Fox Tempest Takedown — Microsoft DCU Dismantles Malware-Signing Service Operation

What Happened

Microsoft’s Digital Crimes Unit (DCU) has taken down the infrastructure of Fox Tempest, a financially motivated threat actor active since at least May 2025. The group operated as an enabler “upstream in the malware and ransomware supply chain” — not conducting attacks directly, but selling a malware-signing-as-a-service (MSaaS) offering that allowed cybercriminals to disguise malware as legitimate, trusted software.

Legal Action

On May 5, Microsoft filed a civil court action with the Southern District of New York and was granted a court order three days later. The DCU then transferred the group’s malicious domains to a Microsoft-owned sinkhole, disabled hundreds of virtual machines hosted on Cloudzy (a VPS provider based in Dubai), took down approximately 1,000 accounts, and suspended the threat actor’s repository.

Scale of the Operation

Microsoft estimates Fox Tempest generated more than 1,000 fraudulent certificates and operated hundreds of Azure tenants and subscriptions supporting the service.

Ransomware Groups Served

Malware signed through Fox Tempest’s service was used by ransomware groups and cybercriminal operations including Rhysida, Akira, INC, and Vanilla Tempest. Because many security controls treat a valid Authenticode signature as a trust signal, the fraudulently obtained certificates let attackers pass off malicious software as legitimate applications and slip past filters that would otherwise block or flag unsigned binaries.
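The practical lesson of the paragraph above is that "signed" is not the same as "trusted": a signature that validates to a public root only proves that someone held a key issued by a CA, not that the publisher is one you have vetted. The PowerShell script below is an added example (written for this page, not Microsoft's or Resecurity's code) that audits a directory of binaries with the built-in Get-AuthenticodeSignature cmdlet and flags three things a practitioner would want to see: files whose signature fails to validate, files that validate but whose signer thumbprint is not on a local allowlist, and signers whose certificate was issued very recently. The allowlist, the example path, and the 30-day "freshly issued" window are assumptions chosen for illustration; the article does not state the age of the Fox Tempest certificates.

```powershell
<#
Added example, not code from the article or from Microsoft DCU.
Audits executables under a directory and reports signer details plus heuristic flags.
Assumptions (illustrative, not from the article):
  - $TrustedThumbprints is a list of SHA-1 thumbprints of publisher certificates you have vetted.
  - $FreshCertDays marks certificates issued within that window as worth a second look.
#>
function Get-SignerAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedThumbprints = @(),
        [int] $FreshCertDays = 30
    )

    $now = Get-Date

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate
        $flags = @()

        # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # Anything other than Valid or NotSigned means the signature is present but broken or untrusted.
        if ($sig.Status -ne 'Valid' -and $sig.Status -ne 'NotSigned') {
            $flags += "bad-signature:$($sig.Status)"
        }

        if ($cert) {
            # A chain to a trusted root says nothing about whether you know this publisher.
            if ($sig.Status -eq 'Valid' -and $cert.Thumbprint -notin $TrustedThumbprints) {
                $flags += 'signed-but-unvetted-publisher'
            }
            # Freshly issued signing certificates deserve scrutiny (assumed heuristic, not an article claim).
            if (($now - $cert.NotBefore).TotalDays -le $FreshCertDays) {
                $flags += 'recently-issued-cert'
            }
        }

        [pscustomobject]@{
            File       = $file.FullName
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject }    else { $null }
            Issuer     = if ($cert) { $cert.Issuer }     else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
            Flags      = ($flags -join ',')
        }
    }
}

# Example run (assumed path and an assumed, placeholder thumbprint):
Get-SignerAudit -Path 'C:\Users\Public\Downloads' `
                -TrustedThumbprints @('0000000000000000000000000000000000000000') |
    Where-Object { $_.Flags } |
    Sort-Object NotBefore -Descending |
    Format-Table File, Status, Subject, NotBefore, Flags -AutoSize
```

Run it against a quarantine or downloads folder rather than System32, since almost everything there will be signed by a publisher you have not explicitly listed. The point of the allowlist is to turn "signed" into "signed by someone we decided to trust"; a result of Valid with the signed-but-unvetted-publisher flag is exactly the case the article describes, a binary that looks legitimate to a filter but whose publisher nobody on your side has ever heard of.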

Malware Families Linked

Fox Tempest’s operation — which included an authenticated portal and a drag-and-drop feature for rapid code signing — was directly linked to dozens of malware families, including Oyster, Lumma Stealer, MuddyWater, and Vidar.

Delivery Vectors

Ransomware operators primarily delivered the fraudulently signed software through malicious ads and SEO poisoning, pushing trojanized installers and infostealers to the top of search results so that victims believed they were downloading legitimate applications.

Geographic Targeting

Fox Tempest targeted organizations across the US, France, India, China, Brazil, Germany, Japan, the UK, Italy, and Spain.

Partners in the Action

Microsoft coordinated with Europol’s European Cybercrime Centre (EC3), the FBI, and cybersecurity firm Resecurity, whose intelligence helped map how Fox Tempest operated.

Microsoft’s Broader Posture

Microsoft acknowledged that threat actors will likely attempt to rebuild, and stated they will continue applying pressure through intelligence sharing and partnerships with other code-signing services to harden the ecosystem against similar abuse.
