www.infosecurity-magazine.com 5/19/2026, 3:10:35 PM

Microsoft seizes Fox Tempest domains after undercover operation


MICROSOFT has cracked down on Fox Tempest, a financially motivated group that fuelled Rhysida ransomware and helped develop tools for strains such as Oyster, Lumma Stealer and Vidar. On 19 May 2026 the company unsealed a US district court case in the Southern District of New York and disclosed how its Digital Crimes Unit engaged with Fox Tempest’s operators using undercover personas, identified the group’s infrastructure and disrupted its operations.

The DCU moved its infrastructure earlier in 2026, shifted to Cloudzy in January, and after filing on 5 May 2026 secured a court order three days later, transferring the group’s domains to a Microsoft-owned sinkhole and taking down hundreds of accounts. Fox Tempest sold a “malware-signing-as-a-service” tool that allowed other criminals to disguise malware as legitimate software, with three purchase options ranging from $5,000 to $9,500.

Microsoft is now working with the FBI and Europol’s EC3 to uncover the identities behind the group, according to Infosecurity Magazine. Rhysida is named as a co-conspirator in the lawsuit and has been linked to attacks spanning 2023 to April 2026, including incidents affecting schools, hospitals and critical infrastructure.


Article by CyberSIXT
