Microsoft Halts Vanilla Tempest Cyberattack by Revoking Malicious Teams Installer Certificates

Microsoft has successfully disrupted a major cyberattack campaign orchestrated by the Vanilla Tempest threat group in early October 2025.

The tech giant revoked over 200 fraudulent certificates that the cybercriminals had used to sign fake Microsoft Teams installation files, which were designed to deliver the Oyster backdoor and deploy Rhysida ransomware on victim systems.

Discovery and Response to the Threat

Microsoft security researchers discovered this Vanilla Tempest campaign in late September 2025 after monitoring several months of suspicious activity involving fraudulently signed binary files.

The company took swift action by not only revoking the malicious certificates but also ensuring that Microsoft Defender Antivirus can detect the fake setup files, Oyster backdoor, and Rhysida ransomware.

Additionally, Microsoft Defender for Endpoint now identifies the specific tactics, techniques, and procedures used by Vanilla Tempest in their attacks.

Vanilla Tempest operates as a financially motivated cybercriminal group, also tracked by various security vendors under the names VICE SPIDER and Vice Society.

The threat actor specializes in deploying ransomware and stealing sensitive data for extortion purposes.

Over the course of its operations, the group has used multiple ransomware families, including BlackCat, Quantum Locker, and Zeppelin, but has recently focused primarily on deploying Rhysida ransomware.

The attack campaign relied on sophisticated social engineering techniques to trick users into downloading malicious software.

Vanilla Tempest created fake MSTeamsSetup.exe files and hosted them on fraudulent domains that closely mimicked legitimate Microsoft Teams websites, such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.

Security researchers believe that potential victims were directed to these malicious download sites through search engine optimization poisoning, a technique that manipulates search engine results to display malicious links prominently.

When victims executed the fake Microsoft Teams setup files, the malware delivered a loader that subsequently installed a fraudulently signed Oyster backdoor on their systems.

Investigation revealed that Vanilla Tempest began incorporating Oyster into their attack campaigns as early as June 2025, but only started fraudulently signing these backdoors in early September 2025.

To make their malicious software appear legitimate, Vanilla Tempest exploited multiple trusted code signing services.

The threat actors were observed using Microsoft’s Trusted Signing service, along with certificates from SSL[.]com, DigiCert, and GlobalSign to fraudulently sign both fake installers and post-compromise tools.
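Because the fake installers carried real (later revoked) signatures, a defender triaging a downloaded MSTeamsSetup.exe should check not just that the file is signed but who signed it and whether the signing chain now fails revocation. The PowerShell below is an added example, not code from Microsoft's advisory; the download path and the expected signer name are assumptions.

```powershell
# Added example: inspect a downloaded installer's Authenticode signature and
# re-validate the signer chain with online revocation checking.
# Not Microsoft's code; $Path and $ExpectedSigner are assumptions.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'CN=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when WinVerifyTrust accepts the entire chain;
    # a revoked or untrusted signing certificate produces a different status.
    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        SignerMatches = $false
        ChainRevoked  = $false
        ChainErrors   = @()
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.Subject
        # Cheap first check: a genuine Teams installer is signed by Microsoft,
        # not by an arbitrary organization holding a freshly issued certificate.
        $result.SignerMatches = ($cert.Subject -like "$ExpectedSigner,*")

        # Rebuild the chain with online revocation checking so certificates
        # revoked after signing (as in this campaign) are surfaced explicitly.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
        $result.ChainRevoked = [bool]($chain.ChainStatus |
            Where-Object { $_.Status -match 'Revoked' })
    }

    [pscustomobject]$result
}

# Anything other than Status=Valid together with SignerMatches=True is grounds to quarantine the file.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

The subject check alone is not sufficient, since code signing services issue certificates to many legitimate organizations; the signature status and revocation result are the authoritative signals.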

Microsoft emphasized that fully enabled Microsoft Defender Antivirus successfully blocks this threat.

The company has also provided additional guidance through Microsoft Defender for Endpoint to help organizations mitigate and investigate this attack.

Alongside noting that these protections secure its customers, Microsoft released this threat intelligence publicly to help strengthen defenses across the broader security community.
