Overview
- Microsoft, which unsealed a lawsuit Tuesday in New York, seized the signspace.cloud domain, took hundreds of virtual machines offline, and blocked the site hosting the service’s code.
- Fox Tempest abused Microsoft’s Artifact Signing to issue 72-hour certificates using stolen or fabricated identities so malicious files appeared legitimate to users and security tools.
- Investigators say the group created more than 1,000 certificates, set up hundreds of Azure tenants and accounts, and later offered preconfigured signing virtual machines hosted through Cloudzy.
- Ransomware and malware crews used the signed files in malvertising and search scams, with Vanilla Tempest deploying Rhysida after fake Microsoft Teams installs and others pushing Oyster, Lumma Stealer, and Vidar.
- Microsoft revoked over 1,000 certificates and worked with Resecurity, Europol EC3, and the FBI, reporting fewer new Fox Tempest certificates and cautioning that operators may try to rebuild using new infrastructure.
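As an added example, not code from the article or from Microsoft: a PowerShell triage pass that lists downloaded installers signed with a certificate whose lifetime is 72 hours or less (the lifetime the abused Artifact Signing certificates had) and whose subject is not on an expected-publisher list. The path, hour threshold and expected-subject list are placeholders, and it assumes legitimate Artifact Signing certificates are also short-lived, so a hit is a review-queue entry rather than a verdict.

```powershell
# Added example, not from the article. Flags Authenticode-signed files whose
# signing certificate lived 72 hours or less and whose publisher is unexpected.
# Assumption: short lifetime alone is a triage signal, because legitimate
# Artifact Signing certificates are short-lived as well.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # placeholder location
    [int]$MaxLifetimeHours = 72,
    # Publishers you expect to see; short-lived certs from anyone else get flagged.
    [string[]]$ExpectedSubjects = @('CN=Microsoft Corporation')
)

Get-ChildItem -Path $Path -Include *.exe, *.msi, *.dll -Recurse -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # unsigned file: covered by other controls

        $lifetime   = $cert.NotAfter - $cert.NotBefore
        $shortLived = $lifetime.TotalHours -le $MaxLifetimeHours
        $known      = $ExpectedSubjects | Where-Object { $cert.Subject -like "*$_*" }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status        # Valid, HashMismatch, NotTrusted, ...
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            LifetimeH  = [math]::Round($lifetime.TotalHours, 1)
            Thumbprint = $cert.Thumbprint   # keep for revocation checks later
            Review     = $shortLived -and -not $known
        }
    } |
    Where-Object { $_.Review } |
    Sort-Object LifetimeH |
    Format-Table -AutoSize
```

Files that were signed with a certificate Microsoft has since revoked will show a non-Valid Status once the revocation reaches the client, so re-running the pass after a revocation wave is a cheap way to find already-downloaded artifacts.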