Signal
Microsoft disrupts Fox Tempest malware-signing service aiding ransomware gangs
Published 2026-05-19 15:00 UTC
Updated 2026-05-20 00:45 UTC
malware, threat_actors, incident_response, security_tooling
Overview
Microsoft's Digital Crimes Unit has dismantled Fox Tempest, a cybercriminal operation providing malware-signing-as-a-service (MSaaS) that enabled ransomware groups to distribute malicious software disguised as legitimate software.
Entities
Microsoft, Fox Tempest, Rhysida, Vanilla Tempest, Storm-0501, Storm-2561, Storm-0249, Steven Masada
Score total
1.74
Momentum 24h
6
Posts
6
Origins
6
Source types
1
Duplicate ratio
0%
Why now
- Fox Tempest operated since May 2025, recently reaching over 1,000 fraudulent certificates.
- Microsoft obtained a court order enabling a decisive takedown in May 2026.
- Ransomware attacks continue to rise, making disruption of signing services critical.
Why it matters
- Malware signed with fraudulent certificates can bypass security controls, increasing infection success.
- Disrupting Fox Tempest hinders multiple ransomware groups relying on its service.
- This takedown demonstrates effective public-private collaboration against cybercrime.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: high
Recurring claims
- Fox Tempest operated a malware-signing-as-a-service platform that sold fraudulent code-signing certificates to cybercriminals.
- Microsoft seized Fox Tempest’s infrastructure, revoked over 1,000 fraudulent certificates, and took down hundreds of Azure virtual machines to disrupt the operation.
How sources frame it
- Microsoft Digital Crimes Unit: neutral
All evidence
Microsoft disrupts malware code-signing service used by ransomware gangs
CSO Online · csoonline.com · 2026-05-20 00:45 UTC
Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs
The Record (Recorded Future News) · therecord.media · 2026-05-19 16:36 UTC
Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’
SecurityWeek · securityweek.com · 2026-05-19 16:06 UTC
Exposing Fox Tempest: A malware-signing service operation
Microsoft Security Blog · microsoft.com · 2026-05-19 15:07 UTC
Microsoft disrupts cybercrime service that abused software verification systems en masse
CyberScoop · cyberscoop.com · 2026-05-19 15:00 UTC
Microsoft Takes Down Fox Tempest for Providing Ransomware-Enabling Signing Tool
Infosecurity Magazine · infosecurity-magazine.com · 2026-05-19 15:00 UTC
Top publishers (this list)
- CSO Online (1)
- The Record (Recorded Future News) (1)
- SecurityWeek (1)
- Microsoft Security Blog (1)
- CyberScoop (1)
- Infosecurity Magazine (1)
Top origin domains (this list)
- csoonline.com (1)
- therecord.media (1)
- securityweek.com (1)
- microsoft.com (1)
- cyberscoop.com (1)
- infosecurity-magazine.com (1)