Full Report
New Microsoft research disclosed disruption of a cybercrime operation known as Fox Tempest, a malware-signing-as-a-service (MSaaS) platform that... The post Microsoft dismantles Fox Tempest cybercrime platform tied to ransomware attacks on hospitals, critical organizations appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Fox Tempest
## Attribution & Identity
**Fox Tempest** is a cybercrime operation identified as a **malware-signing-as-a-service (MSaaS)** platform. Unlike a traditional ransomware group, it functions as an infrastructure provider that enables other threat actors to bypass security controls by providing illicit code-signing services.
**Associated Groups:**
* **Vanilla Tempest:** A ransomware-associated threat actor.
* **Ransomware Gangs:** INC, Qilin, Akira, and Rhysida.
* **Partnerships:** Microsoft has coordinated with Resecurity, Europol’s European Cybercrime Centre, and the FBI to investigate this actor.
## Activity Summary
Active since **May 2025**, Fox Tempest provided a platform for malware developers to disguise malicious software as legitimate applications. In **February 2026**, the group evolved its infrastructure by shifting to third-party-hosted virtual machines to scale operations. The service was disrupted in **May 2026** through a coordinated effort by Microsoft to seize domains and take down hundreds of virtual machines.
## Tactics, Techniques & Procedures
* **Malware-Signing-as-a-Service (MSaaS):** Providing infrastructure to sign malicious files with stolen or fraudulently obtained digital certificates to bypass endpoint detection and response (EDR) systems.
* **Fraudulent Code-Signing Infrastructure:** Exploiting Microsoft’s code-signing ecosystem to gain legitimacy for malware.
* **Infrastructure Adaptation:** Utilizing networks of third-party-hosted virtual machines (VMs) to maintain persistence and scale operations despite disruption attempts.
* **Customer Migration:** Attempting to transition its user base to alternative code-signing services when primary operations are targeted by law enforcement.
## Targeting
* **Sectors:** Schools, hospitals, critical infrastructure, and government sectors.
* **Geography:** Worldwide targeting; specifically noted for campaigns affecting critical infrastructure in **Europe** and organizations across multiple global regions.
* **Victims:** While specific organization names were not listed (other than general categories like "hospitals"), the platform enabled attacks by high-profile ransomware strains like Rhysida and Akira.
## Tools & Infrastructure
* **Malware Families Served:**
  * **Stealers:** Lumma Stealer, Vidar.
  * **Loaders/Backdoors:** Oyster.
  * **Ransomware:** INC, Qilin, Akira, Rhysida.
* **Infrastructure:**
  * **Seized Domain:** signspace[.]cloud
  * **Compute:** Hundreds of virtual machines (VMs) used as backend infrastructure.
## Implications
The existence of Fox Tempest underscores a highly specialized and "industrialized" cybercrime economy. By lowering the barrier to entry for malware deployment (through MSaaS), Fox Tempest allowed multiple ransomware groups to infect thousands of machines globally. Its ability to quickly adapt infrastructure demonstrates the resilience of modern cybercrime platforms against standard takedown efforts.
## Mitigations
* **Certificate Validation:** Implement strict policies for checking the reputation and validity of digital certificates on all executable files.
* **Revocation List Monitoring:** Ensure systems are regularly updating Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses.
* **Application Control:** Use Windows Defender Application Control (WDAC) or AppLocker to restrict execution to only explicitly trusted publishers, rather than trusting all signed software.
* **Endpoint Detection:** Deploy EDR solutions capable of detecting behavioral anomalies (e.g., a signed file performing credential theft) rather than relying solely on signature validity.
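As an added example (not part of the report, and not Microsoft's tooling), the following PowerShell script applies the Certificate Validation, Revocation List Monitoring and Application Control points above to files on disk: it audits executables under a path and flags anything that is unsigned, has a broken signature, is signed by a publisher outside an explicit allowlist, or whose signer chain fails online revocation checking. The scan path and the allowlisted subject are placeholders to replace with your own values.

```powershell
# Added example, not from the original report. Audits executables under $ScanPath.
# A valid Authenticode signature alone is not treated as trust (the MSaaS model
# defeats exactly that assumption); the signer must also be on an explicit
# allowlist and its chain must pass an online CRL/OCSP revocation check.
param(
    [string]$ScanPath = 'C:\Program Files',          # placeholder path
    # Hypothetical allowlist: replace with the exact signer subjects your org trusts.
    [string[]]$TrustedSubjects = @(
        'CN=Example Publisher, O=Example Publisher Inc, L=Redmond, S=Washington, C=US'
    )
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'      # force a fresh CRL/OCSP lookup
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $oid = New-Object System.Security.Cryptography.Oid $codeSigningEku
    $chain.ChainPolicy.ApplicationPolicy.Add($oid) | Out-Null
    $built = $chain.Build($Cert)
    # Get-AuthenticodeSignature already accepted the signing time (via timestamp),
    # so NotTimeValid on an expired-but-timestamped signer is not a finding here.
    # Anything else (Revoked, RevocationStatusUnknown, OfflineRevocation, ...)
    # is treated as a failure: "could not check" must not mean "trusted".
    $problems = @($chain.ChainStatus | Where-Object { $_.Status -ne 'NotTimeValid' } |
                  ForEach-Object { $_.Status.ToString() })
    [pscustomobject]@{ Ok = ($built -or $problems.Count -eq 0) -and $problems.Count -eq 0
                       Problems = ($problems -join ',') }
}

Get-ChildItem -Path $ScanPath -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $verdict = switch ($sig.Status) {
        'NotSigned' { 'UNSIGNED' }
        'Valid'     { 'OK' }
        default     { "BAD_SIGNATURE:$($sig.Status)" }
    }
    if ($sig.Status -eq 'Valid') {
        if ($TrustedSubjects -notcontains $sig.SignerCertificate.Subject) {
            $verdict = 'UNTRUSTED_PUBLISHER'      # signed, but not by an allowlisted signer
        } else {
            $rev = Test-SignerRevocation -Cert $sig.SignerCertificate
            if (-not $rev.Ok) { $verdict = "REVOCATION_FAIL:$($rev.Problems)" }
        }
    }
    [pscustomobject]@{ Path = $_.FullName; Verdict = $verdict
                       Signer = $sig.SignerCertificate.Subject
                       Thumbprint = $sig.SignerCertificate.Thumbprint }
} | Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize
```

Any row reported as UNTRUSTED_PUBLISHER or REVOCATION_FAIL is a candidate for an explicit WDAC/AppLocker publisher rule decision rather than implicit trust, and the thumbprint column gives the value to pivot on in EDR telemetry.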