Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Microsoft Shuts Down Malware-Signing Service Linked to Ransomware

Microsoft Shuts Down Malware-Signing Service Linked to Ransomware

Posted on May 20, 2026 By CWS

On Tuesday, Microsoft announced the disruption of a malware-signing-as-a-service (MSaaS) operation that exploited its Artifact Signing system. This operation has been implicated in worldwide ransomware attacks, affecting thousands of systems globally.

Unveiling Fox Tempest’s Role

The tech giant identified the malicious activities as originating from a group it has named Fox Tempest. This entity is suspected of facilitating cybercriminals by disguising malware as legitimate software. Fox Tempest has been active since May 2025, and Microsoft’s counteroperation to dismantle this threat has been named OpFauxSign.

Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, stated that the disruption involved taking down the website signspace[.]cloud, deactivating numerous virtual machines involved in the operation, and blocking a site that hosted the malicious code.

Widespread Implications of the Operation

Fox Tempest’s operations enabled the deployment of various malware families, including Rhysida ransomware, through groups such as Vanilla Tempest. This highlights the significant influence Fox Tempest had within the cybercrime community.

The operation also revealed connections between Fox Tempest and several notorious ransomware strains like INC, Qilin, BlackByte, and Akira. These attacks have targeted sectors such as healthcare, education, government, and finance in countries including the U.S., France, India, and China.

Exploiting Artifact Signing for Cybercrime

Artifact Signing, previously known as Azure Trusted Signing, is a Microsoft service that ensures the legitimacy of software by providing end-to-end signing solutions. Fox Tempest exploited this system to generate fraudulent, short-lived code-signing certificates to distribute trusted malware.

Microsoft indicated that the threat actor likely used stolen identities from the U.S. and Canada to navigate the stringent identity verification processes required to obtain these certificates.

SignSpace, a platform built on Artifact Signing, allowed cybercriminals to upload malware for signing with these fraudulently obtained certificates. This service, priced between $5,000 and $9,000, enabled malware to masquerade as legitimate applications, such as AnyDesk and Microsoft Teams.

Adapting to Countermeasures

In February 2026, Fox Tempest adjusted its operations by offering pre-configured virtual machines hosted on Cloudzy. This allowed for easier upload of artifacts to attacker-controlled infrastructure, enhancing the delivery of signed malware.

Microsoft’s continued countermeasures, such as disabling fraudulent accounts and revoking certificates, forced Fox Tempest to explore alternative code-signing services. In their efforts, Microsoft collaborated with a cooperative source to test the illicit service, revealing insights into its operations.

Microsoft emphasized the importance of this disruption, stating, “When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe.” The company remains committed to raising the cost of cybercrime by dismantling such services.

The Hacker News Tags:Artifact Signing, cloud security, Cybercrime, Cybersecurity, digital credentials, Fox Tempest, Malware, Microsoft, Ransomware, Rhysida ransomware

Post navigation

Previous Post: Grafana’s GitHub Hacked in Ransomware Supply Chain Attack
Next Post: Quantum Bridge Secures $8M for Quantum-Safe Cybersecurity

Related Posts

Can your SOC Save You? Can your SOC Save You? The Hacker News
Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT The Hacker News
Security Flaws in AI Tool Pose Major Risks Security Flaws in AI Tool Pose Major Risks The Hacker News
Federal Push for Post-Quantum Security by 2030 Federal Push for Post-Quantum Security by 2030 The Hacker News
Supply Chain Worm Exploits npm to Steal Developer Tokens Supply Chain Worm Exploits npm to Steal Developer Tokens The Hacker News
INTERPOL Warns of Rising Cyber Threats in Asia-Pacific INTERPOL Warns of Rising Cyber Threats in Asia-Pacific The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Government Pays $1M to Prevent Data Leak by Kairos Group
  • North Korean Hackers Launch PolinRider Campaign
  • Critical ‘Bad Epoll’ Flaw Risks Linux and Android Security
  • PamStealer Targets macOS Users via Fake Clipboard Manager
  • New FatFs Vulnerabilities Threaten Embedded Devices

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Government Pays $1M to Prevent Data Leak by Kairos Group
  • North Korean Hackers Launch PolinRider Campaign
  • Critical ‘Bad Epoll’ Flaw Risks Linux and Android Security
  • PamStealer Targets macOS Users via Fake Clipboard Manager
  • New FatFs Vulnerabilities Threaten Embedded Devices

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark