Microsoft announced that it had revoked more than 200 digital certificates abused by the Vanilla Tempest threat group.
The revocation disrupted an ongoing campaign in which attackers impersonated the Microsoft Teams installer to gain a foothold in corporate networks and deploy ransomware.
The operation, uncovered in late September, highlights the evolving tactics of ransomware operators who use legitimately signed, legitimate-looking software to bypass security defenses.
Vanilla Tempest, also tracked by other vendors as VICE SPIDER and Vice Society, has become a persistent threat in the ransomware landscape.
This financially motivated actor specializes in data exfiltration for extortion, often pairing theft with encryption to maximize payouts.
Over time, the group has used a variety of ransomware strains, including BlackCat, Quantum Locker, and Zeppelin. In recent months, however, Rhysida ransomware has become its weapon of choice, with attacks against the healthcare, education, and manufacturing sectors aimed at high-impact disruption.
Fake Teams Downloads Via Search Engines
The latest campaign targeted users searching for the official Microsoft Teams installer. Attackers hosted counterfeit MSTeamsSetup.exe files on look-alike domains such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.
These sites likely gained traction through search engine optimization (SEO) poisoning, in which manipulated search rankings steer victims to the malicious download instead of Microsoft's own distribution points.
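One place this campaign is visible to defenders is the web-proxy log: a request for MSTeamsSetup.exe from any host that is not Microsoft's own CDN is worth a look. The following PowerShell is an added example, not code from the article or from Microsoft. The log layout, the sample lines, and the allowlist of Microsoft host suffixes are constructed assumptions; adapt the field split and the allowlist to your proxy and tenant. It generalizes beyond the three domains named above by flagging any non-allowlisted host serving the installer file name, rather than matching a fixed blocklist.

```powershell
# Added example (not from the article or Microsoft): hunt a web-proxy log for
# MSTeamsSetup.exe downloads that did not come from a Microsoft-controlled host.
# The log format, the sample lines and the allowlist below are assumptions.

# Constructed sample lines in a simple "time client method url status bytes" layout.
# The three look-alike domains are the ones the campaign used; the first line is
# the legitimate Teams CDN and the fourth is the Teams product page.
$SampleLog = @'
2025-10-02T09:14:03Z 10.20.4.17 GET https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe 200 182340112
2025-10-02T09:31:45Z 10.20.4.22 GET https://teams-download.buzz/MSTeamsSetup.exe 200 2480311
2025-10-02T10:02:11Z 10.20.5.9 GET https://teams-install.run/download/MSTeamsSetup.exe 200 2480311
2025-10-02T10:05:50Z 10.20.4.22 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200 51233
2025-10-02T10:40:19Z 10.20.6.31 GET https://teams-download.top/MSTeamsSetup.exe 200 2480311
'@

# Hosts that legitimately serve Teams installers (assumption: extend for your tenant).
$AllowedHostSuffixes = @('microsoft.com', 'office.net', 'office.com')

function Test-AllowedHost {
    param([string]$HostName)
    foreach ($suffix in $AllowedHostSuffixes) {
        # Match the apex or a real subdomain only; "office.net.evil.example"
        # or "notmicrosoft.com" must NOT pass.
        if ($HostName -eq $suffix -or $HostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Find-SuspiciousTeamsDownloads {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 5) { continue }
        $url = $fields[3]
        # Only requests for the installer file name the campaign reused.
        if ($url -notmatch '/MSTeamsSetup(?:_[\w-]+)?\.exe(\?|$)') { continue }
        $uri = [System.Uri]$url
        if (-not (Test-AllowedHost $uri.Host)) {
            [pscustomobject]@{
                Time   = $fields[0]
                Client = $fields[1]
                Host   = $uri.Host
                Url    = $url
                Reason = 'Teams installer fetched from non-Microsoft host'
            }
        }
    }
}

$hits = Find-SuspiciousTeamsDownloads -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
# With the sample above this reports the .buzz, .run and .top downloads and
# leaves the CDN download and the product-page visit alone.
```

The suffix check is deliberately strict about the dot boundary: a bare substring match on "office.net" would wave through an attacker-registered "office.net-update.example", which is the same brand-trust trick the campaign relied on.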
"In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware. We identified this… pic.twitter.com/FeTitSrTbi" — Microsoft Threat Intelligence (@MsftSecIntel), October 15, 2025
Once executed, the bogus installers ran a multi-stage payload. An initial loader dropped the Oyster backdoor, a versatile implant that Vanilla Tempest began integrating into its operations as early as June 2025.
By early September, the group had raised its stealth by fraudulently signing these backdoors and loaders with certificates obtained or misused from reputable providers including Trusted Signing, SSL.com, DigiCert, and GlobalSign.
A valid Authenticode signature lent the files an air of authenticity, helping them pass both antivirus checks and user scrutiny. From there, the infection chain culminated in Rhysida ransomware deployment, encrypting files and demanding payment while exfiltrating sensitive data for leverage.
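The practical lesson of the signing step is that "signed" is not the same as "from Microsoft". The following PowerShell is an added example, not code from the article or from Microsoft; it checks a downloaded installer three ways: the Authenticode signature verifies, the signer subject is the one you expect, and the signing certificate's chain still passes an online revocation check at the time you run it. The file path and the expected subject pattern are assumptions; confirm the exact subject against a known-good copy of the official installer before relying on the pattern.

```powershell
# Added example (not from the article or Microsoft): verify an installer's
# Authenticode signature, the signer identity and current revocation status.
# $Path and $ExpectedSubjectPattern are assumptions to adapt for your environment.

function Test-TeamsInstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the genuine installer is signed by "CN=Microsoft Corporation, ...".
        [string]$ExpectedSubjectPattern = '^CN=Microsoft Corporation,'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        Issuer        = $null
        Thumbprint    = $null
        ChainStatus   = 'NotChecked'
        Trusted       = $false
    }

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Unsigned, hash mismatch or untrusted chain: reject immediately.
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Issuer     = $cert.Issuer
    $result.Thumbprint = $cert.Thumbprint

    # Rebuild the chain with online revocation checking required for every
    # certificate in it. If the CRL/OCSP endpoint is unreachable, Build()
    # fails closed instead of silently accepting the certificate.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    $result.ChainStatus = if ($chainOk) { 'Valid' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }

    # A valid signature from the wrong signer is exactly what this campaign
    # produced: real CAs, fraudulently obtained certificates, non-Microsoft subjects.
    $subjectOk = $cert.Subject -match $ExpectedSubjectPattern
    $result.Trusted = $chainOk -and $subjectOk
    return [pscustomobject]$result
}

# Usage (assumed download location):
# Test-TeamsInstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

The explicit chain build matters because Authenticode honours timestamps: a signature countersigned before a certificate's revocation date can still report Valid to the signature check alone, whereas building the chain now, with revocation set to Online, surfaces a Revoked status for the certificates Microsoft pulled. Checking the subject closes the other gap, since a chain from SSL.com or DigiCert can be entirely valid and still belong to an attacker.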
Microsoft's response went beyond certificate revocation. Microsoft Defender Antivirus now detects and blocks the fake setup files, the Oyster backdoor, and the Rhysida ransomware variants used in the campaign.
For enterprise customers, Microsoft Defender for Endpoint adds behavioral detections tailored to Vanilla Tempest's tactics, techniques, and procedures (TTPs), including anomalous network activity and privilege escalation.
The incident underscores the risk of supply chain-style attacks delivered through everyday software installers and updates. As remote work tools like Teams remain essential, attackers continue to exploit trust in familiar brands.
Microsoft's revocation prevented further abuse of the compromised certificates, but the same tactic can resurface with freshly obtained certificates from other signing authorities, so the signer identity, not merely the presence of a valid signature, is what defenders should verify.