Microsoft Revokes Over 200 Fraudulent Certificates Used in Ransomware Attacks by Vanilla Tempest

Microsoft has announced that it has revoked more than 200 digital certificates that the threat actor it tracks as Vanilla Tempest used to fraudulently sign malicious binaries in ransomware attacks. The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said in a statement on X.

The campaign was first detected in late September 2025 and disrupted in early October 2025. Microsoft revoked the abused certificates and updated its security products to detect and block the fake installers, the Oyster backdoor, and the Rhysida ransomware payload.

Vanilla Tempest, formerly tracked as Storm-0832, is a financially motivated cybercriminal group also known as Vice Society and Vice Spider. Active since at least July 2022, the group has deployed several ransomware families over time, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.

The Oyster backdoor (also called Broomstick or CleanUpLoader) has been a recurring tool in the group’s operations. It is typically distributed through trojanized installers of popular software such as Google Chrome and Microsoft Teams, hosted on fake websites designed to look like the legitimate download pages.

“In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top,” Microsoft explained. “Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning.”

To sign the fraudulent installers, the attackers abused Microsoft’s Trusted Signing service as well as certificate services from SSL[.]com, DigiCert, and GlobalSign, according to Microsoft. Because the certificates were issued by trusted providers, the signatures validated on victims’ machines until the certificates were revoked.

The campaign was first detailed by Blackpoint Cyber, which observed that users searching for Microsoft Teams were being redirected to counterfeit pages offering malicious installers in place of the legitimate application.

“This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software,” the company stated. “Threat actors are exploiting user trust in search results and well-known brands to gain initial access.”

Security experts advise users to download software only from official or verified sources and to avoid clicking suspicious ads or links in search results. A valid digital signature is not by itself proof that a download is genuine: the installers in this campaign carried signatures that validated until the certificates were revoked, so the publisher named in the signature and the domain the file came from both need to be checked.
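The check a practitioner would want before running a downloaded installer, as an added example (this is not Microsoft’s or Blackpoint Cyber’s code, and the page does not describe any specific tooling): verify the Authenticode signature, require the expected publisher subject rather than merely “signed”, and rebuild the signer’s certificate chain with an online revocation check so that a certificate revoked after the file was downloaded is rejected. The file path and the expected Microsoft subject string are assumptions for illustration; read the real subject off a known-good binary from the same publisher before relying on it.

```powershell
# Added example, not code from the original page or from Microsoft.
# Assumptions (illustrative only): the installer path and the expected
# publisher subject string below.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\MSTeamsSetup.exe",
    [string]$ExpectedSubject = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function New-Verdict {
    param([string]$Path, [string]$Verdict, [string]$Reason, $Cert = $null, [string]$Sha256 = '')
    [pscustomobject]@{
        Path       = $Path
        Verdict    = $Verdict
        Reason     = $Reason
        Signer     = if ($Cert) { $Cert.Subject } else { '' }
        Thumbprint = if ($Cert) { $Cert.Thumbprint } else { '' }
        SHA256     = $Sha256
    }
}

function Test-InstallerSignature {
    param([string]$Path, [string]$ExpectedSubject)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Verdict -Path $Path -Verdict 'FAIL' -Reason 'file not found'
    }

    # Step 1: the embedded Authenticode signature must verify against the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return New-Verdict -Path $Path -Verdict 'FAIL' `
            -Reason "signature status $($sig.Status): $($sig.StatusMessage)"
    }
    $cert = $sig.SignerCertificate

    # Step 2: a valid signature from the wrong publisher is exactly what this
    # campaign produced, so match the subject, not just "has a valid signature".
    if ($cert.Subject -ne $ExpectedSubject) {
        return New-Verdict -Path $Path -Verdict 'FAIL' -Cert $cert `
            -Reason "signer subject does not match expected publisher"
    }

    # Step 3: rebuild the chain with online revocation checking (CRL/OCSP) for
    # every certificate in it, so a signer the CA has since revoked fails here
    # even if a cached chain validation would still pass.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        }) -join '; '
        return New-Verdict -Path $Path -Verdict 'FAIL' -Cert $cert `
            -Reason "chain validation failed ($reasons)"
    }

    # Record the file hash so the verdict can be cross-checked against a
    # vendor-published or previously trusted hash for the same release.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return New-Verdict -Path $Path -Verdict 'PASS' -Cert $cert -Sha256 $sha256 `
        -Reason 'signature valid, publisher matches, chain builds with online revocation'
}

Test-InstallerSignature -Path $Path -ExpectedSubject $ExpectedSubject | Format-List
```

Two caveats on the design: the chain is rebuilt at the current time, so an older, legitimately time-stamped installer whose signing certificate has since expired will fail step 3; that is acceptable for vetting a file downloaded today but not for auditing an archive of old binaries. And a PASS only means the file was signed by the expected publisher with a certificate that is not currently revoked; it says nothing about where the file was downloaded from, so the source domain still has to be one the vendor actually uses.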
