Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
What’s new
Microsoft has disrupted a malware-signing-as-a-service (MSaaS) operation known as Fox Tempest, which exploited the company’s Artifact Signing system to deliver malicious code, including ransomware. The operation has been active since May 2025 and has compromised thousands of machines globally. Microsoft seized the service’s website and took offline hundreds of virtual machines used in the operation. The service allowed cybercriminals to disguise malware as legitimate software.
Who’s affected
Organizations in healthcare, education, government, and financial services across the U.S., France, India, and China have been targeted. The operation facilitated the deployment of various malware families, including Rhysida ransomware, Oyster, Lumma Stealer, and Vidar.
What to do
- Review and enhance security measures to detect and block signed malware.
- Monitor for unusual activity related to legitimate software downloads.
- Educate users about the risks of downloading software from unverified sources.
- Implement strict identity verification processes for software signing.



