Microsoft announced that it had revoked more than 200 digital certificates exploited by the notorious Vanilla Tempest hacking group.
This action effectively disrupted an ongoing campaign where attackers impersonated Microsoft Teams installations to infiltrate corporate networks and deploy ransomware.
The operation, uncovered in late September, highlights the evolving tactics of ransomware operators who leverage legitimate-looking software to bypass security defenses.
Vanilla Tempest, also tracked by cybersecurity firms as VICE SPIDER and Vice Society, has emerged as a persistent menace in the ransomware landscape.
This financially driven actor specializes in data exfiltration for extortion, often pairing theft with encryption attacks to maximize payouts.
Over the years, the group has wielded a variety of ransomware strains, including BlackCat, Quantum Locker, and Zeppelin. However, in recent months, Rhysida ransomware has become their weapon of choice, targeting sectors like healthcare, education, and manufacturing for high-impact disruptions.
Fake Teams Downloads Via Search Engines
The latest campaign preyed on unsuspecting users seeking legitimate Microsoft Teams updates. Attackers hosted counterfeit MSTeamsSetup.exe files on deceptive domains such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.
These sites likely gained traction through search engine optimization (SEO) poisoning, where manipulated search results direct victims to malicious downloads instead of official Microsoft resources.
Once executed, the bogus installers unleashed a multi-stage payload. An initial loader paved the way for the Oyster backdoor, a versatile malware tool that Vanilla Tempest began integrating into operations as early as June 2025.
By early September, the group had made the campaign stealthier by fraudulently signing these backdoors and loaders with stolen or misused certificates from reputable providers like Trusted Signing, SSL.com, DigiCert, and GlobalSign.
A valid signature lent the files an air of authenticity, helping them evade both antivirus software and user scrutiny. From there, the infection chain culminated in Rhysida ransomware deployment, locking files and demanding ransoms while exfiltrating sensitive data for leverage.
Microsoft’s response was multifaceted. Beyond certificate revocation, the company bolstered its defenses through Microsoft Defender Antivirus, which now identifies and blocks the fake setup files, the Oyster backdoor, and Rhysida ransomware variants.
For enterprise users, Microsoft Defender for Endpoint offers behavioral detections tailored to Vanilla Tempest’s tactics, techniques, and procedures (TTPs), including anomalous network activity and privilege escalations.
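Revocation only protects an endpoint if the signer's chain is actually checked against the issuer's revocation data before the file is trusted. The following PowerShell function is an added example, not code from the article or from Microsoft: it verifies an installer's Authenticode signature, then rebuilds the signing chain with online revocation checking forced on, and flags any publisher other than the expected one. The expected-publisher pattern and the file path in the usage line are assumptions.

```powershell
# Added example (not from the article or Microsoft). Verifies an installer's Authenticode
# signature, then rebuilds the signer's chain with revocation checking across the whole chain,
# so a file signed with a certificate the issuer has since revoked is rejected even though the
# signature itself still verifies cryptographically.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: a genuine Teams installer is signed by Microsoft Corporation.
        [string]$ExpectedSubjectPattern = 'O=Microsoft Corporation'
    )

    $result = [ordered]@{ Path = $Path; Trusted = $false; Signer = $null; Reasons = @() }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "Authenticode status: $($sig.Status) ($($sig.StatusMessage))"
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # Rebuild the chain with online revocation checking for every certificate in it.
    # Verification uses the current time, so an expired (even if timestamped) signer also
    # fails; for a freshly downloaded installer that is the behaviour we want.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $chainOk = $chain.Build($cert)
    if (-not $chainOk) {
        # Revoked, RevocationStatusUnknown, OfflineRevocation, etc. all land here.
        foreach ($s in $chain.ChainStatus) {
            $result.Reasons += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
    $chain.Dispose()

    # A validly signed, unrevoked file is still suspect if the publisher is not the one
    # users expect for this product (the campaign's files were signed, just not by Microsoft).
    if ($cert.Subject -notmatch $ExpectedSubjectPattern) {
        $result.Reasons += "Signer '$($cert.Subject)' does not match expected publisher"
    }

    $result.Trusted = ($chainOk -and $result.Reasons.Count -eq 0)
    return [pscustomobject]$result
}

# Usage (path is an assumption): inspect a downloaded installer before running it.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

A result with Trusted set to False and a Chain: Revoked reason is exactly what a file signed with one of the revoked certificates should now produce; a Trusted result with an unexpected Signer is the case the publisher check exists to catch.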
This incident underscores the risks of supply chain-style attacks in everyday software updates. As remote work tools like Teams remain essential, attackers continue to exploit trust in familiar brands.
Microsoft’s proactive revocation prevented further abuse of the compromised certificates, but experts warn that similar tactics could resurface with new signing authorities.