Microsoft dismantled malware-signing network Fox Tempest
Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) that allowed attackers to sign malware with fake trusted certificates.

Microsoft said it disrupted a cybercrime operation run by a threat actor named Fox Tempest, which helped threat actors sign malware with short-lived certificates to make malicious software appear legitimate. The service abused Microsoft Artifact Signing and supported ransomware and malware campaigns.
Microsoft seized the infrastructure the group was running on, pulled the fraudulent accounts, and tightened up the verification processes that had been abused. It also filed a lawsuit against Fox Tempest and Vanilla Tempest, a legal move that in these kinds of operations does real practical work: it gives Microsoft the grounds to seize domains, tear down server infrastructure, and push third-party providers to pull the plug on whatever is still running.
Related breach coverage
- Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’ 2026-05-19
Fox Tempest provides a service that cybercriminals use to distribute ransomware and other malware disguised as legitimate software. The post Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’ appeared first on SecurityWeek.
- Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks 2026-05-19
Attackers are increasingly abusing Microsoft’s decades-old MSHTA utility to stealthily deliver stealers, loaders, and persistent malware through phishing, fake software downloads, and LOLBIN-based attack chains. The post Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks appeared first on SecurityWeek.
- Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs 2026-05-19
The company unsealed a legal case in U.S. District Court on Tuesday detailing the disruption of Fox Tempest — a popular service that has operated since May 2025 and provides cybercriminals with code signing tools.
- ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested 2026-05-22
The FBI says First VPN has been used by dozens of ransomware groups for network reconnaissance and intrusions. The post ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested appeared first on SecurityWeek.
