Microsoft said it seized domains and hundreds of VMs tied to Fox Tempest, a criminal service that abused Microsoft Artifact Signing using more than 580 fraudulent accounts created with fake identities. The operation allegedly sold code-signing certificates used to sign malware including Oyster, Lumma, Vidar, and Rhysida, and was linked to ransomware actors including Vanilla Tempest as well as INC, Qilin, and Akira affiliates.
Why it matters: Trusted code-signing helps malware bypass user suspicion and some security controls, so this service likely enabled broader, more effective intrusions. Defenders should review their detections and hunting queries for suspicious signed binaries and for the malware families Microsoft named.
2026.05.19