Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks.
The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said in a post shared on X.
The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025. In addition to revoking the certificates, its security solutions have been updated to flag the signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware.
Vanilla Tempest (formerly Storm-0832) is the name given to a financially motivated threat actor also called Vice Society and Vice Spider that’s assessed to be active since at least July 2022, delivering various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida over the years.
Oyster (aka Broomstick and CleanUpLoader), on the other hand, is a backdoor that’s often distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams using bogus websites that users stumble upon when searching for the programs on Google and Bing.
“In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top,” Microsoft said. “Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning.”
To sign these installers and other post-compromise tools, the threat actor is said to have used Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.
Details of the campaign were first disclosed by Blackpoint Cyber last month, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client.
“This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software,” the company said. “Threat actors are exploiting user trust in search results and well-known brands to gain initial access.”
To mitigate such risks, it’s advised to download software only from verified sources and avoid clicking on suspicious links served via search engine ads.
