AnyDesk Software A.I CyberSecurity Scoring
AnyDesk Software
Company Information
Website: http://anydesk.com
Number of employees: 360
Number of followers: 16,906
NAICS: 5112
Industry Type: Software Development
Homepage: anydesk.com
AnyDesk Software Risk Score (AI oriented)
Between 600 and 649
AnyDesk Software (Software Development)
Updated: 19/05/2026
646/1000
Poor
Caa
AnyDesk Software Global Score (TPRM)
Score locked

AnyDesk Software: Poor
Current Score
646 Caa (POOR)
3 incidents
-18 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
648
MAY 2026
677
Cyber Attack
18 May 2026 • AnyDesk Software
AnyDesk, Putty, Microsoft and Webex: Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation
646
CRITICAL-31
PUTWEBANYMIC1779215753
Microsoft has dismantled Fox Tempest, a sophisticated malware-signing-as-a-service (MSaaS) operation that enabled cybercriminals to bypass security defenses by making malicious software appear legitimate. The takedown, revealed in a U.S. District Court filing on Tuesday, targeted a service active since May 2025 that weaponized Microsoft’s Artifact Signing system, which is designed to verify software authenticity, to distribute malware and ransomware.
Cybercriminals, including affiliates of Rhysida, INC, Qilin, and Akira, used Fox Tempest to obtain fraudulent code-signing certificates, allowing malware to evade detection. The service provided short-lived certificates that mimicked trusted software like AnyDesk, Teams, Putty, and Webex, tricking users and security tools into executing malicious payloads. Microsoft’s investigation found that the group created over 1,000 certificates and established hundreds of Azure tenants to support its operations.
The disruption included seizing Fox Tempest’s website, taking down virtual machines, and revoking compromised certificates. Evidence showed cybercriminals complaining about the takedown, with some ransomware affiliates losing access to critical attack tools. Microsoft’s Digital Crimes Unit linked the service to the distribution of malware families such as Oyster, Lumma Stealer, and Vidar, delivered via malicious ads and fake download sites.
Fox Tempest operated as a well-resourced criminal enterprise, with dedicated teams for infrastructure, customer support, and financial transactions. Cryptocurrency analysis revealed the group earned millions of dollars from ransomware affiliates, with attacks targeting organizations in the U.S., China, France, and India. Unlike lower-cost cybercrime services, Fox Tempest charged thousands per operation, reflecting the growing sophistication of the cybercriminal ecosystem.
The takedown highlights how code-signing abuse undermines trust in digital security, allowing attackers to bypass defenses by masquerading as legitimate software. Microsoft’s actions aim to increase the cost of cybercrime by disrupting critical infrastructure used in large-scale attacks.
APRIL 2026
676
MARCH 2026
674
FEBRUARY 2026
673
JANUARY 2026
675
Vulnerability
05 Jan 2026 • AnyDesk Software
LogMeIn, PayPal, CyberProof and AnyDesk: Hackers Use Fake PayPal Notices to Steal Credentials, Deploy RMMs
Phishing-Led Intrusions Abusing Legitimate RMM Tools via Fake PayPal Alerts
670
LOW-5
GOTPAYCYBANY1768408080
New Phishing Campaign Exploits Fake PayPal Alerts to Hijack RMM Tools
A recent surge in phishing attacks is leveraging fake PayPal alerts to compromise both personal and corporate systems through legitimate remote monitoring and management (RMM) tools. CyberProof’s advisory, published on Tuesday, details a shift from seasonal lures such as holiday invites or tax notices to high-urgency financial scams designed to prompt immediate action.
Researchers analyzed six incidents across customer environments, including one case where an employee’s personal PayPal account became the initial entry point. On January 5, 2026, CyberProof’s Managed Detection and Response (MDR) team detected suspicious activity that later escalated into corporate access. The attack began with a fraudulent PayPal email, followed by phone-based social engineering. Posing as support staff, the attacker convinced the victim to install LogMeIn Rescue, later switching to AnyDesk to maintain persistence, all without triggering endpoint detection and response (EDR) alerts.
The attackers employed a tactic of using one RMM tool to install another, a method also observed in recent Broadcom research. This redundancy may help evade detection and exploit trial licenses before they expire. Artifacts from the attacks included multiple LogMeIn Rescue binaries and evidence of active remote sessions. Persistence was achieved through a scheduled task and a disguised startup shortcut, mimicking legitimate system activity.
While the immediate goal appears financial, CyberProof warned that such access could be sold to advanced persistent threat (APT) groups, leading to full corporate compromise or ransomware deployment. The firm highlighted the risks of RMM tool abuse and the need for stronger phishing controls, restricted network access to common RMM ports, and the avoidance of exposed remote services like RDP.
DECEMBER 2025
675
NOVEMBER 2025
675
OCTOBER 2025
673
SEPTEMBER 2025
672
AUGUST 2025
670
JULY 2025
668
AUGUST 2024
756
Ransomware
01 Aug 2024 • AnyDesk Software
AnyDesk
Mad Liberator Ransomware Group Exploits AnyDesk for Data Exfiltration
645
CRITICAL-111
ANY000082124
The Mad Liberator ransomware group used social engineering to exploit the remote-access application AnyDesk, gaining unauthorized access and exfiltrating data without the company's knowledge. They carried out a sophisticated attack involving a fake Windows update screen to hide their activities, successfully bypassing the victim's defenses by masking their actions behind a familiar system process. The incident did not involve encryption of data but focused on exfiltrating sensitive information through the misuse of AnyDesk's remote access capabilities. The attackers capitalized on the trust placed in IT departments' regular maintenance practices, which allowed them to carry out the attack unnoticed for almost four hours.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for AnyDesk Software?
What was AnyDesk Software's A.I Rankiteo Cyber Score in May 2026?
What was AnyDesk Software's A.I Rankiteo Cyber Score in April 2026?
What was AnyDesk Software's A.I Rankiteo Cyber Score in March 2026?
What was AnyDesk Software's A.I Rankiteo Cyber Score in February 2026?
What was AnyDesk Software's A.I Rankiteo Cyber Score in January 2026?
What was AnyDesk Software's A.I Rankiteo Cyber Score in December 2025?
What was AnyDesk Software's A.I Rankiteo Cyber Score in November 2025?
What was AnyDesk Software's A.I Rankiteo Cyber Score in October 2025?
What was AnyDesk Software's A.I Rankiteo Cyber Score in September 2025?
What was AnyDesk Software's A.I Rankiteo Cyber Score in August 2025?
What was AnyDesk Software's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on AnyDesk Software's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with AnyDesk Software?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view AnyDesk Software's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?