Fox Tempest
Financially motivated threat actor tracked under the Microsoft Tempest naming convention.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 LowAttribution signals
10 mentions · 4 sources"Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest."
"Microsoft Threat Intelligence assesses that Fox Tempest is a well-resourced group handling infrastructure creation, customer r"
"Microsoft Threat Intelligence has linked the actor to various ransomware groups including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, who have all leveraged Fox Tempest-signed malware in active intrusions."
"Microsoft linked Fox Tempest-enabled activity to ransomware and malware operations involving Vanilla Tempest, Rhysida, Oyster, Lumma Stealer, Vidar, INC, Qilin, Akira, and other families or affiliates."
"Microsoft Threat Intelligence has tracked Fox Tempest since September 2025. Microsoft Threat Intelligence has linked the actor to various ransomware groups including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, who have all leveraged Fox Tempest-signed malware in active intrusions."
"Microsoft Threat Intelligence assesses that Fox Tempest is a well-resourced group handling infrastructure creation"
"Microsoft Threat Intelligence has tracked Fox Tempest since September 2025."
Hedge terms observed