Microsoft Disrupts Ransomware Signing Tool Operation

Summary
– Microsoft unsealed a legal case against Fox Tempest in the US District Court for the Southern District of New York on May 19.
– Fox Tempest is a financially motivated threat actor active since at least May 2025, providing malware-signing-as-a-service to help other criminals evade security defenses.
– Microsoft’s Digital Crimes Unit used undercover personas, identified infrastructure, and collaborated with hosting organizations to disrupt Fox Tempest’s operations.
– Microsoft is now working with the FBI and Europol’s European Cybercrime Centre to identify the individuals behind the group.
– Fox Tempest has worked closely with ransomware groups including Rhysida, which has been linked to attacks on schools, hospitals, and critical infrastructure worldwide.
Microsoft has moved decisively against Fox Tempest, a cybercriminal group that served as a key enabler for Rhysida ransomware attacks and supplied custom tools for major malware strains including Oyster, Lumma Stealer, and Vidar.
On May 19, the tech giant unsealed a legal action in the U.S. District Court for the Southern District of New York targeting the operation. The company also disclosed how agents from its Digital Crimes Unit (DCU) infiltrated the group using undercover personas, mapped its infrastructure, coordinated with hosting providers to dismantle parts of that network, and ultimately disrupted the group’s activities.
Microsoft is now collaborating with the FBI and Europol’s European Cybercrime Centre (EC3) to identify the individuals behind Fox Tempest.
A Key Enabler of the Cybercrime Supply Chain
Fox Tempest is a financially motivated threat actor that has been active since at least May 2025. According to Maurice Mason, principal cybercrime investigator at Microsoft’s Digital Crimes Unit, the group operates “upstream in the malware and ransomware supply chain, as an enabler.” During a press briefing on May 18, Mason explained that Fox Tempest does not conduct its own malicious attacks. Instead, it provides tools and services that allow other cybercriminals to do so.
The group’s core offering is what Microsoft terms “malware-signing-as-a-service” (MSaaS). By attaching code signatures to malicious binaries, the service makes malware appear to be legitimately published software, so it slips past security controls that treat a valid code signature as a sign of trustworthiness.
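The practical consequence for defenders is that a signature which validates is not, by itself, evidence that a binary is benign. The PowerShell below is an added triage example, not code from the article or from Microsoft: it sweeps recently written executables, checks their Authenticode status, and surfaces the bucket that signed malware lands in, namely files whose signature is Valid but whose signer is not a publisher you expect on that host. The scan roots, the seven-day window and the signer allowlist are assumptions to adapt to your environment.

```powershell
# Added example (not from the article or Microsoft). Flags signed binaries whose
# publisher is not on an allowlist, since a Valid status only proves the chain
# reaches a trusted root, not that the publisher is one you expect.

function Find-UnexpectedSigner {
    param(
        # Assumed locations where dropped payloads commonly land.
        [string[]] $ScanRoots = @("$env:ProgramData", "$env:TEMP", "$env:LOCALAPPDATA"),
        # Assumed allowlist of expected signer subjects; extend with your vendors.
        [string[]] $TrustedSigners = @(
            'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
        ),
        [int] $DaysBack = 7
    )

    $since = (Get-Date).AddDays(-$DaysBack)

    $findings = Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
                Signer     = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }

    # The interesting set: signature chains to a trusted root, but the publisher
    # is nobody you recognise. Unsigned and tampered files are worth a look too,
    # but those are what conventional controls already catch.
    $findings | Where-Object {
        $_.Status -eq 'Valid' -and $_.Signer -notin $TrustedSigners
    }
}

# Newly issued certificates used on freshly written files are the pattern to
# prioritise, so sort by certificate validity start before reviewing.
Find-UnexpectedSigner |
    Sort-Object NotBefore -Descending |
    Format-Table Path, Signer, NotBefore, Thumbprint, Sha256 -AutoSize
```

The thumbprint and SHA-256 columns are there so that a reviewer who confirms a file is malicious can block both the binary and the signing certificate rather than only the one hash, which matters when the same certificate has been applied to many payloads.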
Microsoft assesses that Fox Tempest worked closely with several ransomware groups, including Storm-2501, Storm-0249, and Rhysida (tracked by Microsoft as Vanilla Tempest). In the lawsuit, Rhysida is named as a co-conspirator. Rhysida has been linked to multiple cyberattacks between 2023 and April 2026 targeting schools, hospitals, medical facilities, and other critical infrastructure organizations worldwide.
Rhysida is also believed to be responsible for an October 2023 breach of the British Library and a data extortion attack against Seattle-Tacoma International Airport in September 2024.
(Source: Infosecurity Magazine)