ctipilot.ch

Fox Tempest

actor · actor:fox-tempest · single-source

Fox Tempest — financially motivated MSaaS operator; signspace[.]cloud seized 2026-05-19

Coverage timeline: 3 appearances, first 2026-05-18 → last 2026-06-09
Entries: 3 (3 distinct days)
Sources cited: 4 (3 hosts)
Sections touched: 3 (active-threats, research, weekly-long-running)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-09 · research · Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries
  2. 2026-05-20 · active-threats · Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations
  3. 2026-05-18 · weekly-long-running · Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira

Where this entity is cited

  • weekly-long-running (1)
  • active-threats (1)
  • research (1)

Source distribution

  • microsoft.com: 2 (50%)
  • blogs.microsoft.com: 1 (25%)
  • therecord.media: 1 (25%)

Related entities

Entries about Fox Tempest (3)

2026-06-09

Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries

notable · research · discovered 2026-06-09 05:00 UTC

Microsoft Threat Intelligence documents a campaign by Storm-3075 (initial-access broker) and Fox Tempest (malware-signing-as-a-service operator) that weaponises public enthusiasm for AI tools, impersonating ChatGPT, Claude, DeepSeek and Microsoft Copilot through SEO poisoning, malvertising and multi-stage redirection chains (Rebrandly → CAPTCHA gate → credential-harvesting landing) (Microsoft, 2026-06-08). Downloaded binaries are code-signed with certificates obtained through Fox Tempest's MSaaS operation (T1553.002), suppressing initial detection; payloads include Lumma Stealer, Vidar, Hijack Loader and Oyster, with fraudulent GitHub repositories used for payload staging. Microsoft's separate analysis details the Fox Tempest malware-signing-as-a-service operation that supplies the certificates (Microsoft, 2026-05-19).

Why it matters to us: Code-signing is no longer a trust anchor here — a valid Authenticode signature on a fresh "AI tool" installer is consistent with this chain. Detection concepts: Sysmon EID 1 for browser-parented processes spawning infostealer-family command lines; EDR process-injection alerts for Hijack Loader. Phish-resistant MFA (FIDO2/passkeys) removes the downstream AiTM credential-replay value even when an endpoint is seeded.

infostealer phishing ai-abuse organized-crime supply-chain global

2026-05-20

Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations

high · threat · discovered 2026-05-20 05:00 UTC

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that bypassed AV/EDR signing checks. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted hosts that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational EV entity. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn cmd.exe / powershell.exe / rundll32 / regsvr32 without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict Artifact Signing tenant creation; require phishing-resistant MFA + compliant device for Azure subscription management; alert in Defender for Cloud Apps on rapid certificate creation from newly enrolled tenants (Add-AzKeyVaultCertificate).

ransomware supply-chain law-enforcement organized-crime identity global europe us
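The certificate hunt described in the entry above, written out as an added example (not code from the page's sources or from Microsoft's tooling): it applies the "Trusted Signing issuer, validity of 72 hours or less, issued on or after 2025-05-01, subject CN not a known organisational EV identity" criteria to signer-certificate metadata already extracted from PE files. The issuer-name substring, the allowlist, the file paths and the sample records are all constructed assumptions to be replaced with values from your own environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds taken from the hunt in the entry above.
CAMPAIGN_START = datetime(2025, 5, 1)
MAX_VALIDITY = timedelta(hours=72)
# Constructed allowlist of the organisation's own known EV signing identities.
KNOWN_SIGNER_CNS = frozenset({"Example Corp EV Code Signing"})
# Assumption: the intermediate CA's name contains this substring; tune it to observed issuer names.
TRUSTED_SIGNING_MARKER = "Trusted Signing"

@dataclass
class SignerCert:
    """Signer-certificate fields pulled from a PE's Authenticode signature."""
    path: str
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime

def is_suspect(cert: SignerCert, known_cns=KNOWN_SIGNER_CNS) -> bool:
    """Match the MSaaS pattern: Trusted Signing chain, <=72h lifetime,
    issued on/after 2025-05-01, subject CN not one of our known EV entities."""
    lifetime = cert.not_after - cert.not_before
    return (
        TRUSTED_SIGNING_MARKER in cert.issuer_cn
        and lifetime <= MAX_VALIDITY
        and cert.not_before >= CAMPAIGN_START
        and cert.subject_cn not in known_cns
    )

def hunt(certs):
    """Return the paths of binaries whose signer certificate is suspect."""
    return [c.path for c in certs if is_suspect(c)]

# Constructed sample inventory (not real observations); issuer names are placeholders.
SAMPLE_CERTS = [
    # 72-hour Trusted Signing cert on a Teams-lookalike installer: the pattern hunted for
    SignerCert(r"C:\Users\user\Downloads\MSTeamsSetup.exe", "Constructed Identity LLC",
               "Constructed Trusted Signing Intermediate CA", datetime(2026, 3, 2, 10), datetime(2026, 3, 5, 10)),
    # same short lifetime, but signed under our own allowlisted EV identity
    SignerCert(r"C:\Program Files\Example\app.exe", "Example Corp EV Code Signing",
               "Constructed Trusted Signing Intermediate CA", datetime(2026, 3, 2, 10), datetime(2026, 3, 5, 10)),
    # ordinary one-year certificate from a public CA
    SignerCert(r"C:\Tools\putty.exe", "Constructed Identity LLC",
               "Constructed Public CA G2", datetime(2025, 9, 1), datetime(2026, 9, 1)),
    # short-lived, but issued before the campaign window opened
    SignerCert(r"C:\Tools\legacy.exe", "Constructed Identity LLC",
               "Constructed Trusted Signing Intermediate CA", datetime(2025, 4, 1), datetime(2025, 4, 4)),
]
```

In practice the `SignerCert` records would be populated from an EDR binary inventory or a signature-extraction pass over collected PE files; `hunt(SAMPLE_CERTS)` flags only the first sample.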

2026-05-18

Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira

notable · synthesis · discovered 2026-05-18 05:00 UTC · single-source

Microsoft Threat Intelligence and the Digital Crimes Unit disrupted Fox Tempest, a malware-signing-as-a-service operation that supplied code-signing to multiple ransomware operations (daily 2026-05-20). Status: disrupted via combined intelligence exposure and a sealed US legal action. The defender takeaway is that code-signing trust on binaries attributable to Rhysida/INC/Qilin/Akira tooling should not be treated as a benign signal — the signing pipeline was a criminal service.

ransomware supply-chain law-enforcement organized-crime identity global europe