Microsoft Halts Vanilla Tempest Attack by Revoking Malicious Teams Certificates

Microsoft has disrupted a campaign by the financially motivated threat actor known as Vanilla Tempest (also tracked by other security vendors as VICE SPIDER and Vice Society) by revoking more than 200 fraudulently obtained code-signing certificates.

The campaign, which surfaced in late September 2025, leveraged counterfeit Microsoft Teams installer files to deliver a stealthy backdoor and ultimately deploy the Rhysida ransomware strain.

In early October, Microsoft's security teams identified a cluster of domains masquerading as official Teams download portals. These sites used search engine optimization (SEO) poisoning to rank highly for Teams download queries and lure victims into downloading a malicious MSTeamsSetup.exe.

Once executed, the fake installer dropped a loader component that in turn installed the Oyster backdoor, enabling persistent access to compromised systems.

Key malicious domains included:

  • teams-download[.]buzz
  • teams-install[.]run
  • teams-download[.]top

Oyster has been part of Vanilla Tempest’s toolkit since June 2025, but only in September did the actor begin signing these backdoors with stolen certificates from legitimate authorities, including Trusted Signing, SSL.com, DigiCert, and GlobalSign.

By appearing authentically signed, the malicious binaries could evade many security controls and trick users and automated defenses alike.

The threat actor’s certificate abuse tactics involved:

  • Fraudulent code-signing via Trusted Signing.
  • Misuse of SSL.com, DigiCert, and GlobalSign code signing services.
  • Rapid deployment of signed binaries, so that they were in use before the issuing authorities could revoke the certificates.

Microsoft moved quickly to revoke the identified certificates, invalidating over 200 certificates that the attacker had used to sign fake setup files and post-compromise tools. Alongside certificate revocation, Microsoft Defender Antivirus now flags the counterfeit installers, the Oyster backdoor, and the Rhysida ransomware payload.
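Revocation only protects an endpoint that actually checks revocation status at verification time. The script below is an added example (not from the article or from Microsoft) that verifies the Authenticode signature on a downloaded installer, forces an online revocation check of the whole signing chain, and compares the signer to an expected publisher name; the `$InstallerPath` parameter and the `Microsoft Corporation` publisher string are assumptions for illustration.

```powershell
# Added example: check an installer's Authenticode signature, signer identity and
# the revocation status of its certificate chain before allowing it to run.
# Assumption: the genuine installer is published by "Microsoft Corporation".
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,
    [string]$ExpectedPublisher = 'Microsoft Corporation'
)

$ns = 'System.Security.Cryptography.X509Certificates'

# Step 1: is the file signed at all, and does the signature verify?
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
    Write-Output "BLOCK: $InstallerPath signature status is '$($sig.Status)'"
    return
}
$cert = $sig.SignerCertificate

# Step 2: does the signer match the publisher we expect for this product?
# A fraudulently obtained certificate is technically valid but is issued to
# some other organisation, so the subject name is the first thing to inspect.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($ExpectedPublisher))") {
    Write-Output "BLOCK: signed by '$($cert.Subject)', expected '$ExpectedPublisher'"
    return
}

# Step 3: rebuild the chain with ONLINE revocation checking on every link.
# Get-AuthenticodeSignature may report 'Valid' from cached chain state, so the
# revocation lookup (CRL/OCSP) is forced explicitly here.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [type]"$ns.X509RevocationMode" | ForEach-Object { $_::Online }
$chain.ChainPolicy.RevocationFlag = [type]"$ns.X509RevocationFlag" | ForEach-Object { $_::EntireChain }
$null = $chain.Build($cert)

$flags = [type]"$ns.X509ChainStatusFlags"
$revoked = $chain.ChainStatus | Where-Object { $_.Status.HasFlag($flags::Revoked) }
$unknown = $chain.ChainStatus | Where-Object {
    $_.Status.HasFlag($flags::RevocationStatusUnknown) -or
    $_.Status.HasFlag($flags::OfflineRevocation)
}

if ($revoked) {
    Write-Output "BLOCK: signing chain contains a REVOKED certificate ($($cert.Thumbprint))"
} elseif ($unknown) {
    # Treat "could not check" as a failure rather than silently allowing the file.
    Write-Output "HOLD: revocation status could not be confirmed online; do not run yet"
} else {
    Write-Output "OK: signed by '$($cert.Subject)', chain valid and not revoked"
}
```

Timestamped signatures made before the revocation date may still verify on some policies, so an "OK" result should still be combined with the Defender detections described above rather than treated as proof of a benign file.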

Microsoft Defender for Endpoint has also been updated to detect the tactics, techniques, and procedures (TTPs) characteristic of the Vanilla Tempest group, providing further safeguards and forensic guidance for security operations teams investigating these incidents.

Vanilla Tempest specializes in ransomware and data extortion, having previously deployed payloads such as BlackCat, Quantum Locker, and Zeppelin. In recent months, however, the group has shifted focus to Rhysida as its primary ransomware choice.

Upon gaining a foothold via the Oyster backdoor, attackers exfiltrate critical data before encrypting systems, applying maximum pressure for ransom payment.

The swift revocation of certificates not only disrupts the adversary’s ongoing campaign but also underscores the importance of robust certificate management practices and real-time threat intelligence sharing.

Microsoft’s action helps protect its customers globally and sets a precedent for collaboration across certificate authorities and the wider cybersecurity community.

Organizations are urged to ensure that Microsoft Defender Antivirus is fully enabled and up to date, and to deploy Microsoft Defender for Endpoint for comprehensive detection and investigation capabilities.

Additional guidance on mitigating and responding to Rhysida ransomware and associated backdoor activity is available through Microsoft’s security portals.

By sharing these insights broadly, Microsoft aims to strengthen defenses and enhance resilience against evolving ransomware threats across industries.

Kaaviya
https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening across the cyber space.