Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
Microsoft disrupts Fox Tempest malware-signing-as-a-service; ransomware families Rhysida, Oyster, and Lumma Stealer impacted.
What’s new
Microsoft has disrupted a malware-signing-as-a-service (MSaaS) operation known as Fox Tempest, which was responsible for delivering malicious code and conducting ransomware attacks globally. The operation utilized Microsoft’s Artifact Signing system to generate fraudulent code-signing certificates, allowing malware to appear as legitimate software. Microsoft seized the operation’s website and took offline hundreds of virtual machines, impacting various ransomware families including Rhysida, Oyster, and Lumma Stealer.
Who’s affected
Organizations across multiple sectors, including healthcare, education, government, and financial services in the U.S., France, India, and China, have been targeted by attacks leveraging this service. The threat actor has been active since May 2025.
What to do
- Review and enhance security measures for code-signing processes to prevent unauthorized access.
- Implement monitoring for unusual activities related to software downloads and installations.
- Educate users about the risks of downloading software from unverified sources.
- Regularly update and patch systems to mitigate vulnerabilities that could be exploited by signed malware.



