Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
Summary
Microsoft filed a civil action against Fox Tempest in the US District Court for the Southern District of New York, securing a court order that enabled a broad disruption of the group's cybercrime infrastructure. The action moved malicious domains to a Microsoft-owned sinkhole, disabled hundreds of virtual machines, and took down about 1,000 accounts. Microsoft says Fox Tempest sold malware-signing-as-a-service and supported Rhysida ransomware and other malware operations. The case matters because it targets an upstream enabler in the cybercrime supply chain rather than a single downstream attack.
Related Happenings
Charter Communications hit by network compromise linked to ShinyHunters
Incident
First: 26.05.2026 22:46
Last: 26.05.2026 22:46
Sources 1
About this happening:
**Charter Communications** confirmed a **data breach** tied to **ShinyHunters** extortion, raising the risk of customer-data exposure and active follow-on pressure. The company sa...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
TA551 campaign expands across multiple victims
Campaign
First: 25.03.2026 10:47
Last: 25.03.2026 10:47
Sources 1
About this happening:
The **TA551 / Mario Kart** operation ran a **massive spam-email malware campaign** that spread infections worldwide and enabled later access sales to ransomware crews. At peak, it...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Timeline
- 19.05.2026 18:00 · 1 article · 8d ago
Microsoft files civil action against Fox Tempest
Legal Policy Action Update
Microsoft files a civil action against Fox Tempest in the US District Court for the Southern District of New York, starting a court-backed effort against a malware-signing-as-a-service operator linked to Rhysida ransomware support and other malware enablement.
- Microsoft Takes Down Fox Tempest for Providing Ransomware-Enabling Signing Tool — www.infosecurity-magazine.com — 19.05.2026 18:00
- 19.05.2026 18:00 · 1 article · 8d ago
Court order enables Fox Tempest infrastructure takedown
Mitigation Patch Update
Three days after the filing, a court order enables Microsoft to move Fox Tempest's malicious domains to a Microsoft-owned sinkhole, disable hundreds of Cloudzy-hosted virtual machines with provider help, take down about 1,000 accounts, and suspend the threat actor's repository.
- Microsoft Takes Down Fox Tempest for Providing Ransomware-Enabling Signing Tool — www.infosecurity-magazine.com — 19.05.2026 18:00
- 19.05.2026 18:00 · 2 articles · 8d ago
Microsoft publicly unseals Fox Tempest case and disruption details
Initial Disclosure
Microsoft publicly unseals the Fox Tempest case on May 19, 2026 and says its Digital Crimes Unit used undercover personas, identified the group's infrastructure, worked with hosting providers, and coordinated with the FBI and Europol's European Cybercrime Centre (EC3) to identify the people behind the group.
- Microsoft Takes Down Fox Tempest for Providing Ransomware-Enabling Signing Tool — www.infosecurity-magazine.com — 19.05.2026 18:00
- Microsoft Takes Down Fox Tempest for Providing Ransomware-Enabling Signing Tool — www.infosecurity-magazine.com — 19.05.2026 18:00