Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First reported
Last updated
Happening score (H score): 23
2 unique sources, 2 articles

Summary

Microsoft disrupted Fox Tempest's malware-signing service in May 2026, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain trusted code-signing certificates. The operation abused Microsoft Artifact Signing and created more than 1,000 certificates plus hundreds of Azure tenants and subscriptions. Signed payloads could appear legitimate to Windows and user-facing download flows, reducing the chance that security controls would flag them. Microsoft also seized signspace[.]cloud and blocked the infrastructure behind the service.

Related Happenings

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Timeline

  1. 20.05.2026 00:47 2 articles · 8d ago

    Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

    Initial Disclosure

    The operation centered on a service model that sold access to code-signing certificates and pre-configured virtual machines for malware customers. That setup let attackers package malicious binaries as trusted software before Microsoft disrupted the infrastructure in **May 2026**.
