
Microsoft Removes Tool That Facilitated Ransomware Operations


Microsoft has taken significant steps to dismantle a cyber threat group known as Fox Tempest, a key player behind various Rhysida ransomware attacks and the development of malicious tools like Oyster, Lumma Stealer, and Vidar. The tech giant made headlines on May 19 when it revealed an unsealed legal case in the United States District Court for the Southern District of New York, specifically directed at this cyber crime organization.

In a thorough investigation, Microsoft’s Digital Crimes Unit (DCU) engaged directly with Fox Tempest’s operators, using undercover techniques to gather intelligence. The DCU identified the group’s operational infrastructure and worked with the organizations hosting it to disrupt the group’s activities. Microsoft is also working alongside the FBI and Europol’s European Cybercrime Centre (EC3) to identify the individuals behind Fox Tempest.

### Profiling Fox Tempest: A Financially Motivated Cybercrime Syndicate

Fox Tempest is described as a financially motivated cybercrime group that has been operational since at least May 2025. Rather than executing cyber attacks directly, the group is noted for its role as an enabler within the malware and ransomware supply chain, as articulated by Maurice Mason, a principal cybercrime investigator at Microsoft. In a recent press briefing, Mason disclosed that Fox Tempest primarily provides tools and services that facilitate malicious operations conducted by other cyber threat actors.

Notably, the group offers what it terms “malware-signing-as-a-service” (MSaaS), which lets cybercriminals make harmful software appear to be a legitimately signed application. This tactic undermines conventional security measures, which often treat a valid signature as evidence of legitimacy, and makes these threats harder to identify before they strike. Microsoft has indicated that Fox Tempest has collaborated closely with multiple ransomware groups, including Storm-2501, Storm-0249, and the infamous Rhysida, which Microsoft also tracks under the name Vanilla Tempest.

The Rhysida group has emerged prominently in this narrative, identified as a major co-conspirator in the lawsuit against Fox Tempest. Since its emergence, Rhysida has been connected to a slew of cyber incidents impacting educational institutions, healthcare organizations, and critical infrastructure globally. Noteworthy cyber attacks attributed to Rhysida include a significant incident at the British Library in October 2023 and a data extortion scheme that hit Seattle-Tacoma International Airport in September 2024.

### The Reach and Impact of Fox Tempest

The DCU has identified Fox Tempest’s fraudulent code-signing tools as critical enablers of various malware strains, including Aurora, Lumma Stealer, and Vidar. Affected systems were concentrated in the United States, France, and India, with further activity observed in China, Brazil, Germany, Japan, the UK, Italy, and Spain. Mason clarified that the presence of malicious files in these countries does not imply that these nations were directly targeted; rather, it indicates that systems within these countries contained files signed with the certificates produced through Fox Tempest’s service.

### Explaining Code-Signing Abuse

To facilitate its MSaaS tool, Fox Tempest has taken advantage of legitimate code-signing tools, such as Microsoft’s Artifact Signing system, introduced to assist software developers in verifying the legitimacy of applications. This manipulation enables cybercriminals to essentially “walk through the front door” of secure systems undetected. Steven Masada, global head of Microsoft’s DCU, emphasized how this fraudulent code-signing functions as a fake ID for malicious actors.

Fox Tempest’s approach is astonishingly user-friendly, enabling even those with limited technical expertise to utilize its services. Interested parties could obtain code-signing certificates through a simple drag-and-drop interface, with pricing tiers that include a standard version for $5,000, a priority service for $7,500, and an expedited option for $9,500. This accessibility underscores the need for urgent action from cybersecurity stakeholders.
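The practical lesson of the section above is that a valid Authenticode signature is a claim about who signed a file, not a trust decision. The following PowerShell triage helper is an added example written for this article, not code from Microsoft, the DCU, or the original report. It uses the built-in `Get-AuthenticodeSignature` cmdlet to report signature status, signer subject, issuer and thumbprint for a set of binaries, and flags two conditions a defender would want to review: a signer certificate that is not on a locally maintained publisher allowlist, and a certificate that was issued only recently. The allowlist value and the 30-day age threshold are placeholders to be replaced with the organisation's own.

```powershell
# Added example (not from the article or Microsoft): treat a valid Authenticode
# signature as one input to triage, not as a trust decision.
# Assumptions: $AllowedThumbprints is a placeholder allowlist the defender
# maintains; $MaxCertAgeDays is an arbitrary review threshold.

param(
    [Parameter(Mandatory)] [string[]] $Path,
    [string[]] $AllowedThumbprints = @('<PLACEHOLDER-THUMBPRINT-OF-EXPECTED-PUBLISHER>'),
    [int] $MaxCertAgeDays = 30
)

foreach ($file in Get-ChildItem -Path $Path -File) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    $note = @()

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or chain-validation failure: report the status as-is
        $note += "signature status $($sig.Status)"
    }
    elseif ($cert) {
        # A freshly issued certificate on a newly seen binary deserves a second look,
        # since signing-as-a-service offerings rely on newly minted certificates
        if ($cert.NotBefore -gt (Get-Date).AddDays(-$MaxCertAgeDays)) {
            $note += "certificate issued $($cert.NotBefore.ToShortDateString()) (under $MaxCertAgeDays days old)"
        }
        # Valid but from a publisher the organisation does not expect to run
        if ($AllowedThumbprints -notcontains $cert.Thumbprint) {
            $note += 'signer thumbprint not on allowlist'
        }
    }

    [pscustomobject]@{
        File       = $file.Name
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Review     = ($note -join '; ')
    }
}
```

Saved as a script (for example `Check-Signer.ps1`, a name chosen here) it can be run as `.\Check-Signer.ps1 -Path 'C:\Downloads\*.exe' | Format-Table -AutoSize`. Files whose `Review` column is empty carry a valid signature from an allowlisted, established certificate; everything else is surfaced for analyst review rather than silently trusted because the signature checked out.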

### Microsoft’s Comprehensive Takedown Strategy

In its quest to neutralize Fox Tempest, the DCU undertook a detailed investigation of the group’s infrastructure. Key to their operations was a website known as Signspace[dot]cloud, which employed authentic hosting providers, including UK-based Freak Hosting and Estonia-based Wavecom. Following a strategic shift in January 2026, Fox Tempest began utilizing Cloudzy, a VPS provider located in Dubai.

On May 5, Microsoft filed a civil court action against Fox Tempest in the Southern District of New York. Just three days later, a court order was granted allowing Microsoft to initiate its takedown operations. The DCU successfully transferred the group’s malicious domains to a Microsoft-controlled sinkhole and collaborated with Cloudzy to disable numerous virtual machines, effectively crippling Fox Tempest’s operations. This direct intervention led to the suspension of about 1,000 accounts tied to the threat actor’s infrastructure, marking a significant victory in the ongoing battle against cybercrime.

Mason also recounted the aftermath for SamCodeSign, a seller of code-signing certificates that had acted as an access broker for Fox Tempest. The difficulty SamCodeSign had in keeping its service running after the takedown reflects the broader impact of Microsoft’s action: an immediate reduction in the availability of Fox Tempest-made certificates.

“This proactive approach marks an unprecedented move by Microsoft to address a powerful but often invisible facilitator within the cybercrime ecosystem,” Masada stated. By targeting the essential tools and mechanisms that cybercriminals utilize to enhance their operational success, Microsoft is paving the way for a more secure digital environment. The public action against Fox Tempest underscores a growing recognition of the necessity to confront the intricate web of cybercrime enabling structures that thrive in the shadows.
