
Microsoft on Thursday said it has revoked more than 200 certificates that Vanilla Tempest, a threat actor it tracks, used to fraudulently sign malicious binaries in ransomware attacks.
The Microsoft Threat Intelligence team said in a post shared on X that the certificates were “used in a fake Teams setup file to deliver the Oyster backdoor and ultimately deploy the Rhysida ransomware.”
The tech giant announced earlier this month that it had halted the activity, which was detected in late September 2025. In addition to revoking the certificates, the company has updated its security solutions to flag signatures associated with the fake setup files, the Oyster backdoor, and the Rhysida ransomware.
Vanilla Tempest (formerly tracked as Storm-0832) is the name given to a financially motivated threat actor also known as Vice Society or Vice Spider. The group is assessed to have been active since at least July 2022 and has distributed various ransomware strains over the years, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.

Oyster (also known as Broomstick and CleanUpLoader), on the other hand, is a backdoor that is often distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams, hosted on fake websites that users encounter when searching for those programs on Google or Bing.
“In this campaign, Vanilla Tempest used a fake MSTeamsSetup.exe file hosted on malicious domains that mimic Microsoft Teams, for example teams-download[.]buzz, team install[.]Run, or Team Download[.]. Users can be directed to malicious download sites using search engine optimization (SEO) poisoning,” Microsoft said.
To sign these installers and other post-compromise tools, the attackers are said to have used trusted signatures in addition to the SSL[.]com, DigiCert, and GlobalSign code signing services.
Details of the campaign were first revealed by Blackpoint Cyber last month, showing how users searching for Teams online were redirected to a fake download page that served the malicious MSTeamsSetup.exe instead of the legitimate client.

“This activity highlights the continued misuse of SEO poisoning and malicious advertising to deliver backdoors in products under the guise of trusted software,” the company said. “Those attackers are exploiting user trust in search results and well-known brands to gain initial access.”
To reduce such risks, download software only from verified sources and avoid clicking on suspicious links served through search engine advertisements.
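A defender-side check that follows from this advice, added here as an example and not taken from the article or from Microsoft: before running a downloaded installer, verify its Authenticode signature, confirm the signer's subject names the publisher the file claims to be from, and rebuild the chain with online revocation checking so a certificate the CA has since revoked is caught. The function name, the subject pattern and the sample path are assumptions.

```powershell
# Added example, not from the article or from Microsoft: vet a downloaded installer
# (e.g. MSTeamsSetup.exe) before running it. Assumes Windows PowerShell 5.1 / PowerShell 7
# on Windows; the expected-publisher pattern and the path are placeholders to adjust.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # A fraudulently obtained certificate is issued to some other organisation, so even
        # with a valid CA chain the subject will not name the publisher the file imitates.
        [string] $ExpectedSubjectPattern = '^CN=Microsoft Corporation,'
    )
    $result = [ordered]@{
        Path    = $Path
        Sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status  = 'Unknown'
        Signer  = $null
        Revoked = $false
        Verdict = 'BLOCK'   # default-deny: anything short of a full pass is blocked
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status = $sig.Status.ToString()
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Unsigned, tampered (HashMismatch) or untrusted chain: stop here.
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # Get-AuthenticodeSignature may still report 'Valid' for a certificate the CA revoked
    # after signing (the situation this article describes), so rebuild the chain with
    # online CRL/OCSP checking and the code-signing EKU enforced.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $codeSigningEku = [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')
    $null = $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)
    $chainOk = $chain.Build($cert)
    $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })

    if ($chainOk -and -not $result.Revoked -and $cert.Subject -match $ExpectedSubjectPattern) {
        $result.Verdict = 'ALLOW'
    }
    return [pscustomobject]$result
}

# Usage (path is a placeholder):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

The SHA-256 in the output is there so a blocked file can be correlated with vendor advisories or submitted for analysis without re-hashing it.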