
Microsoft Teams Targeted: Vanilla Tempest Abuses Azure Certificates in Ransomware Attack Disrupted by Microsoft

  • Rescana
  • Oct 19
  • 4 min read

Executive Summary

In October 2025, Microsoft executed a significant disruption of a sophisticated ransomware campaign that exploited the trust model of code-signing by abusing over 200 Azure and third-party certificates. The campaign, orchestrated by the threat group Vanilla Tempest (also tracked as VICE SPIDER and Vice Society), leveraged fraudulent certificates to sign malicious installers masquerading as legitimate Microsoft Teams applications. These installers delivered the Oyster backdoor, which facilitated the deployment of the Rhysida ransomware payload. The operation targeted a broad spectrum of organizations, including those in education, healthcare, IT, and manufacturing, and demonstrated advanced techniques in initial access, lateral movement, and evasion. This advisory provides a comprehensive technical breakdown of the campaign, the threat actor’s profile, observed tactics, techniques, and procedures (TTPs), victimology, and actionable mitigation strategies.

Threat Actor Profile

Vanilla Tempest is a financially motivated cybercrime group with a history of high-impact ransomware operations. Also known as VICE SPIDER and Vice Society, the group has been active since at least July 2022 and is notorious for targeting sectors where operational disruption can yield high ransom payments. Their arsenal includes ransomware families such as BlackCat, Quantum Locker, Zeppelin, INC ransomware, and most recently, Rhysida. The group is adept at exploiting supply chain weaknesses, abusing trusted digital certificates, and leveraging social engineering and SEO poisoning to maximize the reach and impact of their campaigns. Vanilla Tempest is known for rapid post-exploitation activity, including lateral movement via Remote Desktop Protocol (RDP) and the use of living-off-the-land binaries to evade detection.

Technical Analysis of Malware/TTPs

The campaign’s technical sophistication centered on the abuse of over 200 code-signing certificates, including those issued by Azure, SSL.com, DigiCert, GlobalSign, and Trusted Signing. These certificates were fraudulently obtained or compromised, allowing the attackers to sign malicious binaries and bypass endpoint security controls that rely on digital signature validation.

Initial access was achieved through the distribution of fake Microsoft Teams installers, primarily named MSTeamsSetup.exe, hosted on domains crafted to mimic legitimate Microsoft download portals, such as teams-download[.]buzz and teams-install[.]run. The attackers employed SEO poisoning to ensure these malicious sites ranked highly in search engine results, increasing the likelihood of user interaction.

Upon execution, the installer—signed with a valid but abused certificate—deployed a loader that installed the Oyster backdoor. This backdoor, first observed in June 2025 and signed with compromised certificates from September 2025 onward, provided persistent access and command-and-control (C2) capabilities. The Oyster backdoor enabled the threat actor to conduct reconnaissance, escalate privileges, and facilitate lateral movement.

Lateral movement was primarily conducted via RDP, using credentials harvested or brute-forced after the initial infection. The attackers then used Windows Management Instrumentation Provider Host to deploy the INC ransomware payload, followed by the final-stage deployment of Rhysida ransomware. The ransomware encrypted critical data and systems, and the operators demanded payment for the decryption keys.

The campaign’s TTPs mapped closely to the following MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1566.002 (Spearphishing via Service), T1204.002 (User Execution: Malicious File), T1547 (Boot or Logon Autostart Execution), T1021.001 (Remote Desktop Protocol), T1071.001 (Web Protocols), and T1486 (Data Encrypted for Impact).

Exploitation in the Wild

The campaign was active for several months prior to its disruption by Microsoft. During this period, multiple organizations across the education, healthcare, IT, and manufacturing sectors were compromised. The attackers’ use of SEO poisoning and highly convincing fake download portals resulted in a significant number of infections, particularly among users seeking to install or update Microsoft Teams outside of official channels.

Microsoft Defender Antivirus and Defender for Endpoint were updated with new detection rules and indicators of compromise (IOCs) as soon as the campaign was identified. The company also revoked the abused certificates and coordinated with certificate authorities to prevent further misuse. The rapid sharing of IOCs and TTPs with the broader security community was instrumental in containing the threat.

Victimology and Targeting

The primary targets of this campaign were organizations in the education, healthcare, IT, and manufacturing sectors. These industries were selected due to their reliance on Microsoft Teams for collaboration and their high tolerance for operational disruption, making them attractive ransomware targets. The campaign was global in scope, with a particular focus on organizations using Azure services and Microsoft Teams. There is no evidence that official Microsoft Teams update channels or the Microsoft Store were compromised; only users who downloaded installers from malicious third-party sites were affected.

Mitigation and Countermeasures

Organizations are strongly advised to ensure that Microsoft Defender Antivirus and Defender for Endpoint are fully enabled and updated with the latest signatures and detection rules. Access to the identified malicious domains, including teams-download[.]buzz and teams-install[.]run, should be blocked at the network perimeter and monitored for attempted connections.

It is critical to audit and monitor the use of code-signing certificates within your environment. Any unexpected or unauthorized certificate usage should be investigated immediately. Users should be educated to download software only from official vendor sources, and any execution of MSTeamsSetup.exe or similar installers from non-official sources should be treated as a potential security incident.

Review and restrict RDP usage across your environment, implementing multi-factor authentication and network-level authentication where possible. Employ advanced hunting queries in Microsoft Defender XDR and Microsoft Sentinel to detect suspicious activity related to Teams installations and certificate usage.
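The three mitigations above (block and watch the named domains, audit signer usage, and hunt for non-official Teams installs) can be turned into concrete detection logic. The script below is an added example written for this advisory; it is not Rescana's or Microsoft's tooling, and it does not use Defender XDR or Sentinel query syntax. It runs three hunting rules over a few constructed telemetry lines: contact with the two domains named above, MSTeamsSetup.exe launched from outside an official install path, and a Teams installer whose signature verifies but whose signer is not Microsoft. The event format, the expected signer value (`EXPECTED_SIGNER`), the official path prefixes (`OFFICIAL_PATH_PREFIXES`), the rule names and the host names are all assumptions made for the example. The point it illustrates is the one the campaign exploited: a signature that validates is not the same as a signature from the expected publisher, so the check must be on the signer, not only on validity.

```python
from dataclasses import dataclass


def refang(domain: str) -> str:
    """Turn a defanged indicator such as teams-download[.]buzz into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


# Indicators taken from the advisory above (defanged there, refanged here for matching).
BLOCKED_DOMAINS = {refang(d) for d in ("teams-download[.]buzz", "teams-install[.]run")}
SUSPECT_INSTALLER = "msteamssetup.exe"

# Assumption: a genuine Teams installer is signed by Microsoft. A *valid* signature from
# any other subject is exactly the abused-certificate pattern described above, so the
# check is on the signer, not merely on whether the signature verifies.
EXPECTED_SIGNER = "microsoft corporation"

# Assumption: official installs run from these locations; MSTeamsSetup.exe launched from a
# user profile (Downloads, Desktop, Temp) is treated as a non-official source.
OFFICIAL_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed event line of the form TYPE|key=value|key=value|..."""
    kind, *fields = line.strip().split("|")
    event = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def analyze(lines) -> list:
    """Apply the three hunting rules to a sequence of event lines and return the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev["kind"] == "NET":
            # Rule 1: any contact with the advisory's malicious download domains.
            domain = refang(ev.get("domain", ""))
            if domain in BLOCKED_DOMAINS:
                findings.append(Finding("blocked-domain", host, domain))
        elif ev["kind"] == "PROC":
            path = ev.get("path", "")
            if path.rsplit("\\", 1)[-1].lower() != SUSPECT_INSTALLER:
                continue
            # Rule 2: the installer name from the advisory running outside official paths.
            if not path.lower().startswith(OFFICIAL_PATH_PREFIXES):
                findings.append(Finding("installer-outside-official-path", host, path))
            # Rule 3: signature state. A valid signature with the wrong signer is the
            # abused-certificate case; unsigned or broken signatures are flagged as well.
            signer = ev.get("signer", "").lower()
            if ev.get("sig_valid", "").lower() == "true":
                if signer != EXPECTED_SIGNER:
                    findings.append(Finding("valid-signature-unexpected-signer", host, signer))
            else:
                findings.append(Finding("unsigned-or-invalid-signature", host, path))
    return findings


# Constructed sample telemetry (not real logs): process-creation events carrying the
# Authenticode signer as an EDR would record it, plus DNS/proxy events.
SAMPLE_EVENTS = r"""
PROC|host=WS-01|path=C:\Users\alice\Downloads\MSTeamsSetup.exe|signer=Acme Software Ltd|sig_valid=true
PROC|host=WS-02|path=C:\Program Files (x86)\Teams Installer\MSTeamsSetup.exe|signer=Microsoft Corporation|sig_valid=true
PROC|host=WS-04|path=C:\Users\bob\Desktop\MSTeamsSetup.exe|signer=|sig_valid=false
NET|host=WS-01|domain=teams-download[.]buzz|action=allowed
NET|host=WS-03|domain=teams.microsoft.com|action=allowed
""".strip().splitlines()


def hosts_to_escalate(findings) -> set:
    """Hosts with more than one independent finding are the first to isolate and image."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in per_host.items() if len(rules) > 1}


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:6} {f.rule:36} {f.detail}")
    print("escalate:", sorted(hosts_to_escalate(results)))
```

On the constructed input, WS-01 trips all three rules (download-folder launch, a verifying signature from a non-Microsoft signer, and a connection to teams-download.buzz) and WS-04 trips two, while the host that ran the Microsoft-signed installer from an official path and the host that only contacted teams.microsoft.com produce nothing. In a real deployment the same rules map onto process-creation and network tables in Defender XDR or Sentinel; the signer comparison is the part that ordinary signature-validity checks miss.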

Finally, organizations should maintain robust backup and recovery procedures, ensure that backups are stored offline or in immutable storage, and regularly test restoration processes to minimize the impact of ransomware attacks.

References

MITRE ATT&CK Framework: https://attack.mitre.org/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, we are happy to answer questions at ops@rescana.com.