signing, the requestor must pass detailed identity validation processes in keeping with industry standard verifiable credentials (VC), which suggests the threat actor very likely used stolen identities based in the United States and Canada to masquerade as a legitimate entity and obtain the necessary digital credentials for signing," Microsoft explained.
Microsoft (organisation):
Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks.
Cybercrime service disrupted for abusing Microsoft platform to sign malware.
Microsoft dismantled malware-signing network Fox Tempest.
Artifact Signing (organisation):
Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing system to deliver malicious code and conduct ransomware and other attacks, compromising thousands of machines and networks across the world.
Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals.
Vanilla Tempest (organisation):
Microsoft noted that the operation enabled the deployment of Rhysida ransomware by threat actors such as Vanilla Tempest, along with other malware families like Oyster, Lumma Stealer, and Vidar, illustrating the crucial role played by Fox Tempest within the cybercrime ecosystem.
Microsoft says threat actors, including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249, used the signed malware in their attacks.
It also filed a lawsuit against Fox Tempest and Vanilla Tempest, a legal move that in these kinds of operations does real practical work: it gives Microsoft the grounds to seize domains, tear down server infrastructure, and push third-party providers to pull the plug on whatever is still running.
INC (organisation); BlackByte (threat_actor):
In addition, connections have been uncovered between the threat actor and affiliates associated with several prominent ransomware strains, including INC, Qilin, BlackByte, and Akira.
The operation was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations.
AnyDesk, Microsoft Teams, Cisco Webex (organisation):
This, in turn, allowed malware and ransomware to masquerade as legitimate software like AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex.
[Figure: Certificate used to sign Oyster malware installers. Source: Microsoft's complaint]
These signed malware files were then used by threat actors to impersonate legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex, and were used to add legitimacy to the downloads.
Storm-0501 (threat_actor); Storm-0249 (threat_actor):
Microsoft says threat actors, including Vanilla Tempest (INC Ransomware members), Storm-0501, Storm-2561, and Storm-0249, used the signed malware in their attacks.
Storm-0501, Storm-2561, and Storm-0249, which used Fox Tempest-signed malware in real attacks delivered through malvertising, SEO poisoning, and fake ads.
Microsoft Artifact Signing (organisation): The service abused Microsoft Artifact Signing and supported ransomware and malware campaigns.
Fox Tempest (organisation):
Microsoft dismantled malware-signing network Fox Tempest.
The tech giant attributed the activity to a threat actor it calls Fox Tempest, which it said offered the MSaaS scheme to allow cybercriminals to disguise malware as legitimate software.
"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations.
VirusTotal (organisation): [VirusTotal] and a Lumma Stealer
Fox Tempest's (organisation); Digital Crimes Unit (organisation): "To disrupt the service, we seized Fox Tempest's website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said.
SignSpace (organisation): "The SignSpace website was built on Artifact Signing and enabled secure file signing through an admin panel and user page, leveraging Azure subscriptions, certificates, and a structured database for managing users and files.
Service cost (financial): $5,000
The service cost between $5,000 and $9,000.
Customers chose plans between $5,000 and $9,000, with higher tiers getting priority access and virtual machines for signing malicious code with trusted certificates.
Windows (infrastructure): "Because the Oyster malware was signed by a certificate from Microsoft's Artifact Signing service, the Windows operating system initially recognized the malware as legitimate software, when it would otherwise be flagged as suspicious or blocked entirely by security controls in the Windows operating system.
Trusted Signing (organisation): Azure Artifact Signing (previously Trusted Signing) is a cloud-based service launched by Microsoft in 2024 that allows developers to easily have their programs signed by Microsoft.
Telegram (organisation); EV: The operation was actively run on Telegram, where channels advertised EV certificate access and buyers coordinated payments.
Safe Links/Attachments, SmartScreen (organisation): Microsoft recommends layered defenses against Fox Tempest attacks, including cloud protection, Safe Links/Attachments, SmartScreen, and strong identity controls.
May 2026
Microsoft's Digital Crimes Unit targeted Fox Tempest's infrastructure and access model.
Fox Tempest's (organisation); Digital Crimes Unit (organisation): "In May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use.
In May 2026, Microsoft's Digital Crimes Unit, with industry partners, dismantled Fox Tempest's infrastructure.
Tactical Metrics
Service Cost (financial): $5,000
Affected Product (infrastructure): Windows
Intelligence Sources
BleepingComputer, 2026-05-19
Security Affairs, 2026-05-19: Microsoft dismantled malware-signing network Fox Tempest
The Hacker News, 2026-05-20
Incident Version History: current version, last updated 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Role | Entity | Type
23x | organisation | Identified Entity | VC | entity
9x | timeline | Temporal Reference | May 2025 | date
6x | attribution | Attributing Entity | Microsoft Threat Intelligence | authority
5x | target region | Target Country | France | country
4x | industry | Targeted Sector | Healthcare | sector
3x | malware | Malware Payload | Lumma Stealer | tool
2x | source region | Origin Country | United States | country
2x | tactic | Cyber Operation Type | Ransomware | tactic
2x | threat actor | APT Group | BlackByte | actor
Contextual Telemetry (6 metrics)
Category | Metric | Value | Unit
tactic | MITRE ATT&CK Technique | T1588.001 - Malware | technique
general metric | Hours | 72 | hours
financial | $ Service Cost | 5,000 | $ service cost
infrastructure | Affected Product | Windows | software
general metric | Certificates | 1,000 | certificates
general metric | Surfaces | 6 | surfaces