ctipilot.ch

Home · Live brief · Weekly 2026-W21

Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira

notable synthesis discovered 2026-05-18 05:00 UTC single-source

Entities: Fox Tempest Akira

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Microsoft Threat Intelligence and the Digital Crimes Unit disrupted Fox Tempest, a malware-signing-as-a-service operation that supplied code-signing to multiple ransomware operations (daily 2026-05-20). Status: disrupted via combined intelligence exposure and a sealed US legal action. The defender takeaway is that code-signing trust on binaries attributable to Rhysida/INC/Qilin/Akira tooling should not be treated as a benign signal — the signing pipeline was a criminal service.

ransomware supply-chain law-enforcement organized-crime identity global europe