June 19, 2026
Industrial Cyber reports that Microsoft has disrupted Fox Tempest, a malware-signing-as-a-service platform that helped ransomware groups and other cybercriminals make malicious software appear legitimate. Active since May 2025, the service abused Microsoft’s code-signing infrastructure by using fraudulent accounts, fabricated identities, and impersonated organizations to obtain real signing credentials. Microsoft linked the platform to ransomware actors and malware families including Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, and Akira, with victims including schools, hospitals, and critical organizations worldwide.
Microsoft’s Digital Crimes Unit seized the Fox Tempest website, took hundreds of virtual machines offline, blocked access to code-hosting infrastructure, revoked fraudulent certificates, removed accounts, and unsealed a U.S. court case naming Vanilla Tempest as a co-conspirator. The article presents Fox Tempest as part of a broader industrialized cybercrime ecosystem, where specialized services are bought and sold to make attacks easier, harder to detect, and more scalable. Microsoft said the goal was not only to stop one actor, but to degrade a key cybercrime enabler by increasing cost, friction, and operational risk for ransomware groups.
Source: Industrial Cyber