Microsoft Dismantles ‘Fox Tempest’ Service Selling Fraudulent Code‑Signing Certificates

The move targets an upstream supplier that made ransomware look legitimate.

Overview

  • Microsoft, which announced the disruption Tuesday, seized domains, took hundreds of virtual machines offline, and removed more than 1,000 accounts tied to Fox Tempest.
  • A civil suit filed May 5 in the Southern District of New York led to a court order that let Microsoft sinkhole the group’s domains and block access to its code repository.
  • Investigators say the service forged identities to abuse Microsoft’s Artifact Signing, creating short‑lived certificates that made malicious files look safe, and Microsoft has revoked over 1,000 of those certificates.
  • Microsoft links the service to ransomware operators such as Rhysida and several Storm affiliates and to malware like Oyster, Lumma, MuddyWater, and Vidar; victims span healthcare, education, government, and finance, with the most affected countries being the United States, France, India, and China.
  • Microsoft is working with the FBI and Europol’s European Cybercrime Centre to identify the operators and says the takedown should raise costs for attackers who rely on search ads and SEO tricks to spread malware.