Microsoft announced on Wednesday that it has significantly disrupted a cyberattack campaign executed by a threat group it tracks as Vanilla Tempest, whose ultimate goal was the deployment of the notorious Rhysida ransomware. This group, also known by aliases such as Vice Spider and Vice Society, has been active since at least 2021 and is most recognized for its aggressive ransomware attacks targeting organizations in the education and healthcare sectors. While Vice Society operated its own leak website until 2023, its disappearance roughly coincided with the emergence of Rhysida ransomware. Prior to this, the group was known to utilize various file encryptors, including BlackCat, Quantum Locker, and Zeppelin, but recently has overwhelmingly favored the Rhysida payload in its operations.
The core of Microsoft’s countermeasure involved the swift disruption of the Vanilla Tempest campaign in early October by revoking more than 200 certificates that the cybercriminals were using to fraudulently sign their malware. According to the tech giant, the hackers were using these certificates to sign fake Microsoft Teams setup files. These malicious installers were designed to covertly install a backdoor named Oyster, which would then be used as the primary mechanism to deliver the final Rhysida ransomware payload to the compromised network. This use of legitimate-looking, signed files helps the malware evade detection and bypass security measures that rely on verifying software authenticity.
The fraudulent Teams installers were being distributed through various deceptive websites, including domains such as ‘teams-download.buzz’ and ‘teams-install.run’. It is highly probable that victims were directed to these malicious sites through the technique of SEO poisoning, where the threat actors manipulate search engine results to rank their malicious pages highly for common search queries. When a victim ran one of these fake setup files, it executed a loader designed to download a digitally signed version of the Oyster backdoor. Vanilla Tempest has been using the Oyster backdoor since at least June 2025, but the cybercriminals only began signing the backdoor files in early September to increase their malicious tools’ legitimacy.
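The two lure domains named above are the most concrete indicators in this report, so a defender's first move is to hunt for them in web proxy logs. The script below is an added example for that hunt; it is not Microsoft's tooling or anything from the original reporting. It flags any request to the two domains (or their subdomains) and, as a heuristic that is an assumption of this example rather than a finding of the article, also flags hosts that mention "teams" but are not under a Microsoft-operated suffix. The log lines and the trusted-suffix list are constructed for the example.

```python
"""Hunt proxy logs for downloads from fake Teams installer domains."""
import re
from urllib.parse import urlsplit

# Lure domains named in the reporting above.
KNOWN_LURE_DOMAINS = {"teams-download.buzz", "teams-install.run"}

# Assumption (not from the article): suffixes a genuine Teams download is
# expected to come from. Other hosts mentioning "teams" are lookalike candidates.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com")

# Constructed sample log lines: "<epoch> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1728000001 10.1.2.3 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200
1728000002 10.1.2.4 GET https://teams-download.buzz/TeamsSetup.exe 200
1728000003 10.1.2.5 GET https://teams-install.run/download/TeamsSetup.exe 200
1728000004 10.1.2.6 GET https://cdn.teams-updates.example/TeamsSetup.exe 200
1728000005 10.1.2.7 GET https://teams.microsoft.com/ 200
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def host_of(url):
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def under_suffix(host, suffix):
    """True if host is the suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def classify(host):
    """Label a host: known_lure, trusted, lookalike or unclassified."""
    if any(under_suffix(host, d) for d in KNOWN_LURE_DOMAINS):
        return "known_lure"
    if any(under_suffix(host, s) for s in TRUSTED_SUFFIXES):
        return "trusted"
    if "teams" in host:
        return "lookalike"
    return "unclassified"


def hunt(log_text):
    """Parse log lines and return the requests worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than crash mid-hunt
            continue
        _, client, _, url, _ = m.groups()
        host = host_of(url)
        verdict = classify(host)
        if verdict in ("known_lure", "lookalike"):
            hits.append({"client": client, "host": host, "url": url, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['verdict']:<11} {hit['client']:<10} {hit['url']}")
```

Matches on the known lure domains are the high-confidence hits; the lookalike verdict is only a triage hint, since the article notes the actors were steering victims to their sites via SEO poisoning, so similar-looking domains beyond the two named are plausible but unconfirmed.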
Microsoft detailed the sophistication of the threat actor’s operation, noting that to fraudulently sign the fake installers and their post-compromise tools, Vanilla Tempest was observed utilizing a wide array of legitimate services. The group was observed leveraging Trusted Signing, as well as code signing services from companies including SSL[.]com, DigiCert, and GlobalSign. This tactic of using multiple legitimate services highlights the effort the threat group puts into making their malicious software appear trustworthy to both users and automated security systems. The revocation of these certificates by Microsoft immediately negates that effort.
Microsoft’s action makes the malware distributed by Vanilla Tempest significantly easier for security products to detect and block, since the revoked certificates no longer lend the files a valid signature. While the immediate operational impact on the cybercrime group is expected to be considerable, the long-term effectiveness of the disruption is yet to be seen. Given the group’s history and resources, it is highly anticipated that the threat actors will rapidly work to re-arm with new certificates and may only need to make slight modifications to their current tactics to resume their criminal activities.