New Microsoft research disclosed the disruption of a cybercrime operation known as Fox Tempest, a malware-signing-as-a-service (MSaaS) platform that enabled ransomware gangs and other threat actors to disguise malicious software as legitimate applications. Active since May 2025, the service was used to infect thousands of machines and compromise networks worldwide through fraudulent abuse of Microsoft’s code-signing infrastructure. Microsoft linked the operation to ransomware actors, including Vanilla Tempest, and malware families such as Oyster, Lumma Stealer, Vidar, INC, Qilin, and Akira.
The company said organizations targeted by the campaigns included schools, hospitals, and other critical entities across multiple regions. Microsoft also tied the Rhysida ransomware strain, which is associated with the operation, to high-profile attacks. Microsoft added that the broader abuse of illicit code-signing services has also been observed in attacks targeting critical infrastructure organizations in Europe, underscoring the increasingly global and industrialized nature of the cybercrime ecosystem.
Microsoft is working closely with cybersecurity firm Resecurity to understand how Fox Tempest operates, while also coordinating with Europol’s European Cybercrime Centre and the Federal Bureau of Investigation.
Read the rest of the story at Industrial Cyber.



