
On October 15, 2025, Microsoft announced the revocation of over 200 certificates used by a threat actor known as Vanilla Tempest to illegitimately sign malicious software in ransomware attacks. According to the Microsoft Threat Intelligence team, these certificates were employed in counterfeit Teams setup files to install the Oyster backdoor and ultimately deploy Rhysida ransomware.

The tech giant interrupted this activity earlier this month after it was detected in late September 2025. Along with revoking the certificates, Microsoft’s security solutions have been updated to identify signatures linked to these fraudulent setup files, the Oyster backdoor, and Rhysida ransomware.
Vanilla Tempest, previously referred to as Storm-0832, is a financially motivated threat actor also known as Vice Society and Vice Spider, active since at least July 2022. This group has delivered various ransomware strains, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The Oyster backdoor, also known as Broomstick and CleanUpLoader, is often distributed through trojanized installers for popular software like Google Chrome and Microsoft Teams, typically via fake websites that users encounter while searching on Google and Bing.
“In this campaign, Vanilla Tempest utilized counterfeit MSTeamsSetup.exe files hosted on malicious domains that imitate Microsoft Teams, such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top,” Microsoft stated. “Users are likely being directed to these harmful download sites through search engine optimization (SEO) poisoning.”
To sign these installers and other post-compromise tools, the threat actor reportedly used Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.
Details of this operation were initially revealed by Blackpoint Cyber last month, which noted how users searching for Teams online were redirected to fake download pages, where they unwittingly downloaded a malicious MSTeamsSetup.exe instead of the genuine client.
“This activity underscores the ongoing exploitation of SEO poisoning and malicious advertisements to deliver backdoors disguised as legitimate software,” the company remarked. “Threat actors are taking advantage of users’ trust in search results and well-known brands to gain entry.”
To mitigate these risks, users are advised to download software only from verified sources and to avoid clicking on suspicious links presented through search engine advertisements.
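One place a defender can act on this campaign is at the web proxy: the lure relies on a user fetching a file named MSTeamsSetup.exe from a Teams-lookalike domain rather than from Microsoft. The script below is an added example, not code from Microsoft, Blackpoint Cyber or the article; it scans a constructed proxy log for requests that hit the three lookalike domains quoted in Microsoft's statement, or that pull a Teams installer from any host outside an assumed trusted-domain list. The log format, the trusted-domain list and every log line are constructed for illustration.

```python
"""Flag proxy-log requests matching the fake Teams installer lure described above.

Added example. The log format, TRUSTED_DOMAINS and SAMPLE_LOG are constructed
for illustration; only REPORTED_DOMAINS comes from Microsoft's statement.
"""
import re
from urllib.parse import urlsplit

# Lookalike domains named in Microsoft's statement, kept defanged as published.
REPORTED_DOMAINS = ("teams-download[.]buzz", "teams-install[.]run", "teams-download[.]top")

# Hosts from which a genuine Teams installer may be fetched. This is an assumption
# for the example; substitute the domains your software-distribution policy allows.
TRUSTED_DOMAINS = ("microsoft.com", "office.com")

# Constructed proxy log, one request per line: "<timestamp> <client-ip> <url> <http-status>"
SAMPLE_LOG = """\
2025-10-02T09:14:03Z 10.1.4.22 https://teams-download.buzz/MSTeamsSetup.exe 200
2025-10-02T09:20:45Z 10.1.4.31 https://download.microsoft.com/MSTeamsSetup.exe 200
2025-10-02T09:22:10Z 10.1.4.40 https://teams-install.run/download 302
2025-10-02T09:30:02Z 10.1.4.57 https://cdn.example-mirror.net/files/MSTeamsSetup.exe 200
2025-10-02T09:31:18Z 10.1.4.57 https://teams.microsoft.com/ 200
2025-10-02T09:35:55Z 10.1.4.60 https://www.example.com/index.html 200
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'teams-download[.]buzz' back into a hostname."""
    return indicator.replace("[.]", ".")


KNOWN_BAD = {refang(d) for d in REPORTED_DOMAINS}


def is_under(host: str, domain: str) -> bool:
    """True only for the domain itself or one of its subdomains.

    A plain host.endswith(domain) check would also accept 'evilmicrosoft.com',
    so the label boundary is enforced explicitly.
    """
    return host == domain or host.endswith("." + domain)


def is_trusted(host: str) -> bool:
    return any(is_under(host, d) for d in TRUSTED_DOMAINS)


def classify(url: str):
    """Return a reason string when the URL matches the lure pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if host in KNOWN_BAD:
        return "known-lure-domain"
    if filename == "msteamssetup.exe" and not is_trusted(host):
        return "teams-installer-from-untrusted-host"
    if "teams" in host and not is_trusted(host):
        # Lower-confidence signal: legitimate unrelated sites can contain "teams" too.
        return "teams-lookalike-host"
    return None


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text: str):
    """Return a list of (client_ip, host, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, url, _status = m.groups()
        reason = classify(url)
        if reason:
            hits.append((client, urlsplit(url).hostname, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

On the constructed log this reports three requests: the two hits on domains from Microsoft's list and the installer fetched from a mirror host that is not in the trusted list; the genuine-looking fetch from download.microsoft.com and the visit to teams.microsoft.com are left alone. The domain list will go stale as the actor rotates infrastructure, which is why the second rule (installer filename on an untrusted host) carries most of the durable value.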
Source: TheHackerNews. Edited by Bernie.