HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Microsoft & Resecurity Disrupt Fox Tempest Malware‑Signing Service, Revoking 1,000+ Fraudulent Certificates

Microsoft’s Digital Crimes Unit, with Resecurity, seized the Fox Tempest malware‑signing platform, took down its infrastructure and revoked over 1,000 fake Microsoft certificates. The takedown removes a trusted‑appearance vector that ransomware operators relied on, underscoring supply‑chain risk in code‑signing services.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Microsoft & Resecurity Disrupt Fox Tempest Malware‑Signing Service, Revoking 1,000+ Fraudulent Certificates

What Happened – Microsoft’s Digital Crimes Unit, assisted by Resecurity, seized the Fox Tempest malware‑signing‑as‑a‑service (MSaaS) infrastructure, took down the signspace.cloud website, disabled hundreds of virtual machines, and revoked more than 1,000 illicit code‑signing certificates that were being used to make ransomware and other malware appear legitimate.

Why It Matters for TPRM

  • Upstream code‑signing services are a critical “as‑a‑service” supply‑chain risk that can amplify attacks across multiple vendors and customers.
  • Disruption of the service removes a trusted‑appearance vector, forcing threat actors to revert to less effective delivery methods.
  • The operation demonstrates the value of coordinated public‑private threat‑intel sharing for protecting third‑party ecosystems.

Who Is Affected – Financial services, healthcare, retail, SaaS providers, and any organization that relies on signed binaries for trust decisions.

Recommended Actions – Review any reliance on third‑party code‑signing or certificate authorities, validate the provenance of signed executables, and enhance detection rules for newly signed files.

Technical Notes – The actors abused Microsoft Artifact Signing to obtain fraudulent certificates, then offered a “malware‑signing‑as‑a‑service” platform. The takedown involved legal action, domain seizure, VM shutdown, and revocation of >1,000 certificates. No public data breach was reported. Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192818/security/resecurity-supports-microsoft-dcu-in-disrupting-fox-tempest-cybercriminal-code-signing-ecosystem.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →