
Microsoft Teams Targeted in Rhysida Ransomware Campaign: Over 200 Fraudulent Certificates Revoked by Microsoft

  • Rescana
  • Oct 19
  • 5 min read

Executive Summary

In October 2025, Microsoft revoked more than 200 code-signing certificates that had been abused in a campaign run by the threat actor Vanilla Tempest (also tracked as Vice Society, VICE SPIDER, and Storm-0832). The certificates were used to sign malicious binaries, most notably trojanized Microsoft Teams installers, which were distributed through search engine optimization (SEO) poisoning and malicious download sites. The campaign's objective was to deliver the Oyster backdoor and, through it, the Rhysida ransomware. Because the certificates were issued by trusted certificate authorities, the signed binaries validated as legitimately signed on victim systems, which raised the odds of slipping past endpoint security controls and of convincing end users. Organizations in the education, healthcare, IT, and manufacturing sectors have been targeted, underscoring the need for supply chain and endpoint controls that check who signed a file, not merely whether it is signed.

Threat Actor Profile

Vanilla Tempest is a financially motivated threat group with a well-documented history of ransomware and extortion operations. The group has been active since at least July 2022 and is known for opportunistic targeting of organizations with limited cyber resilience, particularly in the education and healthcare sectors. Vanilla Tempest has previously deployed ransomware families such as BlackCat, Quantum Locker, and Zeppelin, and has more recently shifted to Rhysida. The group's tactics, techniques, and procedures (TTPs) are characterized by abuse of legitimate software supply chains, the use of stolen or fraudulently obtained code-signing certificates, and the deployment of custom backdoors for persistent access and lateral movement. Their operations combine low-cost lures such as SEO poisoning with the abuse of trusted digital signatures to evade detection.

Technical Analysis of Malware/TTPs

The attack chain begins with SEO poisoning, in which Vanilla Tempest manipulates search engine results to promote malicious domains such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top. Users searching for Microsoft Teams or other popular software land on these sites and are prompted to download a trojanized installer named MSTeamsSetup.exe. The executable is signed with a fraudulently obtained certificate from a reputable issuer, including Microsoft's own Trusted Signing service, SSL[.]com, DigiCert, and GlobalSign. The signatures themselves verify correctly; the fraud lies in how the certificates were obtained, not in the cryptography, which is why a check that stops at "is this file signed by a trusted CA?" does not catch these installers.

Upon execution, the installer acts as a loader for the Oyster backdoor (also known as Broomstick or CleanUpLoader). Oyster establishes persistence on the compromised system, typically by creating scheduled tasks or modifying registry keys. It then facilitates the download and execution of additional payloads, most notably the Rhysida ransomware. The ransomware encrypts files on the victim’s system and displays a ransom note demanding payment in cryptocurrency.

The attackers employ several TTPs to maximize the impact of the campaign. These include the use of signed binaries to bypass application allowlisting and endpoint detection and response (EDR) controls, the use of Remote Desktop Protocol (RDP) and Windows Management Instrumentation Provider Host (WmiPrvSE.exe) for lateral movement, and the exfiltration of sensitive data prior to ransomware deployment. The abuse of code-signing certificates is particularly notable because it undermines the trust model of the software supply chain: a malicious binary carrying a valid signature appears legitimate to both users and security tools that treat any trusted signature as a mark of safety.

Exploitation in the Wild

The campaign has been observed targeting organizations in the education, healthcare, IT, and manufacturing sectors. Victims are typically lured through search engine results manipulated by SEO poisoning, leading them to download trojanized installers from attacker-controlled domains. Once the Oyster backdoor is installed, the attackers conduct reconnaissance, establish persistence, and move laterally within the network. Data exfiltration is performed prior to the deployment of the Rhysida ransomware, maximizing the leverage for extortion. The use of signed binaries enables the attackers to evade many traditional security controls, increasing the likelihood of successful compromise and ransomware deployment.

The scale of the response, more than 200 certificates revoked by Microsoft for a single campaign, shows how readily code-signing certificates can be obtained under false pretenses. That the certificates came from several different certificate authorities points to weaknesses in identity validation during issuance rather than at any one CA, and it leaves defenders unable to treat the issuer alone as a reliable signal of trust.

Victimology and Targeting

The primary targets of this campaign have been organizations in the education, healthcare, IT, and manufacturing sectors. These sectors are often characterized by large, distributed user bases and varying levels of cybersecurity maturity, making them attractive targets for ransomware operators. The global nature of the campaign suggests that the attackers are opportunistic, leveraging SEO poisoning to cast a wide net and maximize the number of potential victims. While specific countries have not been explicitly identified in public reporting, the campaign’s reach is believed to be international, with a focus on organizations that are likely to pay ransoms to restore critical operations.

The use of fake Microsoft Teams installers as the initial infection vector is particularly effective, given the widespread adoption of remote collaboration tools and the frequency with which users search for legitimate software downloads. By abusing trusted certificate authorities, the attackers are able to bypass many of the security controls that organizations rely on to protect against malware, increasing the risk of successful compromise.

Mitigation and Countermeasures

Organizations are strongly advised to implement a multi-layered approach to mitigate the risks associated with this campaign. Key recommendations include:

Ensuring that all software, especially collaboration tools like Microsoft Teams, is downloaded exclusively from official vendor websites or trusted enterprise repositories. Users should be educated about the risks of downloading software from third-party sites and about verifying that a digital signature belongs to the expected publisher, not merely that the file is signed.
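The following PowerShell function is an added example, not code from the original post or from Microsoft. It applies the check recommended above to a downloaded installer: the Authenticode signature must verify, the signer's common name must match the expected publisher, the issuing CA must be one the publisher actually uses, and the certificate chain is explicitly checked for revocation. The allowlisted subject and issuer strings are assumptions for illustration and should be taken from a known-good copy of the installer in your own environment.

```powershell
# Added example (not from the original post). Verifies that an installer is signed
# by the publisher we expect, rather than merely "signed by a trusted CA".
# Assumed values: $AllowedSubjectCN and $AllowedIssuerPatterns are illustrative
# allowlist entries; replace them with what a known-good installer shows.

function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Exact common names accepted as the signer (assumed allowlist).
        [string[]] $AllowedSubjectCN = @('Microsoft Corporation'),
        # Substrings that must appear in the issuing CA's distinguished name (assumed).
        [string[]] $AllowedIssuerPatterns = @('Microsoft Code Signing PCA')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the Authenticode signature itself must verify. HashMismatch means the
    # file was altered after signing; NotSigned and NotTrusted speak for themselves.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'; Reason = "Signature status $($sig.Status): $($sig.StatusMessage)" }
    }

    $cert      = $sig.SignerCertificate
    $subjectCN = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Step 2: a fraudulently obtained but technically valid certificate passes step 1.
    # The campaign's installers were validly signed; they were not signed by Microsoft.
    if ($AllowedSubjectCN -notcontains $subjectCN) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'; Reason = "Unexpected signer: $subjectCN (issuer: $($cert.Issuer))" }
    }

    # Step 3: the expected publisher should come from the expected CA. A subject
    # reading "Microsoft Corporation" issued by an unrelated CA is itself a red flag.
    $issuerOk = $AllowedIssuerPatterns | Where-Object { $cert.Issuer -like "*$_*" }
    if (-not $issuerOk) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'; Reason = "Unexpected issuer: $($cert.Issuer)" }
    }

    # Step 4: explicit online revocation check of the whole chain. Short-lived
    # signing certificates may already show NotTimeValid here, so only the
    # Revoked flag is treated as a blocker; time validity was handled in step 1.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $revoked = $chain.ChainStatus | Where-Object {
        $_.Status.HasFlag([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked)
    }
    if ($revoked) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'; Reason = "Certificate revoked: $($cert.Thumbprint)" }
    }

    [pscustomobject]@{
        Path    = $Path
        Verdict = 'ALLOW'
        Reason  = "Signed by $subjectCN, issued by $($cert.Issuer), thumbprint $($cert.Thumbprint)"
    }
}

# Usage: run against the downloaded file before anyone executes it.
Test-ExpectedPublisher -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

Step 2 is the one that matters for this campaign: a certificate issued by Trusted Signing, SSL.com, DigiCert or GlobalSign to a front company produces a signature that clears step 1 on any Windows host, and only a comparison against the expected publisher identity rejects it. Step 4 is a belt-and-braces check for hosts whose platform verifier accepted a timestamped signature that was later revoked; it requires outbound CRL/OCSP access to be meaningful.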

Deploying advanced endpoint protection solutions such as Microsoft Defender Antivirus and Microsoft Defender for Endpoint, which now detect the fake MS Teams setup files, the Oyster backdoor, and the Rhysida ransomware. These solutions also provide investigation guidance for the TTPs associated with Vanilla Tempest.

Regularly reviewing and updating endpoint detection and response (EDR) policies to detect and block the execution of binaries signed with revoked or suspicious certificates. Revocation only protects endpoints that actually perform CRL or OCSP checks at execution time, and timestamped signatures may continue to verify after the certificate is revoked, so policies that key on publisher identity (for example, WDAC or AppLocker publisher rules) are more robust than blocklists of individual certificates. Security teams should also monitor for the known malicious domains teams-download[.]buzz, teams-install[.]run, and teams-download[.]top, and block access at the network perimeter.
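The following PowerShell script is an added example, not code from the original post. It hunts a proxy or DNS log export for the three domains named above and, going one step beyond the exact indicators, for the lure pattern the campaign relied on: a hostname that contains "teams" together with a download, install or setup word but is not under a Microsoft-owned zone. The log format, every line in the sample log, and the allowlist of legitimate zones are constructed for this example and should be replaced with your own.

```powershell
# Added example (not from the original post). Flags the campaign's known domains
# and Teams-themed lookalikes in a web proxy / DNS log export.
# Assumptions: the "<ISO timestamp> <client-ip> <hostname> <url>" format, the
# sample lines, and the allowlist of legitimate zones are constructed here.

$KnownBadDomains = @('teams-download.buzz', 'teams-install.run', 'teams-download.top')
$LegitimateZones = @('microsoft.com', 'office.com', 'office.net', 'live.com', 'windows.net')

function Get-HostZone {
    param([Parameter(Mandatory)] [string] $HostName)
    # Registrable zone as "<sld>.<tld>". Good enough for this allowlist; a real
    # deployment would consult the Public Suffix List for multi-label TLDs.
    $parts = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($parts.Count -lt 2) { return $HostName.ToLowerInvariant() }
    return ($parts[-2..-1] -join '.')
}

function Find-FakeTeamsDownloads {
    param([Parameter(Mandatory)] [string[]] $LogLines)
    foreach ($line in $LogLines) {
        $f = $line -split '\s+', 4
        if ($f.Count -lt 3) { continue }          # malformed line, skip
        $ts, $client = $f[0], $f[1]
        $hostName    = $f[2].ToLowerInvariant().TrimEnd('.')
        $zone        = Get-HostZone -HostName $hostName

        # Exact indicator match, including subdomains of the known bad zones.
        if ($KnownBadDomains -contains $zone -or $KnownBadDomains -contains $hostName) {
            [pscustomobject]@{ Time = $ts; Client = $client; Host = $hostName; Severity = 'High'; Reason = 'Known campaign domain' }
            continue
        }
        # Heuristic: Teams-themed lure hostname outside Microsoft-controlled zones.
        if ($hostName -match 'teams' -and $hostName -match 'download|install|setup' -and $LegitimateZones -notcontains $zone) {
            [pscustomobject]@{ Time = $ts; Client = $client; Host = $hostName; Severity = 'Medium'; Reason = 'Teams lookalike outside allowlisted zones' }
        }
    }
}

# Constructed sample log (not real traffic). Lines 2, 4 and 5 should be flagged.
$SampleLog = @(
    '2025-10-14T09:12:03Z 10.20.30.41 www.bing.com /search?q=microsoft+teams+download',
    '2025-10-14T09:12:09Z 10.20.30.41 teams-download.buzz /MSTeamsSetup.exe',
    '2025-10-14T09:13:44Z 10.20.30.57 statics.teams.cdn.office.net /production-windows-x64/MSTeamsSetup.exe',
    '2025-10-14T09:15:02Z 10.20.30.88 teams-setup-download.example /get/MSTeamsSetup.exe',
    '2025-10-14T09:16:30Z 10.20.30.41 teams-install.run /update'
)

Find-FakeTeamsDownloads -LogLines $SampleLog | Format-Table -AutoSize
```

The exact-match branch is what a perimeter blocklist gives you; the heuristic branch is what catches the next registration in the same pattern, at the cost of some triage. Tune the allowlist against your own proxy logs before enabling the medium-severity rule, since legitimate CDNs serving the real Teams installer will otherwise show up.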

Implementing strict application whitelisting and least privilege access controls to limit the ability of attackers to execute unauthorized code and move laterally within the network. Monitoring for unusual RDP and WMI activity can help detect lateral movement attempts.

Maintaining regular, offline backups of critical data and testing restoration procedures to ensure business continuity in the event of a ransomware attack. Organizations should also develop and rehearse incident response plans that address ransomware and supply chain threats.

Staying informed about the latest threat intelligence and indicators of compromise (IOCs) related to this campaign. Security teams should subscribe to threat intelligence feeds and collaborate with industry peers to share information about emerging threats.

References

Microsoft Threat Intelligence on X (Twitter): @MsftSecIntel

Blackpoint Cyber: Initial campaign disclosure

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations stay ahead of emerging threats and ensure the resilience of their digital ecosystem. For more information about how Rescana can help your organization strengthen its cybersecurity posture, we are happy to answer questions at ops@rescana.com.
