Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign
Briefly

"Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were "used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware," the Microsoft Threat Intelligence team said in a post shared on X. The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025."
"Oyster (aka Broomstick and CleanUpLoader), on the other hand, is a backdoor that's often distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams using bogus websites that users stumble upon when searching for the programs on Google and Bing. "In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top," Microsoft said. "Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning.""
Microsoft revoked more than 200 code-signing certificates tied to Vanilla Tempest after detecting that they were being used to fraudulently sign malware. The certificates signed fake Microsoft Teams installers (MSTeamsSetup.exe) that delivered the Oyster backdoor and ultimately led to the deployment of Rhysida ransomware. Microsoft detected the campaign in late September 2025, disrupted it in October 2025, and updated its security products to flag the malicious signatures. Vanilla Tempest, also tracked as Vice Society/Vice Spider, has deployed multiple ransomware families since 2022. The campaign relied on trojanized installers hosted on lookalike download sites that victims reached through SEO poisoning, and the actor abused Microsoft's Trusted Signing service as well as SSL.com, DigiCert, and GlobalSign to obtain the code-signing certificates.
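A practical check for the scenario above: a signed installer is not the same as an installer signed by the vendor you expected, and a signature that validated last week may rest on a certificate that has since been revoked. The PowerShell function below is an added example, not code from the article or from Microsoft; it reads a file's Authenticode signature, confirms the signer subject is Microsoft's, and rebuilds the signer's chain with online CRL/OCSP revocation checking so a revoked certificate fails regardless of when the file was signed. The file path, the expected subject string, and the property names of the returned object are assumptions for illustration.

```powershell
# Added example (not from the article): verify a downloaded installer's Authenticode
# signature, confirm the expected signer, and re-check revocation online.
function Test-SignedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed expected signer subject prefix; adjust for other vendors.
        [string] $ExpectedSubject = 'CN=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File            = $Path
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $null
        SignerMatches   = $false
        ChainValid      = $false
        ChainErrors     = @()
        Trusted         = $false
    }

    if ($sig.SignerCertificate) {
        $result.Signer        = $sig.SignerCertificate.Subject
        $result.SignerMatches = $sig.SignerCertificate.Subject -like "$ExpectedSubject,*"

        # Rebuild the chain as of now with online revocation checking for every
        # certificate in it. X509Chain verifies at the current time, so a signer
        # certificate that was revoked after the file was signed still fails here.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Require the Code Signing extended key usage (OID 1.3.6.1.5.5.7.3.3).
        $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))

        $result.ChainValid  = $chain.Build($sig.SignerCertificate)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }

    # Only trust the file when the signature is intact, the signer is who we expect,
    # and the chain (including revocation) still checks out today.
    $result.Trusted = ($sig.Status -eq 'Valid') -and $result.SignerMatches -and $result.ChainValid
    [pscustomobject]$result
}

# Usage (the path is an assumption for illustration):
# Test-SignedInstaller -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

Two things to watch when using this: an installer signed with a certificate issued to some other organisation will show `SignatureStatus = Valid` but `SignerMatches = $false`, which is exactly the case the fake Teams setup files described above fall into; and on a host without outbound access to CRL/OCSP endpoints the chain build reports `RevocationStatusUnknown` or `OfflineRevocation` in `ChainErrors`, so `ChainValid` being `$false` there reflects a missing check rather than a confirmed revocation.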
Read at The Hacker News