Microsoft revoked 200+ certificates used by Vanilla Tempest to sign fake Teams installers spreading Oyster backdoor and Rhysida ransomware.
Microsoft revoked over 200 certificates used by the cybercrime group Vanilla Tempest (aka VICE SPIDER and Vice Society) to sign fake Teams installers spreading the Oyster backdoor and Rhysida ransomware.
The threat actor has been active since July 2022 and has been observed targeting organizations in the education, healthcare, IT, and manufacturing sectors. The group has employed various ransomware payloads in its attacks, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The threat actor uses Remote Desktop Protocol (RDP) for lateral movement and deploys the INC ransomware payload through the Windows Management Instrumentation Provider Host.
“In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” states Microsoft. “We identified this Vanilla Tempest campaign in late September 2025, following several months of the threat actor using fraudulently signed binaries in attacks.”
Microsoft also announced that it has added indicators of compromise (IoCs) to Defender Antivirus to detect the fake setup files, ensuring that Defender for Endpoint can detect Vanilla Tempest TTPs.
In this campaign, Vanilla Tempest distributed fake MSTeamsSetup.exe installers hosted on domains mimicking Microsoft Teams, such as teams-download[.]buzz and teams-install[.]run. Victims were lured to the malicious download sites through SEO poisoning. Executing the fake installers deployed a loader that installed a fraudulently signed Oyster backdoor, which has been active since June 2025 and signed since September. The group abused Trusted Signing, SSL[.]com, DigiCert, and GlobalSign services to sign the malicious files and post-compromise tools.
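As an added defender-side example (not code from the article or from Microsoft), the following Python scans web-proxy log lines for downloads of MSTeamsSetup.exe from hosts outside an assumed Microsoft allowlist and refangs the two defanged domains above for exact matching; the log lines and the allowlist of Microsoft domains are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article, kept defanged; refanged for matching below.
DEFANGED_IOCS = ["teams-download[.]buzz", "teams-install[.]run"]
IOC_HOSTS = {ioc.replace("[.]", ".").lower() for ioc in DEFANGED_IOCS}
# Assumed allowlist of domains Microsoft serves Teams from (not from the article).
MICROSOFT_SUFFIXES = ("microsoft.com", "office.com", "office.net")
INSTALLER_RE = re.compile(r"/MSTeamsSetup[^/]*\.exe$", re.IGNORECASE)

def is_microsoft_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)

def classify_url(url):
    """Return an alert label for a downloaded URL, or None if it looks benign."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return None
    if host in IOC_HOSTS:
        return "known_ioc_domain"
    if is_microsoft_host(host):
        return None  # genuine Microsoft host: no alert
    if INSTALLER_RE.search(parsed.path):
        return "teams_installer_from_non_microsoft_host"
    if "teams" in host:
        return "teams_lookalike_domain"
    return None

# Constructed proxy log lines: "<time> <client_ip> <method> <url> <status>"
SAMPLE_LOGS = [
    "2025-10-01T09:12:03Z 10.0.0.14 GET https://statics.teams.cdn.office.net/x64/MSTeamsSetup.exe 200",
    "2025-10-01T09:14:51Z 10.0.0.22 GET https://teams-download.buzz/MSTeamsSetup.exe 200",
    "2025-10-01T09:15:10Z 10.0.0.22 GET https://teams-install.run/download 200",
    "2025-10-01T09:20:44Z 10.0.0.31 GET https://cdn.example.net/MSTeamsSetup_x64.exe 200",
    "2025-10-01T09:21:00Z 10.0.0.31 GET https://teams-updates.example/index.html 200",
]

def scan_logs(lines):
    """Return (client_ip, url, label) for every line that trips a rule."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash
        label = classify_url(parts[3])
        if label:
            hits.append((parts[1], parts[3], label))
    return hits
```

Exact IoC matches fire first so a revoked-certificate campaign domain is never masked by the installer or lookalike heuristics, while the allowlist keeps the genuine Teams CDN quiet.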
“Fully enabled Microsoft Defender Antivirus blocks this threat. In addition to detections, Microsoft Defender for Endpoint has additional guidance for mitigating and investigating this attack. While these protections help secure our customers, we’re sharing this intelligence broadly to help strengthen defenses and improve resilience across the entire cybersecurity community,” concludes the announcement.
(SecurityAffairs – hacking, Microsoft)