{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/malware-signing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Fox Tempest"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Artifact Signing","Microsoft Teams","AnyDesk","PuTTY","Webex"],"_cs_severities":["high"],"_cs_tags":["code-signing","malware-signing","supply-chain","azure"],"_cs_type":"threat","_cs_vendors":["Microsoft","Cloudzy","AnyDesk","Webex"],"content_html":"\u003cp\u003eIn May 2026, Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation run by the threat actor Fox Tempest. This operation abused the Azure Artifact Signing service (formerly Trusted Signing) to generate fraudulent code-signing certificates. These certificates were then used by cybercriminals, including ransomware gangs, to sign malware, making it appear legitimate to users and operating systems. Fox Tempest created over 1,000 certificates and hundreds of Azure tenants and subscriptions to support its operation. The service was linked to numerous malware and ransomware campaigns, including Oyster, Lumma Stealer, Vidar, Rhysida, Akira, INC, and BlackByte. The MSaaS platform was promoted on a Telegram channel named \u0026ldquo;EV Certs for Sale by SamCodeSign,\u0026rdquo; with prices ranging from $5,000 to $9,000 in Bitcoin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eFox Tempest creates hundreds of Azure tenants and subscriptions.\u003c/li\u003e\n\u003cli\u003eThe threat actor abuses the Azure Artifact Signing service to generate short-lived (72-hour) code-signing certificates.\u003c/li\u003e\n\u003cli\u003eCybercriminal customers upload malicious files to the MSaaS platform through signspace[.]cloud or pre-configured virtual machines hosted on Cloudzy infrastructure.\u003c/li\u003e\n\u003cli\u003eFox Tempest signs the uploaded malware using the fraudulently obtained certificates.\u003c/li\u003e\n\u003cli\u003eAttackers distribute signed malware, impersonating legitimate software such as Microsoft Teams, AnyDesk, PuTTY, and Webex.\u003c/li\u003e\n\u003cli\u003eUnsuspecting victims execute the falsely named installer files.\u003c/li\u003e\n\u003cli\u003eThe installers deliver a malicious loader, which installs the fraudulently signed malware, such as Oyster.\u003c/li\u003e\n\u003cli\u003eThe malware deploys ransomware, such as Rhysida, or steals credentials and sensitive information using Lumma Stealer or Vidar.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Fox Tempest MSaaS operation enabled cybercriminals to sign their malware with certificates trusted by the Windows operating system, allowing them to bypass security controls and infect systems more easily. This led to successful ransomware attacks and data theft, causing significant financial losses and reputational damage for victim organizations. Microsoft believes the operation generated millions of dollars in profits.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003esignspace[.]cloud\u003c/code\u003e at the DNS resolver to prevent access to the MSaaS platform.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect the execution of signed malware installers that impersonate legitimate software.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious Azure tenant and subscription creation activities that may indicate abuse of the Artifact Signing service.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T21:48:34Z","date_published":"2026-05-19T21:48:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fox-tempest-msaas/","summary":"Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation run by Fox Tempest that abused the Azure Artifact Signing service to generate fraudulent code-signing certificates, enabling malware to bypass security controls.","title":"Fox Tempest Malware-Signing-as-a-Service Disrupted","url":"https://feed.craftedsignal.io/briefs/2026-05-fox-tempest-msaas/"},{"_cs_actors":["Fox Tempest"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Artifact Signing","Azure"],"_cs_severities":["high"],"_cs_tags":["malware-signing","azure","defense-evasion","ransomware"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft disrupted a cybercrime service named Fox Tempest, which has been operating a malware-signing-as-a-service (MSaaS) since at least September 2025. This service abuses Microsoft Artifact Signing to generate short-lived code-signing certificates, which are then used to sign malware, disguising it as legitimate software and helping it evade detection. Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code-signing certificates attributed to Fox Tempest. The MSaaS has been used by several ransomware groups, including Vanilla Tempest (targeted in October 2025), and has delivered ransomware families such as Rhysida, Inc, Qilin, and Akira, as well as malware families like Lumma Stealer, Oyster, and Vidar.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eFox Tempest establishes fraudulent Azure tenants and subscriptions to support its operations.\u003c/li\u003e\n\u003cli\u003eThe actor abuses Microsoft Artifact Signing to generate short-lived code-signing certificates.\u003c/li\u003e\n\u003cli\u003eCybercriminals purchase the malware-signing-as-a-service.\u003c/li\u003e\n\u003cli\u003eMalware is signed with the fraudulently obtained certificates.\u003c/li\u003e\n\u003cli\u003eSigned malware is disguised as legitimate software.\u003c/li\u003e\n\u003cli\u003eVictims are tricked into downloading and executing the signed malware.\u003c/li\u003e\n\u003cli\u003eMalware executes, potentially leading to ransomware deployment or information theft.\u003c/li\u003e\n\u003cli\u003eStolen data is exfiltrated, or systems are encrypted and held for ransom.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe downstream impact of Fox Tempest\u0026rsquo;s operations has resulted in attacks against a broad range of industry sectors, including healthcare, education, government, and financial services, impacting organizations globally including, but not limited to, the United States, France, India, and China. The service costs thousands of dollars, and Microsoft believes the threat actor made millions. Successful attacks lead to data theft, system compromise, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unusual Azure tenant and subscription creation activity, which may indicate attempts to establish infrastructure for similar MSaaS operations.\u003c/li\u003e\n\u003cli\u003eEnable and review logs for Microsoft Artifact Signing and code-signing certificate generation events to identify potential abuse.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious process execution and file creation activity associated with malware signed by certificates potentially linked to Fox Tempest.\u003c/li\u003e\n\u003cli\u003eBlock execution of known malware hashes (if available from other sources) to prevent initial compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T16:07:44Z","date_published":"2026-05-19T16:07:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fox-tempest-msaas-disruption/","summary":"Microsoft disrupted Fox Tempest, a threat actor running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates used to sign malware disguised as legitimate software, delivering ransomware and various information stealers to victims across multiple sectors.","title":"Fox Tempest Malware-Signing-as-a-Service Disrupted by Microsoft","url":"https://feed.craftedsignal.io/briefs/2026-05-fox-tempest-msaas-disruption/"}],"language":"en","title":"CraftedSignal Threat Feed — Malware-Signing","version":"https://jsonfeed.org/version/1.1"}