Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’
Fox Tempest provides a service that cybercriminals use to distribute ransomware and other malware disguised as legitimate software.
Microsoft announced on Tuesday that it has disrupted a cybercrime service that has been helping threat actors distribute ransomware and other malware.
According to the tech giant, a threat actor it has named Fox Tempest has been running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates. The certificates are used to sign malware disguised as legitimate software, helping it evade detection.
“Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest,” the company explained.
Source: https://www.securityweek.com/microsoft-disrupts-malware-signing-service-run-by-fox-tempest/
Related breach coverage
- Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs (2026-05-19)
The company unsealed a legal case in U.S. District Court on Tuesday detailing the disruption of Fox Tempest — a popular service that has operated since May 2025 and provides cybercriminals with code signing tools.
- Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks (2026-05-19)
Attackers are increasingly abusing Microsoft’s decades-old MSHTA utility to stealthily deliver stealers, loaders, and persistent malware through phishing, fake software downloads, and LOLBIN-based attack chains.
- Microsoft dismantled malware-signing network Fox Tempest (2026-05-19)
Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) that allowed attackers to sign malware with fake trusted certificates. Microsoft said it disrupted a cybercrime operation run by a threat actor named Fox Tempest, which helped threat actors sign malware with short-lived certificates to make malicious software appear legitimate. The service abused Microsoft Artifact Signing and supported […]
- ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested (2026-05-22)
The FBI says First VPN has been used by dozens of ransomware groups for network reconnaissance and intrusions.
