Microsoft Revokes 200 Fake Certificates Abused in Rhysida Ransomware Attacks

Microsoft has taken decisive action against a cyber campaign linked to the Rhysida ransomware group by revoking more than 200 fraudulent code-signing certificates. These certificates were misused by a threat actor known as Vanilla Tempest to disguise malicious software as legitimate Microsoft Teams installers.

Discovery and Disruption

According to the Microsoft Threat Intelligence team, the malicious activity was detected in late September 2025 and subsequently disrupted earlier this month. The revoked certificates had been used to sign fake Teams setup files, which secretly delivered the Oyster backdoor—malware designed to deploy Rhysida ransomware on compromised systems.

Microsoft confirmed that its security solutions have been updated to detect and block these fake digital signatures associated with the campaign, preventing further infections.

About Vanilla Tempest and Oyster Backdoor

Vanilla Tempest, previously known as Storm-0832, is a financially motivated cyber group also identified by other names such as Vice Society and Vice Spider. The group has been active since at least July 2022, launching ransomware attacks using strains like BlackCat, Quantum Locker, Zeppelin, and Rhysida.

The Oyster backdoor—also referred to as Broomstick or CleanUpLoader—is typically distributed through trojanized installers for popular applications such as Google Chrome and Microsoft Teams. Attackers create fake download websites, tricking users who search for software on Google or Bing.

Deceptive Techniques

In this campaign, Vanilla Tempest hosted fake Teams installers (MSTeamsSetup.exe) on malicious domains designed to mimic Microsoft’s official download pages. These domains included teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.

Attackers relied heavily on SEO poisoning, a tactic that manipulates search results to display malicious pages at the top, making them appear trustworthy. Unsuspecting users were then redirected to these fraudulent download portals, where malware was silently installed.

Abuse of Trusted Signing Services

The threat actor reportedly used Trusted Signing and several legitimate certificate authorities (CAs) such as SSL[.]com, DigiCert, and GlobalSign to sign their malicious tools. By doing this, they made the malware appear authentic, bypassing basic security checks.
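A valid-looking signature from a legitimate CA is not proof that an installer is genuine, and a certificate that was valid at download time may since have been revoked. The following PowerShell function is an added example (not code from the article, Microsoft or any vendor named above) that a defender can run against a downloaded installer: it reads the Authenticode signature, rebuilds the certificate chain with online CRL/OCSP revocation checking, and flags a signer subject that is not Microsoft. The file path and the subject-matching heuristic are assumptions for illustration.

```powershell
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    # Read the embedded Authenticode signature. Status tells us whether the
    # signature itself is intact (Valid, NotSigned, HashMismatch, ...).
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate

    $result = [ordered]@{
        File              = $FilePath
        SignatureStatus   = $sig.Status
        Subject           = $null
        Issuer            = $null
        Thumbprint        = $null
        ChainBuilt        = $false
        ChainStatus       = @()
        Revoked           = $false
        SignedByMicrosoft = $false
    }

    if ($null -ne $cert) {
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.Thumbprint = $cert.Thumbprint
        # Heuristic (assumption): a genuine Teams installer is signed by Microsoft,
        # not by whatever organisation a CA happened to issue a certificate to.
        $result.SignedByMicrosoft = $cert.Subject -match 'Microsoft Corporation'

        # Rebuild the chain and query revocation status for every certificate in it,
        # so a signer certificate revoked after the file was signed is reported explicitly.
        $ns    = 'System.Security.Cryptography.X509Certificates'
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainBuilt  = $chain.Build($cert)
        $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $result.Revoked = @($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag }).Count -gt 0
        $chain.Dispose()
    }
    [PSCustomObject]$result
}

# Assumed path for illustration; point this at the installer you want to inspect.
Test-InstallerSignature -FilePath "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

Treat any of SignatureStatus not Valid, Revoked set to True, ChainBuilt False, or SignedByMicrosoft False as a reason not to run the file; the chain check needs network access to reach the CA's CRL/OCSP endpoints.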

The campaign was initially exposed by Blackpoint Cyber, which warned that users searching for “Microsoft Teams download” were being diverted to fake websites hosting malware instead of legitimate installers.

Preventive Recommendations

This campaign demonstrates how cybercriminals exploit user trust in search results and famous brand names to gain system access. To stay protected:

  • Always download software from official or verified sources.
  • Avoid clicking ads or sponsored links that appear in search results.
  • Ensure endpoint protection and browsers are updated to detect SEO-based threats.

Microsoft has already revoked the fake certificates and strengthened its security detection systems to prevent further abuse.