{
  "type": "Domain",
  "indicator": "signspace.cloud",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/signspace.cloud",
    "alexa": "http://www.alexa.com/siteinfo/signspace.cloud",
    "indicator": "signspace.cloud",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4368530745,
      "indicator": "signspace.cloud",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "6a0ec4bc3bab6cd24d3d05be",
          "name": "Politicians to Ditch Signal for Homegrown Apps",
          "description": "European governments are transitioning from encrypted messaging applications like Signal and WhatsApp to sovereign Matrix-based solutions. This shift follows successful phishing campaigns, primarily attributed to Russian intelligence services, exploiting Signal's linked devices feature to gain persistent access to political communications. While Signal was initially recommended for external communications, scope creep led to its widespread use for sensitive statecraft discussions. Matrix-based systems offer advantages including federated architecture, government-controlled identity platforms, and customizable data retention policies. However, these homegrown solutions introduce new security vulnerabilities and implementation challenges. The walled-garden nature of current sovereign systems limits their utility for international diplomacy, suggesting Signal will continue to be used for communications with external parties despite the security concerns.",
          "modified": "2026-05-21T16:39:25.594000",
          "created": "2026-05-21T08:39:24.349000",
          "tags": [
            "fast16",
            "phishing attacks",
            "sovereign messaging",
            "encrypted communications",
            "diplomatic security",
            "european governments",
            "stuxnet",
            "signal",
            "matrix protocol",
            "whatsapp"
          ],
          "references": [
            "https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/"
          ],
          "public": 1,
          "adversary": "Russia",
          "targeted_countries": [
            "United States of America",
            "Belgium",
            "France",
            "Germany",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Stuxnet - S0603",
              "display_name": "Stuxnet - S0603",
              "target": null
            },
            {
              "id": "W32.Stuxnet",
              "display_name": "W32.Stuxnet",
              "target": null
            },
            {
              "id": "Fast16",
              "display_name": "Fast16",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1534",
              "name": "Internal Spearphishing",
              "display_name": "T1534 - Internal Spearphishing"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1
          },
          "indicator_count": 1,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386483,
          "modified_text": "9 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0ca3690196d40952527b96",
          "name": "Exposing Fox Tempest: A malware-signing service operation",
          "description": "Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors like Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between $5000-$9000 USD. Attacks impacted healthcare, education, government, and financial services sectors globally.",
          "modified": "2026-05-21T00:24:05.220000",
          "created": "2026-05-19T17:52:41.390000",
          "tags": [
            "azure abuse",
            "akira",
            "code-signing certificates",
            "msaas",
            "oyster",
            "vidar",
            "ransomware enabler",
            "lumma stealer",
            "oyster backdoor",
            "blackbyte",
            "qilin",
            "malware-signing-as-a-service",
            "rhysida",
            "inc",
            "vanilla tempest"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
          ],
          "public": 1,
          "adversary": "Fox Tempest",
          "targeted_countries": [
            "United States of America",
            "British Indian Ocean Territory",
            "China",
            "France",
            "India"
          ],
          "malware_families": [
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Oyster",
              "display_name": "Oyster",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Brave Prince - S0252",
              "display_name": "Brave Prince - S0252",
              "target": null
            },
            {
              "id": "Qilin",
              "display_name": "Qilin",
              "target": null
            },
            {
              "id": "Akira",
              "display_name": "Akira",
              "target": null
            },
            {
              "id": "BlackByte",
              "display_name": "BlackByte",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1136.001",
              "name": "Local Account",
              "display_name": "T1136.001 - Local Account"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036.001",
              "name": "Invalid Code Signature",
              "display_name": "T1036.001 - Invalid Code Signature"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386482,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5fa1852d337eca8e99c2ec32",
          "name": "Malware - Malware Domain Feed V2 - November 03 2020",
          "description": "Command and Control domains for malware. These domains are extracted from a number of sources and are considered suspicious.",
          "modified": "2026-05-30T03:19:46.084000",
          "created": "2020-11-03T16:28:29.011000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 552487,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 49967,
            "domain": 75353
          },
          "indicator_count": 125320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1727,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a12fc685c724f6f873953e6",
          "name": "EbeeMay2026 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-24T13:26:00.146000",
          "created": "2026-05-24T13:26:00.146000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "cve20232868 cve",
            "cve20231389 cve",
            "cve20214034 cve",
            "cve20213493 cve"
          ],
          "references": [
            "IOCs-MAY2.csv"
          ],
          "public": 1,
          "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 71,
            "URL": 59,
            "FileHash-MD5": 169,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 225,
            "CIDR": 1,
            "CVE": 29,
            "domain": 128,
            "hostname": 111
          },
          "indicator_count": 946,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "6 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a12843bfa62f3048b801a6f",
          "name": "Politicians to Ditch Signal for Homegrown Apps",
          "description": "",
          "modified": "2026-05-24T04:53:15.584000",
          "created": "2026-05-24T04:53:15.584000",
          "tags": [
            "fast16",
            "phishing attacks",
            "sovereign messaging",
            "encrypted communications",
            "diplomatic security",
            "european governments",
            "stuxnet",
            "signal",
            "matrix protocol",
            "whatsapp"
          ],
          "references": [
            "https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/"
          ],
          "public": 1,
          "adversary": "Russia",
          "targeted_countries": [
            "United States of America",
            "Belgium",
            "France",
            "Germany",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Stuxnet - S0603",
              "display_name": "Stuxnet - S0603",
              "target": null
            },
            {
              "id": "W32.Stuxnet",
              "display_name": "W32.Stuxnet",
              "target": null
            },
            {
              "id": "Fast16",
              "display_name": "Fast16",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1534",
              "name": "Internal Spearphishing",
              "display_name": "T1534 - Internal Spearphishing"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "6a0ec4bc3bab6cd24d3d05be",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1
          },
          "indicator_count": 1,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "7 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a10c1c488a7f300a313067e",
          "name": "FoxTempest Malware Signing Abuse Campaign",
          "description": "Fox Tempest abused Microsoft\u2019s signing infrastructure to issue trusted certificates for malware, enabling attackers to bypass security controls and distribute ransomware and stealers via fake software installers. The service impacted multiple sectors globally, including government, healthcare, finance and education, before being disrupted in 2026 by Microsoft through certificate revocation and infrastructure takedown.",
          "modified": "2026-05-22T20:51:16.677000",
          "created": "2026-05-22T20:51:16.677000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "IPv4": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 502,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0e8fa9968222a1aea671ac",
          "name": "Exposing Fox Tempest: A malware-signing service operation",
          "description": "",
          "modified": "2026-05-21T04:52:57.486000",
          "created": "2026-05-21T04:52:57.486000",
          "tags": [
            "azure abuse",
            "akira",
            "code-signing certificates",
            "msaas",
            "oyster",
            "vidar",
            "ransomware enabler",
            "lumma stealer",
            "oyster backdoor",
            "blackbyte",
            "qilin",
            "malware-signing-as-a-service",
            "rhysida",
            "inc",
            "vanilla tempest"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
          ],
          "public": 1,
          "adversary": "Fox Tempest",
          "targeted_countries": [
            "United States of America",
            "British Indian Ocean Territory",
            "China",
            "France",
            "India"
          ],
          "malware_families": [
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Oyster",
              "display_name": "Oyster",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Brave Prince - S0252",
              "display_name": "Brave Prince - S0252",
              "target": null
            },
            {
              "id": "Qilin",
              "display_name": "Qilin",
              "target": null
            },
            {
              "id": "Akira",
              "display_name": "Akira",
              "target": null
            },
            {
              "id": "BlackByte",
              "display_name": "BlackByte",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1136.001",
              "name": "Local Account",
              "display_name": "T1136.001 - Local Account"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036.001",
              "name": "Invalid Code Signature",
              "display_name": "T1036.001 - Invalid Code Signature"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "6a0ca3690196d40952527b96",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0e78a4a708697231dce14a",
          "name": "IOC - Exposing Fox Tempest: A malware-signing service operation",
          "description": "",
          "modified": "2026-05-21T03:14:44.842000",
          "created": "2026-05-21T03:14:44.842000",
          "tags": [
            "azure abuse",
            "akira",
            "code-signing certificates",
            "msaas",
            "oyster",
            "vidar",
            "ransomware enabler",
            "lumma stealer",
            "oyster backdoor",
            "blackbyte",
            "qilin",
            "malware-signing-as-a-service",
            "rhysida",
            "inc",
            "vanilla tempest"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
          ],
          "public": 1,
          "adversary": "Fox Tempest",
          "targeted_countries": [
            "United States of America",
            "British Indian Ocean Territory",
            "China",
            "France",
            "India"
          ],
          "malware_families": [
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Oyster",
              "display_name": "Oyster",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Brave Prince - S0252",
              "display_name": "Brave Prince - S0252",
              "target": null
            },
            {
              "id": "Qilin",
              "display_name": "Qilin",
              "target": null
            },
            {
              "id": "Akira",
              "display_name": "Akira",
              "target": null
            },
            {
              "id": "BlackByte",
              "display_name": "BlackByte",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1136.001",
              "name": "Local Account",
              "display_name": "T1136.001 - Local Account"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036.001",
              "name": "Invalid Code Signature",
              "display_name": "T1036.001 - Invalid Code Signature"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "6a0ca3690196d40952527b96",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0da30900c4f27be5dad4e6",
          "name": "Exposing Fox Tempest: A malware-signing service operation.",
          "description": "Fox Tempest is a financially motivated threat actor specializing in malware-signing-as-a-service (MSaaS), enabling the distribution of malicious code, particularly ransomware, by providing fraudulent code-signing certificates. This service exploits Microsoft Artifact Signing to create short-lived certificates that lend a facade of legitimacy, allowing malware to circumvent security mechanisms. Fox Tempest has generated over a thousand such certificates and operated hundreds of Azure tenants and subscriptions to facilitate its activities, which have included backing various malware families such as Rhysida ransomware, Oyster, Lumma Stealer, and Vidar.",
          "modified": "2026-05-20T12:03:21.930000",
          "created": "2026-05-20T12:03:21.930000",
          "tags": [
            "fox tempest",
            "trojan",
            "defender",
            "microsoft",
            "intelligence",
            "antivirus",
            "tempest",
            "ransom",
            "msaas offering",
            "vidar",
            "qilin",
            "malware",
            "ransomware",
            "lumma stealer",
            "akira",
            "anydesk",
            "webex",
            "february",
            "telegram",
            "june",
            "broomstick",
            "malcert",
            "blackbyte",
            "rhysida",
            "twitter",
            "bluesky",
            "oyster"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Oyster",
              "display_name": "Oyster",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1585.001",
              "name": "Social Media Accounts",
              "display_name": "T1585.001 - Social Media Accounts"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Financial Services"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0b53626be41dfe6834d2e4",
          "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit  *   CAPE Sandbox",
          "description": "Standalone iOS Mobile Infrastructure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe JS loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag, and memory exhaustion without raising traditional system-level malware flags.",
          "modified": "2026-05-20T08:57:18.461000",
          "created": "2026-05-18T17:58:58.565000",
          "tags": [
            "link",
            "calendar",
            "keep track",
            "apple support",
            "doctype html",
            "title",
            "locale",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "meta",
            "defense evasion",
            "next",
            "meta tags",
            "script tags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo",
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6",
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 54,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 281,
            "hostname": 149,
            "URL": 255,
            "domain": 118
          },
          "indicator_count": 864,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0b5364337dfd91041f4d22",
          "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit  *   CAPE Sandbox",
          "description": "Standalone iOS Mobile Infrastructure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe JS loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag, and memory exhaustion without raising traditional system-level malware flags.",
          "modified": "2026-05-20T08:56:56.059000",
          "created": "2026-05-18T17:59:00.842000",
          "tags": [
            "link",
            "calendar",
            "keep track",
            "apple support",
            "doctype html",
            "title",
            "locale",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "meta",
            "defense evasion",
            "next",
            "meta tags",
            "script tags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo",
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6",
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 54,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 281,
            "hostname": 149,
            "URL": 255,
            "domain": 118
          },
          "indicator_count": 864,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0b535b1d8235c877c4fc81",
          "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit  *   CAPE Sandbox",
          "description": "Standalone iOS Mobile Infrastructure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe JS loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag, and memory exhaustion without raising traditional system-level malware flags.",
          "modified": "2026-05-20T08:52:51.376000",
          "created": "2026-05-18T17:58:51.398000",
          "tags": [
            "link",
            "calendar",
            "keep track",
            "apple support",
            "doctype html",
            "title",
            "locale",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "meta",
            "defense evasion",
            "next",
            "meta tags",
            "script tags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo",
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6",
            "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 54,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 281,
            "hostname": 149,
            "URL": 255,
            "domain": 117
          },
          "indicator_count": 863,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0d42a406f194178e8b728c",
          "name": "Exposing Fox Tempest: A malware-signing service operation | Microsoft Security Blog",
          "description": "Microsoft has exposed Fox Tempest, a malware-signing service operation used by other cybercriminals to more effectively distribute malicious code, including ransomware, in a post published on the Microsoft Security Blog.",
          "modified": "2026-05-20T05:12:04.027000",
          "created": "2026-05-20T05:12:04.027000",
          "tags": [
            "fox tempest",
            "vanilla tempest",
            "trojan",
            "defender",
            "microsoft",
            "intelligence",
            "antivirus",
            "tempest",
            "ransom",
            "msaas offering",
            "vidar",
            "qilin",
            "malware",
            "ransomware",
            "lumma stealer",
            "akira",
            "anydesk",
            "putty",
            "webex",
            "february",
            "telegram",
            "june",
            "broomstick",
            "backdoor",
            "malcert",
            "blackbyte",
            "rhysida",
            "twitter",
            "bluesky",
            "oyster"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "France",
            "India",
            "China"
          ],
          "malware_families": [
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Oyster",
              "display_name": "Oyster",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Financial Services"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0d42806a669e0aa319e28a",
          "name": "Exposing Fox Tempest: A malware-signing service operation | Microsoft Security Blog",
          "description": "In a blog published in the Microsoft Security Review, Microsoft has exposed Fox Tempest, a malware-signing service operation used by other cybercriminals to distribute malicious code, including ransomware, more effectively.",
          "modified": "2026-05-20T05:11:28.509000",
          "created": "2026-05-20T05:11:28.509000",
          "tags": [
            "fox tempest",
            "vanilla tempest",
            "trojan",
            "defender",
            "microsoft",
            "intelligence",
            "antivirus",
            "tempest",
            "ransom",
            "msaas offering",
            "vidar",
            "qilin",
            "malware",
            "ransomware",
            "lumma stealer",
            "akira",
            "anydesk",
            "putty",
            "webex",
            "february",
            "telegram",
            "june",
            "broomstick",
            "backdoor",
            "malcert",
            "blackbyte",
            "rhysida",
            "twitter",
            "bluesky",
            "oyster"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "France",
            "India",
            "China"
          ],
          "malware_families": [
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Oyster",
              "display_name": "Oyster",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Financial Services"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs-MAY2.csv",
        "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6",
        "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo",
        "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/",
        "https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/",
        "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Fox Tempest",
            "Russia"
          ],
          "malware_families": [
            "Rhysida",
            "Stuxnet - s0603",
            "Oyster",
            "W32.stuxnet",
            "Blackbyte",
            "Qilin",
            "Brave prince - s0252",
            "Vidar",
            "Fast16",
            "Akira",
            "Lumma stealer"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Finance",
            "Education"
          ]
        },
        "other": {
          "adversary": [
            "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
            "Russia",
            "Fox Tempest"
          ],
          "malware_families": [
            "Rhysida",
            "Stuxnet - s0603",
            "Oyster",
            "W32.stuxnet",
            "Blackbyte",
            "Qilin",
            "Brave prince - s0252",
            "Vidar",
            "Fast16",
            "Akira",
            "Lumma stealer"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Finance",
            "Education",
            "Financial services"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "6a0ec4bc3bab6cd24d3d05be",
      "name": "Politicians to Ditch Signal for Homegrown Apps",
      "description": "European governments are transitioning from encrypted messaging applications like Signal and WhatsApp to sovereign Matrix-based solutions. This shift follows successful phishing campaigns, primarily attributed to Russian intelligence services, exploiting Signal's linked devices feature to gain persistent access to political communications. While Signal was initially recommended for external communications, scope creep led to its widespread use for sensitive statecraft discussions. Matrix-based systems offer advantages including federated architecture, government-controlled identity platforms, and customizable data retention policies. However, these homegrown solutions introduce new security vulnerabilities and implementation challenges. The walled-garden nature of current sovereign systems limits their utility for international diplomacy, suggesting Signal will continue to be used for communications with external parties despite the security concerns.",
      "modified": "2026-05-21T16:39:25.594000",
      "created": "2026-05-21T08:39:24.349000",
      "tags": [
        "fast16",
        "phishing attacks",
        "sovereign messaging",
        "encrypted communications",
        "diplomatic security",
        "european governments",
        "stuxnet",
        "signal",
        "matrix protocol",
        "whatsapp"
      ],
      "references": [
        "https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/"
      ],
      "public": 1,
      "adversary": "Russia",
      "targeted_countries": [
        "United States of America",
        "Belgium",
        "France",
        "Germany",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "Stuxnet - S0603",
          "display_name": "Stuxnet - S0603",
          "target": null
        },
        {
          "id": "W32.Stuxnet",
          "display_name": "W32.Stuxnet",
          "target": null
        },
        {
          "id": "Fast16",
          "display_name": "Fast16",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1534",
          "name": "Internal Spearphishing",
          "display_name": "T1534 - Internal Spearphishing"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1
      },
      "indicator_count": 1,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386483,
      "modified_text": "9 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0ca3690196d40952527b96",
      "name": "Exposing Fox Tempest: A malware-signing service operation",
      "description": "Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors like Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between $5000-$9000 USD. Attacks impacted healthcare, education, government, and financial services sectors globally.",
      "modified": "2026-05-21T00:24:05.220000",
      "created": "2026-05-19T17:52:41.390000",
      "tags": [
        "azure abuse",
        "akira",
        "code-signing certificates",
        "msaas",
        "oyster",
        "vidar",
        "ransomware enabler",
        "lumma stealer",
        "oyster backdoor",
        "blackbyte",
        "qilin",
        "malware-signing-as-a-service",
        "rhysida",
        "inc",
        "vanilla tempest"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
      ],
      "public": 1,
      "adversary": "Fox Tempest",
      "targeted_countries": [
        "United States of America",
        "British Indian Ocean Territory",
        "China",
        "France",
        "India"
      ],
      "malware_families": [
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "Oyster",
          "display_name": "Oyster",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Brave Prince - S0252",
          "display_name": "Brave Prince - S0252",
          "target": null
        },
        {
          "id": "Qilin",
          "display_name": "Qilin",
          "target": null
        },
        {
          "id": "Akira",
          "display_name": "Akira",
          "target": null
        },
        {
          "id": "BlackByte",
          "display_name": "BlackByte",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1136.001",
          "name": "Local Account",
          "display_name": "T1136.001 - Local Account"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036.001",
          "name": "Invalid Code Signature",
          "display_name": "T1036.001 - Invalid Code Signature"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3,
        "domain": 1
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386482,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5fa1852d337eca8e99c2ec32",
      "name": "Malware - Malware Domain Feed V2 - November 03 2020",
      "description": "Command-and-control domains for malware. These domains are extracted from a number of sources and are suspicious.",
      "modified": "2026-05-30T03:19:46.084000",
      "created": "2020-11-03T16:28:29.011000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 552487,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 49967,
        "domain": 75353
      },
      "indicator_count": 125320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1727,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a12fc685c724f6f873953e6",
      "name": "EbeeMay2026 Pt4",
      "description": "Multiple APT/threat actors, malware and campaigns",
      "modified": "2026-05-24T13:26:00.146000",
      "created": "2026-05-24T13:26:00.146000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "cve20232868 cve",
        "cve20231389 cve",
        "cve20214034 cve",
        "cve20213493 cve"
      ],
      "references": [
        "IOCs-MAY2.csv"
      ],
      "public": 1,
      "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 71,
        "URL": 59,
        "FileHash-MD5": 169,
        "FileHash-SHA1": 153,
        "FileHash-SHA256": 225,
        "CIDR": 1,
        "CVE": 29,
        "domain": 128,
        "hostname": 111
      },
      "indicator_count": 946,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "6 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a12843bfa62f3048b801a6f",
      "name": "Politicians to Ditch Signal for Homegrown Apps",
      "description": "",
      "modified": "2026-05-24T04:53:15.584000",
      "created": "2026-05-24T04:53:15.584000",
      "tags": [
        "fast16",
        "phishing attacks",
        "sovereign messaging",
        "encrypted communications",
        "diplomatic security",
        "european governments",
        "stuxnet",
        "signal",
        "matrix protocol",
        "whatsapp"
      ],
      "references": [
        "https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/"
      ],
      "public": 1,
      "adversary": "Russia",
      "targeted_countries": [
        "United States of America",
        "Belgium",
        "France",
        "Germany",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "Stuxnet - S0603",
          "display_name": "Stuxnet - S0603",
          "target": null
        },
        {
          "id": "W32.Stuxnet",
          "display_name": "W32.Stuxnet",
          "target": null
        },
        {
          "id": "Fast16",
          "display_name": "Fast16",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1534",
          "name": "Internal Spearphishing",
          "display_name": "T1534 - Internal Spearphishing"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "6a0ec4bc3bab6cd24d3d05be",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1
      },
      "indicator_count": 1,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "7 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a10c1c488a7f300a313067e",
      "name": "FoxTempest Malware Signing Abuse Campaign",
      "description": "Fox Tempest abused Microsoft\u2019s signing infrastructure to issue trusted certificates for malware, enabling attackers to bypass security controls and distribute ransomware and stealers via fake software installers. The service impacted multiple sectors globally, including government, healthcare, finance and education, before being disrupted in 2026 by Microsoft through certificate revocation and infrastructure takedown.",
      "modified": "2026-05-22T20:51:16.677000",
      "created": "2026-05-22T20:51:16.677000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "IPv4": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 502,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0e8fa9968222a1aea671ac",
      "name": "Exposing Fox Tempest: A malware-signing service operation",
      "description": "",
      "modified": "2026-05-21T04:52:57.486000",
      "created": "2026-05-21T04:52:57.486000",
      "tags": [
        "azure abuse",
        "akira",
        "code-signing certificates",
        "msaas",
        "oyster",
        "vidar",
        "ransomware enabler",
        "lumma stealer",
        "oyster backdoor",
        "blackbyte",
        "qilin",
        "malware-signing-as-a-service",
        "rhysida",
        "inc",
        "vanilla tempest"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
      ],
      "public": 1,
      "adversary": "Fox Tempest",
      "targeted_countries": [
        "United States of America",
        "British Indian Ocean Territory",
        "China",
        "France",
        "India"
      ],
      "malware_families": [
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "Oyster",
          "display_name": "Oyster",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Brave Prince - S0252",
          "display_name": "Brave Prince - S0252",
          "target": null
        },
        {
          "id": "Qilin",
          "display_name": "Qilin",
          "target": null
        },
        {
          "id": "Akira",
          "display_name": "Akira",
          "target": null
        },
        {
          "id": "BlackByte",
          "display_name": "BlackByte",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1136.001",
          "name": "Local Account",
          "display_name": "T1136.001 - Local Account"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036.001",
          "name": "Invalid Code Signature",
          "display_name": "T1036.001 - Invalid Code Signature"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "6a0ca3690196d40952527b96",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3,
        "domain": 1
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0e78a4a708697231dce14a",
      "name": "IOC - Exposing Fox Tempest: A malware-signing service operation",
      "description": "",
      "modified": "2026-05-21T03:14:44.842000",
      "created": "2026-05-21T03:14:44.842000",
      "tags": [
        "azure abuse",
        "akira",
        "code-signing certificates",
        "msaas",
        "oyster",
        "vidar",
        "ransomware enabler",
        "lumma stealer",
        "oyster backdoor",
        "blackbyte",
        "qilin",
        "malware-signing-as-a-service",
        "rhysida",
        "inc",
        "vanilla tempest"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
      ],
      "public": 1,
      "adversary": "Fox Tempest",
      "targeted_countries": [
        "United States of America",
        "British Indian Ocean Territory",
        "China",
        "France",
        "India"
      ],
      "malware_families": [
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "Oyster",
          "display_name": "Oyster",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Brave Prince - S0252",
          "display_name": "Brave Prince - S0252",
          "target": null
        },
        {
          "id": "Qilin",
          "display_name": "Qilin",
          "target": null
        },
        {
          "id": "Akira",
          "display_name": "Akira",
          "target": null
        },
        {
          "id": "BlackByte",
          "display_name": "BlackByte",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1136.001",
          "name": "Local Account",
          "display_name": "T1136.001 - Local Account"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036.001",
          "name": "Invalid Code Signature",
          "display_name": "T1036.001 - Invalid Code Signature"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "6a0ca3690196d40952527b96",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3,
        "domain": 1
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0da30900c4f27be5dad4e6",
      "name": "Exposing Fox Tempest: A malware-signing service operation.",
      "description": "Fox Tempest is a financially motivated threat actor specializing in malware-signing-as-a-service (MSaaS), enabling the distribution of malicious code, particularly ransomware, by providing fraudulent code-signing certificates. This service exploits Microsoft Artifact Signing to create short-lived certificates that lend a facade of legitimacy, allowing malware to circumvent security mechanisms. Fox Tempest has generated over a thousand such certificates and operated hundreds of Azure tenants and subscriptions to facilitate its activities, which have included backing various malware families such as Rhysida ransomware, Oyster, Lumma Stealer, and Vidar.",
      "modified": "2026-05-20T12:03:21.930000",
      "created": "2026-05-20T12:03:21.930000",
      "tags": [
        "fox tempest",
        "trojan",
        "defender",
        "microsoft",
        "intelligence",
        "antivirus",
        "tempest",
        "ransom",
        "msaas offering",
        "vidar",
        "qilin",
        "malware",
        "ransomware",
        "lumma stealer",
        "akira",
        "anydesk",
        "webex",
        "february",
        "telegram",
        "june",
        "broomstick",
        "malcert",
        "blackbyte",
        "rhysida",
        "twitter",
        "bluesky",
        "oyster"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "Oyster",
          "display_name": "Oyster",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1585.001",
          "name": "Social Media Accounts",
          "display_name": "T1585.001 - Social Media Accounts"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government",
        "Financial Services"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3,
        "domain": 1
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0b53626be41dfe6834d2e4",
      "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit  *   CAPE Sandbox",
      "description": "Standalone iOS Mobile Infrastructure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag, and memory exhaustion without raising traditional system-level malware flags.",
      "modified": "2026-05-20T08:57:18.461000",
      "created": "2026-05-18T17:58:58.565000",
      "tags": [
        "link",
        "calendar",
        "keep track",
        "apple support",
        "doctype html",
        "title",
        "locale",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "meta",
        "defense evasion",
        "next",
        "meta tags",
        "script tags"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo",
        "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6",
        "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 54,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 281,
        "hostname": 149,
        "URL": 255,
        "domain": 118
      },
      "indicator_count": 864,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "signspace.cloud",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "signspace.cloud",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205711.7163076
}