
Microsoft disrupts Fox Tempest’s malware-signing-as-a-service infrastructure

2 unique sources, 2 articles

Summary


Microsoft’s Digital Crimes Unit (DCU), in collaboration with the FBI and Europol’s EC3, has disrupted Fox Tempest’s malware-signing-as-a-service (MSaaS) infrastructure that provided fraudulent code-signing certificates for ransomware and malware operations. The takedown involved legal action in the US District Court for the Southern District of New York, sinkholing malicious domains, disabling hundreds of virtual machines on Cloudzy, and suspending roughly 1,000 accounts. Fox Tempest’s MSaaS platform abused Microsoft’s Artifact Signing to issue short-lived certificates valid for 72 hours, sold at tiered pricing from $5,000 to $9,000. The group collaborated with multiple ransomware operations, including Rhysida (Vanilla Tempest), Storm-2501, Storm-0249, INC, Qilin, BlackByte, and Akira, with attacks targeting critical sectors across the U.S., France, India, and China. The service evolved in February 2026 to offer pre-configured Cloudzy VMs, streamlining malicious binary signing and distribution. Microsoft’s operation, codenamed OpFauxSign, includes ongoing efforts to identify and pursue the group’s operators through undercover engagements and legal mechanisms.

Timeline

  1. 19.05.2026 18:00 · 2 articles

    Microsoft disrupts Fox Tempest’s malware-signing-as-a-service infrastructure

    On May 8, 2026, Microsoft obtained a court order in the US District Court for the Southern District of New York to disrupt the operations of Fox Tempest, a cybercrime group providing malware-signing-as-a-service. The takedown involved sinkholing malicious domains, disabling hundreds of virtual machines hosted on Cloudzy, and suspending approximately 1,000 accounts. The group’s MSaaS platform abused Microsoft’s Artifact Signing to issue fraudulent code-signing certificates, sold at prices ranging from $5,000 to $9,500. Microsoft collaborated with the FBI and Europol’s EC3 to identify the group’s operators. New details from this article clarify that Fox Tempest generated short-lived certificates valid for only 72 hours, operated the SignSpace user-facing platform built on Artifact Signing, and shifted to providing pre-configured Cloudzy VMs starting February 2026 to streamline malicious binary signing. The group also collaborated with additional ransomware operations (INC, Qilin, BlackByte, Akira) and used malvertising to distribute signed malware such as Oyster, leading to Rhysida ransomware deployments. Microsoft’s operation, codenamed OpFauxSign, included undercover testing of the service between February and March 2026.



Similar Happenings

Unauthorized access to GitHub internal repositories reported; TeamPCP claims data sale and expands malware campaign

GitHub confirmed the unauthorized access to internal repositories stemmed from a trojanized VS Code extension installed by an employee, affecting approximately 3,800 repos, with containment measures including removal of the malicious extension, device isolation, and critical secret rotation. TeamPCP claimed responsibility, offering the alleged GitHub data dump for sale with a minimum price of $50,000 and explicitly stating this is not a ransom operation, while also threatening free release if no buyer is found. TeamPCP expanded operations by compromising the durabletask PyPI package with a Linux infostealer targeting credentials across cloud environments and forming partnerships with extortion and ransomware actors including Lapsus$ and Vect ransomware. TeamPCP's malware campaign, known as Mini Shai-Hulud, has impacted multiple entities beyond GitHub, including Grafana Labs. Grafana Labs confirmed a breach was caused by a missed GitHub workflow token rotation following the TanStack npm supply-chain attack, resulting in the exfiltration of operational information such as business contact names and email addresses. No customer production systems or operations were compromised, and the company stated that the codebase was not modified and users are not required to take any action.

Multi-actor campaigns abuse Microsoft Teams for initial access and data theft

A phishing campaign targeting financial and healthcare organizations uses Microsoft Teams to impersonate IT staff and trick victims into granting remote access via Quick Assist, deploying the A0Backdoor malware. The campaign, linked to the BlackBasta ransomware group, uses sophisticated TTPs including digitally signed MSI installers, DNS MX-based C2 communication, and DLL sideloading with legitimate Microsoft binaries. A separate intrusion attributed to UNC6692 leverages Microsoft Teams social engineering to deploy the 'Snow' malware suite—comprising a browser extension, tunneler, and backdoor—for credential theft and domain takeover, with post-compromise activities including reconnaissance, lateral movement via pass-the-hash, and exfiltration of Active Directory assets. The A0Backdoor campaign involves multi-stage attack chains beginning with external Teams chats impersonating IT staff to initiate Quick Assist sessions, followed by reconnaissance, DLL sideloading with signed applications, lateral movement via WinRM, and targeted exfiltration using Rclone. The Snow intrusion contrasts this approach with a modular malware suite (SnowBelt, SnowBasin, SnowGlaze), WebSocket-based C2, SOCKS proxy capabilities, and exfiltration via LimeWire, indicating distinct actor goals and tooling.

Velvet Tempest leverages ClickFix and CastleRAT in ransomware operations

The threat group Velvet Tempest, also tracked as DEV-0504, has been observed using the ClickFix technique and legitimate Windows utilities to deploy DonutLoader malware and the CastleRAT backdoor in a simulated environment. The group, known for deploying multiple ransomware strains, conducted Active Directory reconnaissance, credential harvesting, and environment profiling over a 12-day period. Initial access was gained through a malvertising campaign that led to a combined ClickFix and CAPTCHA lure. Despite the group’s history with ransomware, Termite ransomware was not deployed in this observed intrusion.

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.