Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
Summary
Hide ▲
Show ▼
Microsoft disrupted Fox Tempest's malware-signing service in May 2026, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain trusted code-signing certificates. The operation abused Microsoft Artifact Signing and created more than 1,000 certificates plus hundreds of Azure tenants and subscriptions. Signed payloads could appear legitimate to Windows and user-facing download flows, reducing the chance that security controls would flag them. Microsoft also seized signspace[.]cloud and blocked the infrastructure behind the service.
Related Happenings
Microsoft hit by cyberattack
Incident
H score68
First: 09.06.2026 18:42
Last: 09.06.2026 18:42
Sources 1
About this happening:
A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Microsoft hit by cyberattack
IncidentAbout this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
H score33
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Storm-2949 Microsoft 365 and Azure data-theft campaign
CampaignAbout this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
H score24
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal ActionAbout this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Timeline
-
20.05.2026 00:47 2 articles · 1mo ago
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Initial DisclosureThe operation centered on a service model that sold access to code-signing certificates and pre-configured virtual machines for malware customers. That setup let attackers package malicious binaries as trusted software before Microsoft disrupted the infrastructure in **May 2026**.
Show sources
- Cybercrime service disrupted for abusing Microsoft platform to sign malware — www.bleepingcomputer.com — 20.05.2026 00:47
- Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks — thehackernews.com — 20.05.2026 17:36