Microsoft cancels 200 certificates for malicious Teams installers

▼ Summary
– Microsoft revoked 200 software-signing certificates to disrupt Vanilla Tempest, a threat actor distributing malware disguised as the Microsoft Teams installer.
– Vanilla Tempest used fake Teams setup files on malicious domains and SEO poisoning to direct users to download sites, deploying loader malware and a signed Oyster backdoor.
– The group fraudulently signed their tools using services like Trusted Signing, SSL.com, DigiCert, and GlobalSign, with campaigns observed from late September 2025.
– Vanilla Tempest, active since 2021, aims to deploy ransomware such as Rhysida after data exfiltration for extortion, having previously used BlackCat and other strains.
– Microsoft Defender now detects the fake Teams files, Oyster backdoor, and Rhysida ransomware, while sharing intelligence to help the cybersecurity community mitigate attacks.
In a decisive move to protect users, Microsoft has revoked 200 software-signing certificates to disrupt a malicious campaign by the ransomware group known as Vanilla Tempest. This threat actor had been distributing malware disguised as the Microsoft Teams installer, tricking users into downloading harmful files from counterfeit websites. By invalidating these certificates, Microsoft effectively neutralized the group’s ability to sign and distribute their fraudulent software, safeguarding countless organizations from potential cyberattacks.
Vanilla Tempest employed deceptive domains that closely resembled legitimate Microsoft services, such as teams-download[.]buzz and teams-install[.]run. These sites hosted a malicious executable named MSTeamsSetup.exe, which was actually a loader designed to install the Oyster backdoor. Security experts note that the group likely used search engine optimization (SEO) poisoning to direct unsuspecting users to these fake download pages. The campaign, first identified in late September 2025, involved signed files that appeared authentic, increasing the likelihood of successful infections.
The group’s fraudulent signing activities leveraged several trusted certificate authorities, including Trusted Signing, SSL.com, DigiCert, and GlobalSign. Vanilla Tempest, also identified as VICE SPIDER or Vice Society, has been active since 2021 with a consistent focus on data theft and ransomware deployment. Historically, they have utilized BlackCat, Quantum Locker, and Zeppelin ransomware, but recent attacks show a shift toward the Rhysida strain. Their primary objective remains gaining access to organizational networks, exfiltrating sensitive data, and then deploying ransomware for financial extortion.
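A signed installer is only as trustworthy as its signer and the current revocation state of that certificate. The following PowerShell triage check is an added example, not code from the article, HelpNet Security or Microsoft: it reads the Authenticode signature of a downloaded installer, compares the signer subject with the publisher you expect, and builds the certificate chain with online revocation checking so a certificate the CA has since revoked (as Microsoft did with these 200) is flagged rather than silently accepted. The file path and the `CN=Microsoft Corporation` prefix are assumptions.

```powershell
# Added example (not from the article or Microsoft): triage a downloaded installer
# by checking its Authenticode signature, the signer identity, and whether the
# signing certificate chain is revoked. Path and publisher prefix are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedPublisher = 'CN=Microsoft Corporation'   # assumed subject prefix
)

$sig = Get-AuthenticodeSignature -FilePath $Path
$verdict = [ordered]@{
    File             = $Path
    SignatureStatus  = $sig.Status              # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer           = $sig.SignerCertificate.Subject
    Issuer           = $sig.SignerCertificate.Issuer
    PublisherMatches = $false
    Revoked          = $false
    ChainErrors      = @()
}

if ($sig.SignerCertificate) {
    $verdict.PublisherMatches = $sig.SignerCertificate.Subject.StartsWith($ExpectedPublisher)

    # Build the chain with online revocation checking (CRL/OCSP) so a certificate
    # the CA has since revoked shows up as 'Revoked' in the chain status.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($sig.SignerCertificate)
    $verdict.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $verdict.Revoked = $verdict.ChainErrors -contains 'Revoked'
    $chain.Dispose()
}

# Anything other than "valid signature, expected publisher, not revoked" is suspect
# and should be quarantined for investigation rather than executed.
$verdict.Suspect = ($sig.Status -ne 'Valid') -or (-not $verdict.PublisherMatches) -or $verdict.Revoked
[pscustomobject]$verdict
```

If the host cannot reach the CA's CRL or OCSP endpoints, `ChainErrors` will carry `RevocationStatusUnknown` or `OfflineRevocation` instead of `Revoked`; treat that as unverified, not as clean.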
Microsoft has enhanced its security products to provide robust protection against this threat. Microsoft Defender Antivirus now detects the fake Teams installers, the Oyster backdoor, and Rhysida ransomware, while Microsoft Defender for Endpoint identifies the specific tactics, techniques, and procedures (TTPs) employed by Vanilla Tempest. These improvements allow organizations to not only block attacks but also conduct thorough investigations into any suspicious activities. The company emphasized its commitment to sharing threat intelligence widely, aiming to bolster defensive measures across the entire cybersecurity community.
Earlier this month, Microsoft released detailed guidance for IT and security professionals on mitigating risks associated with attacks delivered through or exploiting Microsoft Teams. This advisory provides actionable steps to strengthen organizational security postures and prevent similar incidents. By combining technological defenses with informed security practices, businesses can significantly reduce their vulnerability to these sophisticated cyber threats.
(Source: HelpNet Security)