Microsoft has revoked more than 200 fraudulently obtained code-signing certificates used by the threat actor it tracks as Vanilla Tempest. The actor used them to sign malicious binaries, most visibly fake Microsoft Teams setup files that delivered the Rhysida ransomware.
Unveiling the Threat
Microsoft Threat Intelligence found the certificates on the signatures of fake Teams setup files. The installers dropped the Oyster backdoor, and the actor then used that access to deploy Rhysida ransomware on compromised systems. The signatures mattered because a signed installer clears the checks that many users and some security tools apply to unknown downloads.
Swift Countermeasures
Microsoft observed the activity in late September 2025. By early October it had revoked the certificates and updated its security products to detect the signed fake setup files, the Oyster backdoor and the Rhysida ransomware payload. Revocation alone is not a complete fix: a client that checks revocation offline, or not at all, can still treat an already-downloaded installer as validly signed, which is why the file-level detections were shipped alongside it.
Profile of the Adversary: Vanilla Tempest
Vanilla Tempest, previously tracked as Storm-0832 and also known as Vice Society and Vice Spider, is a financially motivated threat actor. Active since at least July 2022, the group has deployed several ransomware families, including BlackCat, Quantum Locker, Zeppelin and Rhysida.
The Oyster Backdoor: A Stealthy Intruder
The Oyster backdoor, also tracked as Broomstick and CleanUpLoader, is typically delivered through trojanized installers for widely used software such as Google Chrome and Microsoft Teams. The operators stand up download pages that imitate the vendor's own, so a user who arrives there from a search result installs the backdoor while believing they have installed the product.
Deceptive Distribution Tactics
In this campaign, Vanilla Tempest hosted the fake Microsoft Teams setup files on lookalike domains such as teams-download[.]buzz, teams-install[.]run and teams-download[.]top. The actor used search engine optimization (SEO) poisoning so that these sites ranked highly for Teams download searches, which is how victims reached them without clicking anything in an email.
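The lookalike-domain pattern above is easy to hunt for in proxy or DNS logs. The following PowerShell is an added example, not code from Microsoft, Blackpoint Cyber or this article: it flags requests whose host contains the Teams brand term but whose registrable domain is not Microsoft's. The allowlist of Microsoft domains is an assumption to adjust for your environment, the three known-bad domains are the ones named above, and the log lines are constructed for the example.

```powershell
# Added example (not code from Microsoft, Blackpoint or the article): flags
# requests to Teams-lookalike hosts in web proxy logs. The log lines are
# constructed; the allowlist is an assumption to adjust for your environment.

# Registrable domains Microsoft uses for Teams downloads (assumed allowlist).
$AllowedDomains = @('microsoft.com', 'office.com', 'office.net', 'microsoftonline.com')

# Lookalike domains named in the reporting on this campaign.
$KnownBadDomains = @('teams-download.buzz', 'teams-install.run', 'teams-download.top')

function Get-RegistrableDomain {
    param([Parameter(Mandatory)][string]$HostName)
    # Simplification: the last two labels. Use the Public Suffix List in
    # production so that hosts under co.uk, com.au etc. are handled correctly.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return $labels[0] }
    return ($labels[-2..-1] -join '.')
}

function Get-TeamsHostVerdict {
    param([Parameter(Mandatory)][string]$HostName)
    $registrable = Get-RegistrableDomain -HostName $HostName
    if ($KnownBadDomains -contains $registrable) { return 'known-malicious' }
    if ($AllowedDomains -contains $registrable)  { return 'allowed' }
    # Brand term present but the registrable domain is not Microsoft's:
    # the exact pattern the campaign relied on.
    if ($HostName -match 'teams') { return 'lookalike' }
    return 'unrelated'
}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
$LogLines = @(
    '2025-09-30T10:12:01Z 10.0.0.15 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200',
    '2025-09-30T10:13:44Z 10.0.0.15 GET https://teams-download.buzz/MSTeamsSetup.exe 200',
    '2025-09-30T10:14:02Z 10.0.0.22 GET https://teams-install.run/download/MSTeamsSetup.exe 200',
    '2025-09-30T10:15:10Z 10.0.0.31 GET https://msteams-client-download.example/MSTeamsSetup.exe 200',
    '2025-09-30T10:16:00Z 10.0.0.31 GET https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe 200'
)

$findings = foreach ($line in $LogLines) {
    if ($line -match '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>[A-Z]+)\s+(?<url>\S+)\s+(?<status>\d+)$') {
        $uri = [uri]$Matches['url']
        $verdict = Get-TeamsHostVerdict -HostName $uri.Host
        if (@('known-malicious', 'lookalike') -contains $verdict) {
            [pscustomobject]@{
                Time    = $Matches['ts']
                Client  = $Matches['client']
                Host    = $uri.Host
                Verdict = $verdict
            }
        }
    }
}

# Two known-malicious hits and one lookalike; the two Microsoft hosts are allowed.
$findings | Format-Table -AutoSize
```

The `lookalike` verdict is the one worth a detection rule: the known-bad list only covers domains already reported, while a brand term on a non-Microsoft registrable domain catches the next rotation of the same campaign.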
Exploitation of Code Signing Services
To make the installers and their post-compromise tools look legitimate, the actor obtained certificates from Microsoft's own Trusted Signing service and from SSL[.]com, DigiCert and GlobalSign, and signed its binaries with them. The defender's takeaway is that a valid Authenticode signature proves only that a CA issued a certificate to some identity and that the file has not been modified since signing; it does not prove that the identity is the vendor whose product the user believes they are installing. Issuance vetting at the CAs is the control that failed here, and consumers of signatures should not treat "signed" as equivalent to "from the expected publisher".
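The check a practitioner wants after reading this is one that goes beyond `Get-AuthenticodeSignature` reporting `Valid`. The following PowerShell is an added example, not Microsoft's or the article's code: it rebuilds the signer's chain with online revocation checking, then pins both the publisher subject and the root the chain terminates at. It assumes Windows with the Microsoft.PowerShell.Security module (Windows PowerShell 5.1 or PowerShell 7 on Windows); the expected subject and root names are Microsoft's current ones and should be confirmed against a known-good installer; the file path at the end is hypothetical.

```powershell
# Added example (not Microsoft's or the article's code): accept an installer
# only if it is signed by Microsoft, not merely signed by someone.
function Test-MicrosoftSignedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Status = $null; Signer = $null; Issuer = $null
        Root = $null; Verdict = 'reject'; Reason = $null
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status = $sig.Status
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (modified after signing), NotTrusted, ...
        $result.Reason = "Authenticode status is $($sig.Status)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    $result.Issuer = $cert.Issuer

    # Rebuild the chain with online revocation checking. The certificates in
    # this campaign were revoked after the fact, so an offline or cached check
    # can still report them as good.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if (-not $chain.Build($cert)) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $result.Reason = "chain build failed: $statuses"   # e.g. Revoked, RevocationStatusUnknown
        return [pscustomobject]$result
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result.Root = $root.Subject

    # A validly issued certificate from Trusted Signing, SSL.com, DigiCert or
    # GlobalSign passes every check above. Pin the publisher identity and the
    # root (assumed current Microsoft names; verify against a known-good file).
    if ($cert.Subject -notmatch '^CN=Microsoft Corporation,') {
        $result.Reason = 'signer is not Microsoft Corporation'
    } elseif ($root.Subject -notmatch '^CN=Microsoft Root Certificate Authority') {
        $result.Reason = 'chain does not terminate at a Microsoft root'
    } else {
        $result.Verdict = 'accept'
        $result.Reason = 'publisher and root are Microsoft'
    }
    return [pscustomobject]$result
}

# Hypothetical path; point it at the installer you actually downloaded.
Test-MicrosoftSignedInstaller -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe"
```

The root pin is the stronger of the two conditions: a CA that was fooled into issuing a certificate can in principle be fooled into issuing one with a misleading subject, but it cannot make its chain terminate at Microsoft's root. Revocation checking is also only as strong as the revocation's effective date relative to the signature's timestamp, which is another reason not to rely on `Valid` alone.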
Initial Disclosure and Broader Implications
Blackpoint Cyber first reported the campaign in September 2025, after observing that users searching for Microsoft Teams were being sent to fraudulent download pages that served a malicious setup file in place of the real client. The pattern is not new: SEO poisoning and malicious advertisements have been a recurring delivery method for malware posing as trusted software, and this campaign added valid code signatures on top of it.
Mitigation Strategies and Best Practices
The following practices reduce exposure to this kind of campaign:
1. Download software from the vendor's own site or a managed software catalog. Treat a download reached through a search result as untrusted until the URL's registrable domain is confirmed to belong to the vendor.
2. Be wary of sponsored results and advertisements in search engines, which are a common entry point for SEO poisoning and malvertising. Verify the site before downloading anything from it.
3. Deploy security tooling that can detect the fake installers, the Oyster backdoor and Rhysida, and use application control with publisher rules keyed to the expected signer identity rather than to "any validly signed file".
4. Keep software and operating systems patched, so that a foothold gained through a trojanized installer cannot be extended through known vulnerabilities.
5. Train users on how these campaigns actually look: a high-ranking search result, a convincing download page and a signed installer, none of which by itself indicates that the file is genuine.
Conclusion
Microsoft's revocation of more than 200 certificates used in the Rhysida campaign removed the actor's ability to keep using those identities, but the underlying lesson is broader: signed is not the same as trusted, and the lookalike-domain and SEO-poisoning techniques will be reused with fresh certificates. Organizations should pin what they trust to specific publishers and distribution channels, keep detections current, and treat a valid signature as one input rather than a verdict.