Vanilla Tempest Campaign Using Fraudulent Code-Signing Disrupted

Microsoft said it disrupted a high-volume campaign in October after discovering a coordinated effort by the ransomware group known as Vanilla Tempest to weaponize fraudulently signed installers that impersonated Microsoft Teams.

The company revoked more than 200 code-signing certificates the group had used to make malicious binaries look legitimate, and Defender products now detect the fake installers, the Oyster backdoor and the Rhysida ransomware the actor used to extort victims.

Microsoft’s telemetry first flagged the campaign by Vanilla Tempest (also tracked as VICE SPIDER and Vice Society) in late September 2025, after the company had observed months of misuse of trusted signing infrastructure.

Investigators observed attackers hosting counterfeit Teams installers on look-alike domains — for example, teams-download[.]buzz, teams-install[.]run and teams-download[.]top — and using search-engine poisoning to surface those pages to unsuspecting users. Running a fake MSTeamsSetup.exe delivered a loader that staged the fraudulently signed Oyster backdoor; Oyster in turn enabled data collection, lateral movement and final deployment of Rhysida ransomware.

Security teams found the operational chain notable for its focus on trust infrastructure. The actors obtained signatures through a mix of compromised or abused signing services and third-party providers, Microsoft reported.

The campaign used Trusted Signing and legitimate certificate authorities, including SSL[.]com, DigiCert and GlobalSign, to sign both the fake installers and post-compromise tools beginning in early September. Because the binaries carried legitimate signatures, the files bypassed some naïve allow-lists and lowered the bar for user execution.

Microsoft said its AV detected the fake setup files, Oyster artifacts and Rhysida encryption activities, while its endpoint solution flagged the tactics, techniques and procedures (TTPs) Vanilla Tempest used during the attacks. The company revoked the misused certificates and pushed detection rules to customers, actions that Microsoft called essential to blunt the operation quickly.

Ransomware Main Tool in Vanilla Tempest’s Arsenal

Vanilla Tempest has a long catalog of ransomware activity and extortion operations. Cybersecurity firm Cyble tracked the group’s activity back to at least June 2021. Operators targeted education, healthcare and manufacturing — sectors where downtime and data theft generate urgent pressure to negotiate — and they have previously deployed families such as BlackCat, Quantum Locker and Zeppelin.

Also read: Vice Society: A Growing Threat to Schools, Warns the FBI

In recent months they pivoted toward a sustained Rhysida campaign; Microsoft’s findings show how the group layered social engineering, SEO poisoning and code-signing fraud to seed their intrusion vector.

The attack chain Microsoft outlined matched a common pattern for modern ransomware operations: compromise or mimic a trusted application, establish a stealthy foothold with a signed loader, escalate privileges and spread via remote tools, then encrypt and exfiltrate.

In previously observed incidents, the threat actor has pushed remote administration tooling — examples include SimpleHelp and MeshAgent — to support reconnaissance and hands-on-keyboard activity, then used living-off-the-land techniques and utilities such as PsExec and Impacket for lateral movement. The earlier campaigns also saw other tools being used for reconnaissance (Advanced Port Scanner, PowerSploit scripts) and for exfiltration or staging (Rclone).

Detection guidance Microsoft shared included hunting for anomalous installers that invoked unsigned or atypically signed libraries, unexpected network connections to uncommon Teams download domains, new service installs, and process trees that spawned PowerShell with encoded command lines or initiated Rclone transfers. Microsoft also recommended auditing for unusual certificate activity in the organization — for example, new code-signing certificates issued to unknown entities or sudden signer changes for frequently used installers.
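The following is an added example, not code from Microsoft or from this article, that turns the hunting guidance above into checks a defender can run over endpoint telemetry: a fake installer spawning PowerShell with an encoded command line, Rclone transfers, new service installs, connections to look-alike Teams download hosts, and a signer baseline for frequently used installers. The events, the baseline signer strings and the allow-list of legitimate Teams hosts are all constructed or assumed here; the look-alike domains are the ones named in the article.

```python
import os
import re

# Assumption: hosts from which genuine Teams installers are expected to be fetched.
LEGIT_TEAMS_HOSTS = {"teams.microsoft.com"}

# PowerShell encoded-command switches; the \b keeps -ExecutionPolicy from matching -e.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
# Parent images that look like installers (raises severity of a child PowerShell).
INSTALLER_NAME = re.compile(r"setup\.exe$|install(?:er)?\.exe$", re.I)


def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def hunt_events(events):
    """Return (event_index, rule, severity) for every event matching a hunt rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            image = _base(ev["image"])
            parent = _base(ev.get("parent", ""))
            cmd = ev.get("cmdline", "")
            if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
                sev = "high" if INSTALLER_NAME.search(parent) else "medium"
                findings.append((i, "encoded_powershell", sev))
            if image == "rclone.exe" or re.search(r"\brclone\b.*\b(?:copy|sync|move)\b", cmd, re.I):
                findings.append((i, "rclone_transfer", "high"))
            if image == "sc.exe" and re.search(r"\bcreate\b", cmd, re.I):
                findings.append((i, "new_service_install", "medium"))
        elif ev["type"] == "network":
            host = ev["host"].lower()
            # Anything Teams-branded that is not on the allow-list is suspect.
            if "teams" in host and host not in LEGIT_TEAMS_HOSTS:
                findings.append((i, "lookalike_teams_domain", "high"))
    return findings


def signer_changes(baseline, observed):
    """Flag installers whose observed signer subject differs from the recorded baseline."""
    alerts = []
    for name, signer in observed:
        expected = baseline.get(name.lower())
        if expected is None:
            alerts.append((name, "no_baseline", signer))
        elif signer != expected:
            alerts.append((name, "signer_changed", signer))
    return alerts


# Constructed telemetry (not real logs); domains are those named in the article.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "host": "teams-download.buzz"},
    {"type": "process", "parent": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe create UpdSvc binPath= C:\\ProgramData\\upd.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\rclone\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Share remote:bucket"},
    {"type": "network", "image": r"C:\Program Files\Teams\ms-teams.exe",
     "host": "teams.microsoft.com"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

# Constructed signer baseline and observations (subject strings are placeholders).
BASELINE_SIGNERS = {"msteamssetup.exe": "CN=Expected Publisher (constructed)"}
SAMPLE_SIGNERS = [
    ("MSTeamsSetup.exe", "CN=Expected Publisher (constructed)"),
    ("MSTeamsSetup.exe", "CN=Contoso Signing Service (constructed)"),
]

if __name__ == "__main__":
    for idx, rule, sev in hunt_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} [{sev}]")
    for name, kind, signer in signer_changes(BASELINE_SIGNERS, SAMPLE_SIGNERS):
        print(f"{name}: {kind} -> {signer}")
```

On the constructed sample the process hunt returns four findings (the look-alike domain, the installer-spawned encoded PowerShell at high severity, the service creation and the Rclone copy) and ignores the legitimate Teams host and the plain `-ExecutionPolicy` script run; the signer check flags only the second, changed signer. In production the signer subject would come from the Authenticode chain recorded by the EDR rather than from the file name, and the allow-list would be maintained per organization.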

Cyble researchers noted the operation illustrated two broader trends. First, attackers increasingly targeted the trust chain — certificates, legitimate installers and vendor branding — because breaking trust reduces the friction for initial compromise. Second, defenders must expand visibility beyond network and endpoint telemetry to include supply-chain signals like certificate transparency logs, content-delivery origin records and search-result poisoning indicators.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.