Fox Tempest
Coverage of Fox Tempest in the Nexus archive.
- Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
Microsoft disrupted a malware-signing-as-a-service operation that delivered malicious code and conducted ransomware attacks, compromising thousands of machines worldwide. The operation was attributed to Fox Tempest, a threat actor that offered the MSaaS scheme. Microsoft's action aimed to prevent further attacks.
- Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
Microsoft shut down an illegal code-signing operation used by ransomware criminals to mask their malware, seizing websites and taking down hundreds of virtual machines running the service. The operation, called Fox Tempest, abused Microsoft's Artifact Signing code-signing service, selling code-signing certificates to other criminals for thousands of dollars. This allowed ransomware groups to make their malware appear legitimate to Windows and users.
- Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs
Microsoft disrupted Fox Tempest, a malware-signing-as-a-service platform tied to ransomware gangs, by unsealing a legal case in U.S. District Court. The platform has operated since May 2025 and provides cybercriminals with code signing tools. This disruption is a significant blow to ransomware gangs.
- Microsoft disrupts cybercrime service that abused software verification systems en masse
Microsoft disrupted a cybercrime service called Fox Tempest that created and sold code-signing certificates to make malware appear legitimate. The service was used by multiple ransomware groups and had a global impact. Microsoft seized infrastructure and dismantled the operation after tracking it since September 2025.