
Microsoft Thwarts Ransomware Attack on Teams Users

Summary

– Microsoft disrupted Rhysida ransomware attacks in early October by revoking over 200 malicious Teams installer certificates.
– Vanilla Tempest used fake Microsoft Teams domains and installers to distribute the Oyster backdoor through a late September malvertising campaign.
– The malicious installers deployed signed Oyster malware, enabling remote access, file theft, command execution, and additional payload drops.
– Vanilla Tempest is a financially motivated group that deploys ransomware like Rhysida and has targeted education, healthcare, IT, and manufacturing sectors since 2021.
– The FBI and CISA previously warned about Vanilla Tempest (as Vice Society) disproportionately targeting the U.S. education sector, including a breach of LAUSD in 2022.

Microsoft has successfully countered a significant ransomware campaign by invalidating more than two hundred digital certificates that were exploited to sign harmful Teams installation packages. This action in early October effectively blocked the Rhysida ransomware’s distribution network, which relied on these fraudulent certificates to appear legitimate. The threat actor, identified as Vanilla Tempest, orchestrated this scheme using deceptive domains that closely imitated the official Microsoft Teams platform. These counterfeit sites, with addresses like teams-install[.]top and teams-download[.]buzz, tricked users into downloading a malicious file named “MSTeamsSetup.exe”, identical to the genuine installer’s filename.

The attacks originated from a late September malvertising drive that manipulated search engine advertisements and search engine optimization tactics to promote fake Teams installers. Visitors to these spoofed websites encountered a prominent download button that delivered the tainted executable. Once activated, the installer launched a loader component which then deployed the signed Oyster backdoor. This malware, also recognized as Broomstick and CleanUpLoader, provided attackers with remote system access, enabling them to execute commands, exfiltrate sensitive files, and introduce further malicious software onto compromised Windows machines.

Vanilla Tempest began utilizing the Oyster backdoor in June 2025, and starting the following September, they employed Trusted Signing alongside code signing services from SSL.com, DigiCert, and GlobalSign to sign their malicious payloads. Oyster malware first appeared in mid-2023 and has been a tool in prior Rhysida ransomware incidents, often distributed through malvertising campaigns that impersonate trusted IT utilities such as PuTTY and WinSCP.
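The two checks a defender would pull out of the paragraphs above are (1) a Teams installer download from a host that is not a first-party Microsoft domain, especially a host whose name contains "teams", and (2) an installer whose code signature chains fine through a public CA but whose signer is not Microsoft. The following Python script, added here as an illustration and not code from Microsoft, Bleeping Computer, or any vendor, runs both checks over a constructed proxy log. The log format, the `FIRST_PARTY_DOMAINS` allowlist, the microsoft.com path and both signer subjects are assumptions; the lookalike hosts are the defanged ones the article names.

```python
"""Triage of installer downloads against the fake-Teams pattern described above
(constructed example; not code from Microsoft or from the article's source)."""
import re
from dataclasses import dataclass
from typing import Optional

# First-party domains a genuine Teams installer may legitimately come from.
# Assumption for this example; tune to the download sources your environment permits.
FIRST_PARTY_DOMAINS = ("microsoft.com", "office.com")

# A valid Authenticode chain from a public CA says nothing about *who* signed;
# the campaign used certificates issued through public signing services. So the
# check is on the signer's Organization, not on whether the chain validates.
EXPECTED_SIGNER_ORG = "Microsoft Corporation"

# Filename the fake installers copied from the real product.
INSTALLER_NAME = "msteamssetup.exe"

# Proxy log format is constructed: "<ts> <client> GET <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+GET\s+https?://(?P<host>[^/\s]+)(?P<path>/\S*)?\s+(?P<status>\d{3})$"
)


@dataclass
class DownloadEvent:
    timestamp: str
    client: str
    host: str
    filename: str
    signer_subject: Optional[str] = None  # from endpoint telemetry, when available


def refang(text: str) -> str:
    """Undo the defanging analysts use in reports ("[.]" for ".", "hxxp" for "http")."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def parse_proxy_line(line: str) -> Optional[DownloadEvent]:
    """Parse one constructed proxy line; return None for lines that do not match."""
    m = LOG_RE.match(refang(line.strip()))
    if not m:
        return None
    path = m.group("path") or "/"
    filename = path.rsplit("/", 1)[-1]
    return DownloadEvent(m.group("ts"), m.group("client"), m.group("host").lower(), filename)


def is_first_party(host: str) -> bool:
    """True when the host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def signer_org(subject: str) -> Optional[str]:
    """Pull the O= attribute out of a comma-separated subject DN."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "O":
            return value.strip()
    return None


def triage(event: DownloadEvent) -> list[str]:
    """Return the reasons this download looks like the fake-installer pattern."""
    findings = []
    is_installer = event.filename.lower() == INSTALLER_NAME
    if not is_first_party(event.host):
        if is_installer:
            findings.append("teams-installer-from-third-party-host")
        if "teams" in event.host:
            findings.append("teams-lookalike-host")
    if is_installer and event.signer_subject is not None:
        if signer_org(event.signer_subject) != EXPECTED_SIGNER_ORG:
            findings.append("installer-signed-by-unexpected-publisher")
    return findings


# Constructed sample data. Hosts are the defanged lookalikes named in the article;
# the microsoft.com path and both signer subjects are made up for the example.
SAMPLE_PROXY_LOG = """\
2025-10-02T10:15:22Z 10.0.0.5 GET https://teams-install[.]top/MSTeamsSetup.exe 200
2025-10-02T10:16:03Z 10.0.0.7 GET https://teams-download[.]buzz/dl/MSTeamsSetup.exe 200
2025-10-02T10:17:41Z 10.0.0.9 GET https://www.microsoft.com/example-path/MSTeamsSetup.exe 200
2025-10-02T10:18:05Z 10.0.0.9 GET https://www.microsoft.com/en-us/microsoft-teams 200
"""
SAMPLE_SIGNERS = {  # host -> signer subject seen on the fetched file (constructed)
    "teams-install.top": "CN=Example Signing LLC, O=Example Signing LLC, C=US",
    "www.microsoft.com": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, C=US",
}


def triage_log(log_text: str, signers: dict) -> dict[str, list[str]]:
    """Map each flagged host to its findings; clean events are left out."""
    results: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        ev = parse_proxy_line(line)
        if ev is None:
            continue
        ev.signer_subject = signers.get(ev.host)
        findings = triage(ev)
        if findings:
            results.setdefault(ev.host, []).extend(findings)
    return results


if __name__ == "__main__":
    for host, reasons in triage_log(SAMPLE_PROXY_LOG, SAMPLE_SIGNERS).items():
        print(host, "->", ", ".join(reasons))
```

On the sample data the two lookalike hosts are flagged (the `.top` one additionally for its non-Microsoft signer) and the first-party downloads produce nothing. The point of the signer check is that it compares the Organization in the subject against the expected publisher rather than asking whether the chain validates; a chain issued through a public signing service validates just as well for a criminal's certificate as for a legitimate one, which is exactly why Microsoft's remedy was revocation.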

According to Microsoft, Vanilla Tempest, also monitored by cybersecurity firms as VICE SPIDER and Vice Society, is a financially driven cybercriminal group specializing in ransomware deployment and data theft for extortion purposes. While this actor has historically used various ransomware families including BlackCat, Quantum Locker, and Zeppelin, their recent focus has shifted predominantly to Rhysida ransomware.

Active since at least June 2021, Vanilla Tempest has repeatedly targeted organizations across the education, healthcare, information technology, and manufacturing sectors. During its earlier operations under the Vice Society alias, the group was known for employing multiple ransomware variants, such as Hello Kitty/Five Hands and Zeppelin. In September 2022, the FBI and CISA released a joint cybersecurity advisory highlighting that Vice Society disproportionately attacked the U.S. education system, notably breaching the Los Angeles Unified School District, the nation’s second-largest school district.

(Source: Bleeping Computer)
