Microsoft on Tuesday said it disrupted Fox Tempest, a cybercrime operation that helped ransomware gangs hide malware behind legitimate software.
Fox Tempest operated a malware signing-as-a-service operation, which abused code-signing tools that verify the authenticity of commercial software.
Ransomware gangs and other criminal actors abused these tools, including Microsoft’s Artifact Signing, to sign their malware so that it appeared to be legitimate software, as part of wider campaigns to launch ransomware attacks.
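The defensive lesson in the paragraphs above is that a valid code signature proves only that a trusted key signed the file, not that the signer should be trusted to run code on your systems. The PowerShell script below is an added example, not code from Microsoft or from the article, that inventories validly signed binaries under a directory tree and flags those whose signer is not on an organisation's allowlist or whose certificate was issued very recently. The `$AllowedSubjects` list, the `$Root` path and the `$MaxCertAgeDays` threshold are constructed placeholders to be replaced with your own values.

```powershell
# Added example (not from the article): find validly signed executables whose
# signer an organisation has not explicitly approved. Uses only the built-in
# Get-AuthenticodeSignature cmdlet and standard X509Certificate2 properties.
param(
    [string]$Root = "$env:ProgramData",          # directory tree to scan (assumed)
    [string[]]$AllowedSubjects = @(              # constructed allowlist of approved signer subjects
        'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
        'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    ),
    [int]$MaxCertAgeDays = 30                    # constructed threshold for "recently issued" certificates
)

$findings = foreach ($file in Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll,*.msi -File -ErrorAction SilentlyContinue) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # Unsigned or broken signatures are a separate problem; this check is about
    # files that pass signature validation yet should still be questioned.
    if ($sig.Status -ne 'Valid') { continue }

    $cert = $sig.SignerCertificate
    $reasons = @()

    # Signed by someone outside the approved list.
    if ($AllowedSubjects -notcontains $cert.Subject) {
        $reasons += 'signer not on allowlist'
    }

    # Certificates minted shortly before the file appeared deserve a second look;
    # the threshold is a local policy choice, not a rule from the article.
    if ($cert.NotBefore -gt (Get-Date).AddDays(-$MaxCertAgeDays)) {
        $reasons += "certificate issued within last $MaxCertAgeDays days"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path       = $file.FullName
            Signer     = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            TimeStamped = [bool]$sig.TimeStamperCertificate
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Run it as `.\Find-UnapprovedSigners.ps1 -Root 'C:\Users\Public'` (script name assumed) and feed the output into whatever allowlisting or EDR workflow you already use. The allowlist is keyed on the certificate subject for readability; keying on thumbprint is stricter, since a subject string can be reproduced by a different certificate.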
Through a legal filing with the U.S. District Court for the Southern District of New York, Microsoft was able to disrupt the Fox Tempest website, take hundreds of virtual machines offline and block access to a website that hosted the operation’s underlying code.
The legal filing also named the Vanilla Tempest ransomware group as a co-conspirator. Vanilla Tempest allegedly used the service to deliver malware like Lumma Stealer, Oyster and Vidar, as well as Rhysida ransomware, in a number of recent attacks, according to the Microsoft blog.
Microsoft said it coordinated its efforts with the FBI and Europol’s European Cybercrime Centre. It is not immediately clear whether any arrests or other legal proceedings were part of the disruption.
Rhysida ransomware has been used in a number of high-profile attacks, including one against the British Library and a 2024 attack targeting Seattle-Tacoma International Airport. Microsoft said its investigation also connected Vanilla Tempest to other cybercrime groups, including INC, Qilin and Akira.
The operation has been linked to attacks targeting various sectors, including education, healthcare, government agencies and financial services, according to Microsoft. Victims have been targeted in various countries, including the U.S., France, India and China.
A spokesperson for the FBI was not immediately available for comment.