Microsoft unsealed a legal case in the US District Court for the Southern District of New York targeting a cybercrime service known as Fox Tempest, which, starting in May 2025, enabled cybercriminals to deliver malware disguised as legitimate software and enable ransomware and other attacks, infecting thousands of machines and compromising networks worldwide.
Building upon ongoing internal efforts to revoke fraudulently obtained code-signing certificates to disrupt the service, agents of Microsoft’s Digital Crimes Unit (DCU) seized Fox Tempest’s website, took hundreds of the virtual machines running the operation offline, and blocked access to a site hosting the underlying code.
According to Microsoft, “the lawsuit targeted Fox Tempest’s infrastructure and also named Vanilla Tempest as a co-conspirator, a prominent ransomware group that used the service to deploy malware like Oyster, Lumma Stealer, and Vidar, and ransomware, including Rhysida, in multiple recent cyberattacks.”
One example of a malware attack enabled by Fox Tempest was a fake landing page to download Microsoft’s own Teams software.

Scope of attacks
Co-conspirator Vanilla Tempest has targeted schools, hospitals, and other critical organizations worldwide, while Rhysida, a highly evolved ransomware variant that both encrypts files and steals data, often used for double extortion, has been used by various actors in numerous high-profile attacks globally, including to steal and leak internal documents from the British Library and to disrupt operations at Seattle-Tacoma International Airport. Microsoft’s investigation further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others.
According to reporting by Infosecurity Magazine, countries that were most targeted by attacks that were enabled by Fox Tempest included the United States, France, India, China, Brazil, Germany, Japan, the UK, Italy and Spain.
Microsoft was able to identify and work directly with a reseller of Fox Tempest’s technology, who informed Microsoft how to purchase instances of the “malware-signing-as-a-service” and their cost, which ranged from $5,000 to $9,500, and listed the kinds of information that applicants provided to the operators of Fox Tempest.
How it worked
Fox Tempest’s business model was to sell fraudulent code-signing capability, let others package malware, and enable attacks downstream. The model has generated millions in financial profit.
Infosecurity Magazine said that Fox Tempest used Artifact Signing, a system that Microsoft introduced in 2024 as Trusted Signing, which is used by developers to verify that software is legitimate.

According to Microsoft, “the operators built access at scale. Using fabricated identities and impersonating legitimate organizations, they created hundreds of fraudulent Microsoft accounts to obtain real code-signing credentials in volume. Customers who paid for Fox Tempest’s services could then upload malicious files via an online portal for them to be signed using Fox Tempest-controlled certificates. Cybercriminals paid thousands of dollars for the service.”
The takedown
The service was hosted by legitimate hosting providers located in Europe and the UAE. In early May, Microsoft filed a request with the US District Court for the Southern District of New York, which quickly granted a court order allowing Microsoft to transfer Fox Tempest’s malicious domains to Microsoft. Microsoft took down about 1,000 accounts and suspended Fox Tempest’s repository.
Microsoft also collaborated closely with Europol’s European Cybercrime Centre (EC3) and the US Federal Bureau of Investigation (FBI).
Not the last roundup
Microsoft’s goal was to reduce the success rate of attacks like these, making it more difficult and more expensive for cybercriminals to conduct attacks.
Microsoft cautioned that this takedown doesn’t end the problem. “When you take that capability away, you’re making it harder and more expensive for these criminals to operate,” said Steven Masada, global head of Microsoft’s digital crimes unit. “But this isn’t one and done. These actors will adapt.”
Why it matters
This case underscores how technical operations that complement piracy have gone from pranks by individual hackers to become sophisticated large-scale services operated by cybercriminal teams on a worldwide basis. In turn, services like Fox Tempest have become parts of a global ecosystem “where services are bought and sold and interoperate with one another.” Further weaponizing the process, AI is being used to optimize these services and make them more scalable.
It’s also an example of a coordinated response that included industry partners and law enforcement organizations. Microsoft worked with organizations ranging from
Further reading
Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware. Article. May 19, 2026. by Steven Masada, Assistant General Counsel. Digital Crimes Unit. Microsoft Corp.
Microsoft takes down Fox Tempest for providing ransomware-enabling signing tool. Article. May 19, 2026. by Kevin Poireault, Reporter. Infosecurity Magazine.
Microsoft disrupts service selling fake certificates to ransomware gangs. Article. May 19, 2026. By Sam Sabin. Axios








