Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First reported
Last updated
Happening score
H score 26
2 unique sources, 2 articles

Summary

Hide ▲

Microsoft disrupted Fox Tempest's malware-signing service in May 2026, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain trusted code-signing certificates. The operation abused Microsoft Artifact Signing and created more than 1,000 certificates plus hundreds of Azure tenants and subscriptions. Signed payloads could appear legitimate to Windows and user-facing download flows, reducing the chance that security controls would flag them. Microsoft also seized signspace[.]cloud and blocked the infrastructure behind the service.

Related Happenings

Microsoft hit by cyberattack

Incident
H score68 First: 09.06.2026 18:42 Last: 09.06.2026 18:42 Sources 1

About this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
H score33 First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
H score24 First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score68 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Timeline

  1. 20.05.2026 00:47 2 articles · 1mo ago

    Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

    Initial Disclosure

    The operation centered on a service model that sold access to code-signing certificates and pre-configured virtual machines for malware customers. That setup let attackers package malicious binaries as trusted software before Microsoft disrupted the infrastructure in **May 2026**.

    Show sources