Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

Microsoft filed a civil action against Fox Tempest in the US District Court for the Southern District of New York, securing a court order that enabled a broad disruption of the group's cybercrime infrastructure. The action moved malicious domains to a Microsoft-owned sinkhole, disabled hundreds of virtual machines, and took down about 1,000 accounts. Microsoft says Fox Tempest sold malware-signing-as-a-service and supported Rhysida ransomware and other malware operations. The case matters because it targets an upstream enabler in the cybercrime supply chain rather than a single downstream attack.

Related Happenings

Operation Endgame takedown of Amadey and StealC infrastructure

Law Enforcement
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...

Microsoft hit by cyberattack

Incident
H score68 First: 09.06.2026 18:42 Last: 09.06.2026 18:42 Sources 1

About this happening: A **Microsoft** GitHub repository removal incident in **June 2026** disrupted **continuous integration pipelines** and briefly broke **Azure/functions-action** workflows used by d...

Charter Communications hit by network compromise linked to ShinyHunters

Incident
H score70 First: 26.05.2026 22:46 Last: 26.05.2026 22:46 Sources 1

About this happening: **Charter Communications** confirmed a **data breach** tied to **ShinyHunters** extortion, with the company saying it is **alerting authorities** and that **no sensitive personal...

Latest development: 29.05.2026 11:29

Have I Been Pwned analyzed leaked Charter Communications data and confirmed that the incident affected 4.9 million accounts, with exposed records including names, email addresses, job titles, phone numbers, and physical addresses. The published data also included a subset of about 85,000 records from an internal employee directory.

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Timeline

  1. 19.05.2026 18:00 1 articles · 1mo ago

    Microsoft files civil action against Fox Tempest

    Legal Policy Action Update

    Microsoft files a civil action against Fox Tempest in the US District Court for the Southern District of New York, starting a court-backed effort against a malware-signing-as-a-service operator linked to Rhysida ransomware support and other malware enablement.

    Show sources
  2. 19.05.2026 18:00 1 articles · 1mo ago

    Court order enables Fox Tempest infrastructure takedown

    Mitigation Patch Update

    Three days after the filing, a court order enables Microsoft to move Fox Tempest's malicious domains to a Microsoft-owned sinkhole, disable hundreds of Cloudzy-hosted virtual machines with provider help, take down about 1,000 accounts, and suspend the threat actor's repository.

    Show sources
  3. 19.05.2026 18:00 2 articles · 1mo ago

    Microsoft publicly unseals Fox Tempest case and disruption details

    Initial Disclosure

    Microsoft publicly unseals the Fox Tempest case on May 19, 2026 and says its Digital Crimes Unit used undercover personas, identified the group's infrastructure, worked with hosting providers, and coordinated with the FBI and Europol's European Cybercrime Centre (EC3) to identify the people behind the group.

    Show sources