
Microsoft Nukes 200+ Fake Certificates in Teams Malware Attack

Summary

– Microsoft revoked over 200 fraudulently signed certificates used in fake Teams setup files to deliver malware and a backdoor.
– The group behind the campaign, tracked by Microsoft as Vanilla Tempest, is financially motivated and deploys ransomware such as Rhysida while exfiltrating data for extortion.
– Attackers used SEO poisoning and malvertising to lure victims to spoofed websites hosting fake Teams installers that delivered the Oyster backdoor.
– Vanilla Tempest fraudulently signed malicious tools using services like Trusted Signing, SSL.com, DigiCert, and GlobalSign starting in early September 2025.
– Microsoft Defender Antivirus blocks this threat, and the group has been active since at least 2021, targeting sectors such as healthcare and education.

Microsoft has taken decisive action by revoking more than two hundred fraudulent certificates that were exploited by cybercriminals to distribute malware through counterfeit Microsoft Teams installation files. This campaign, identified by Microsoft as Vanilla Tempest and known to other security experts as Vice Spider or Vice Society, was uncovered in late September. The financially motivated attackers behind the scheme focus on deploying ransomware and stealing sensitive data for extortion purposes.

The malicious operation involved fake Teams setup files that delivered the Oyster backdoor, which in turn was used to install Rhysida ransomware. In addition to Rhysida, the threat group has employed other ransomware families such as BlackCat, Quantum Locker, and Zeppelin in their attacks. To lure victims, the attackers used search engine optimization (SEO) poisoning and malvertising tactics, tricking users into downloading a malicious file named MSTeamsSetup.exe.

People searching online for “Teams download” were directed to fraudulent websites designed to look like official Microsoft pages. These deceptive domains included addresses like teams-download[.]buzz, teams-install[.]run, and teams-download[.]top. Microsoft’s investigation revealed that Vanilla Tempest began incorporating the Oyster backdoor into their attacks as early as June 2025, but started using fraudulent code signing for these tools in early September of the same year.

The group used several trusted code signing services, including Microsoft’s own Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign, to sign the fake installers and other post-compromise tools illegitimately. According to Microsoft, systems with fully enabled Microsoft Defender Antivirus are protected against this threat. Microsoft Defender for Endpoint also provides additional detection capabilities and guidance for mitigating and investigating related attacks.
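Because the installers in this campaign carried valid-looking signatures from trusted services, a signature check alone does not separate them from the real thing; the download origin does. The following detection, added here as an example and not part of the original article or any Microsoft tooling, scans constructed web-proxy log lines and flags Teams installer downloads that did not come from a Microsoft-owned host, using the spoofed domains quoted above as a known-bad list. The log format, the sample lines and the allowlist of trusted host suffixes are assumptions for this example.

```python
"""Flag Teams installer downloads that did not originate from a trusted host.

Hypothetical detection over constructed proxy log lines (example, not
Microsoft's own logic). The allowlist of legitimate download hosts and the
log format are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of Microsoft-owned host suffixes for Teams downloads.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com")

# Spoofed domains quoted in the article, de-fanged with "[.]" as published.
KNOWN_SPOOFED_DEFANGED = {
    "teams-download[.]buzz",
    "teams-install[.]run",
    "teams-download[.]top",
}

# Installer file name the campaign used, per the article.
INSTALLER_NAME = "msteamssetup.exe"

# Assumed log line shape: "<timestamp> <client-ip> GET <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET (?P<url>\S+) (?P<status>\d{3})$")


def refang(domain: str) -> str:
    """Turn a de-fanged indicator (teams-download[.]buzz) back into a hostname."""
    return domain.replace("[.]", ".").lower()


KNOWN_SPOOFED = {refang(d) for d in KNOWN_SPOOFED_DEFANGED}


def host_is_trusted(host: str) -> bool:
    """True only for an allowlisted suffix as a whole label boundary,
    so 'teams.microsoft.com.evil.test' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify(line: str):
    """Return an alert dict for a suspicious download, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped, not alerted on
    parsed = urlparse(m.group("url"))
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()

    reasons = []
    if host in KNOWN_SPOOFED:
        reasons.append("known spoofed domain")
    if filename == INSTALLER_NAME and not host_is_trusted(host):
        reasons.append("Teams installer served from untrusted host")
    if "teams" in host and not host_is_trusted(host):
        reasons.append("Teams lookalike hostname")

    if not reasons:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"),
            "host": host, "file": filename, "reasons": reasons}


def scan_log(text: str):
    """Classify every line and return the alerts in log order."""
    return [a for a in (classify(l) for l in text.splitlines()) if a]


# Constructed sample log: two spoofed-domain downloads, one legitimate-looking
# download (the microsoft.com path is invented for the example), one unrelated hit.
SAMPLE_LOG = """\
2025-09-15T10:02:11Z 10.0.0.12 GET https://teams-download.buzz/MSTeamsSetup.exe 200
2025-09-15T10:05:42Z 10.0.0.33 GET https://teams.microsoft.com/downloads/MSTeamsSetup.exe 200
2025-09-15T10:07:03Z 10.0.0.12 GET https://teams-install.run/download/MSTeamsSetup.exe 200
2025-09-15T10:09:19Z 10.0.0.45 GET https://example.org/index.html 200
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} -> {alert['host']}/{alert['file']}: "
              + "; ".join(alert["reasons"]))
```

The allowlist check matches on a label boundary, so a lookalike such as `teams.microsoft.com.evil.test` is not treated as Microsoft-owned. Pair this origin check with certificate revocation status on the endpoint: a signature from a legitimate signing service proves only who obtained the certificate, not that the binary is the vendor's.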

Vanilla Tempest has been highly active since at least 2021. Security researchers established connections between this group and Rhysida ransomware in 2023, following multiple incidents that impacted the U.S. healthcare sector. The previous year, the group carried out a series of ransomware campaigns targeting educational institutions in both the United Kingdom and the United States.

(Source: InfoSecurity Magazine)
