Microsoft recently revealed that it invalidated over 200 certificates utilized by a threat actor identified as Vanilla Tempest to falsely sign malicious files in ransomware assaults.
These certificates were employed in counterfeit Teams installation files to distribute the Oyster backdoor and subsequently deploy the Rhysida ransomware, as per the Microsoft Threat Intelligence team’s announcement.
The tech company took action to disrupt this malicious activity earlier this month, following its detection in late September 2025. Alongside revoking the certificates, Microsoft’s security solutions have been updated to detect the signatures linked to the fake setup files, Oyster backdoor, and Rhysida ransomware.
Vanilla Tempest, previously known as Storm-0832, is a financially motivated threat actor also referred to as Vice Society and Vice Spider. This actor has been active since at least July 2022, disseminating various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida throughout the years.
Oyster, alternatively known as Broomstick and CleanUpLoader, is a backdoor commonly distributed through trojanized installers for popular software like Google Chrome and Microsoft Teams. This distribution is carried out via deceptive websites that users encounter when searching for these programs on search engines like Google and Bing.
Microsoft noted that Vanilla Tempest utilized fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, such as teams-download[.]buzz, teams-install[.]run, or teams-download[.]top, in this campaign. Users are likely directed to these malicious download sites through search engine optimization (SEO) manipulation.
To sign these installers and other tools post-compromise, the threat actor reportedly utilized Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.
The details of this campaign were initially disclosed by Blackpoint Cyber, emphasizing how users searching for Teams online were redirected to fraudulent download pages offering a malicious MSTeamsSetup.exe instead of the genuine client.
Microsoft pointed out that this activity underscores the ongoing exploitation of SEO poisoning and malicious advertisements to distribute backdoors disguised as legitimate software. Threat actors leverage user trust in search results and reputable brands to gain initial access.
To mitigate such risks, it is recommended to download software exclusively from verified sources and refrain from clicking on suspicious links presented through search engine ads.
