Microsoft disrupted a malware-signing-as-a-service operation run by Fox Tempest, which abused Artifact Signing to produce fraudulent code-signing certificates that helped ransomware gangs and other criminals make malware look legitimate. The campaign was tied to Oyster, Lumma Stealer, Vidar, Rhysida, Akira, INC, Qilin, and BlackByte, and Microsoft seized the signspace[.]cloud domain and revoked over 1,000 certificates. #FoxTempest #signspacecloud #Oyster #LummaStealer #Vidar #Rhysida #Akira #Qilin #BlackByte #VanillaTempest #Storm0501 #Storm2561 #Storm0249
Key points
- Microsoft disrupted Fox Tempest's malware-signing-as-a-service operation.
- The group abused Microsoft Artifact Signing to create fraudulent code-signing certificates.
- More than 1,000 certificates and hundreds of Azure tenants and subscriptions were created.
- The operation helped signed malware masquerade as trusted software like Microsoft Teams and AnyDesk.
- Microsoft seized signspace[.]cloud, took VMs offline, and linked the scheme to multiple ransomware crews.