Microsoft Takes Down Group Operating Ransomware-Enabling Signing Tool

https://www.infosecurity-magazine.com/news/microsoft-takes-down-fox-tempest/

Publish Date: 2026-05-19 11:00:00

Source Domain: www.infosecurity-magazine.com

Microsoft has cracked down on Fox Tempest, a cyber threat actor that fueled Rhysida ransomware attacks and developed tools for major malware strains like Oyster, Lumma Stealer, and Vidar.

On May 19, the tech giant unsealed a legal case in the US District Court for the Southern District of New York focused on the group.

It also shared details of how its Digital Crimes Unit (DCU) agents have engaged with Fox Tempest’s operators using undercover personas, identified the group’s infrastructure, collaborated with some of the organizations hosting this infrastructure and disrupted the group’s operations.

Microsoft is now working with the FBI and Europol’s European Cybercrime Centre (EC3) to uncover the identity of people behind the group.

Fox Tempest: A Prolific Cybercrime-Enabling Group

Fox Tempest is a financially motivated threat actor that has been active since at least May 2025.

The group operates “in the upstream in the malware and ransomware supply chain, as an enabler,” Maurice Mason, principal cybercrime investigator at Microsoft’s Digital Crimes Unit, explained during a press briefing held on May 18.

This means that, instead of carrying out malicious operations themselves, Fox Tempest provides tools and services enabling other cyber-threat actors to do so.

Specifically, the group sells what Microsoft calls a “malware-signing-as-a-service” (MSaaS) offering, which allows cybercriminals to disguise malware as legitimate software and thereby evade traditional security defenses.

Microsoft assessed that Fox Tempest has worked closely with several ransomware groups.

These include Storm-2501, Storm-0249 and Rhysida, a group tracked by Microsoft as Vanilla Tempest.

Rhysida, in particular, was named as a Fox Tempest co-conspirator in the lawsuit. The group has been linked to multiple cyber-attacks between 2023 and April 2026, including schools, hospitals, medical institutions and other critical…
