Microsoft has successfully disrupted a serious cyberattack campaign orchestrated by the Vanilla Tempest threat group in early October 2025.
The tech giant revoked over 200 fraudulent certificates that the cybercriminals had used to sign fake Microsoft Teams setup files, which had been designed to deliver the Oyster backdoor and deploy Rhysida ransomware on victim systems.
Discovery and Response to the Threat
Microsoft security researchers discovered this Vanilla Tempest campaign in late September 2025 after tracking several months of suspicious activity involving fraudulently signed binary files.
The company took swift action by not only revoking the malicious certificates but also ensuring that Microsoft Defender Antivirus can detect the fake setup files, the Oyster backdoor, and Rhysida ransomware.
Additionally, Microsoft Defender for Endpoint now identifies the specific tactics, techniques, and procedures used by Vanilla Tempest in their attacks.
Vanilla Tempest operates as a financially motivated cybercriminal group, also tracked by various security vendors under the names VICE SPIDER and Vice Society.
The threat actor specializes in deploying ransomware and stealing sensitive data for extortion purposes.
Throughout their operational history, they have used several ransomware variants including BlackCat, Quantum Locker, and Zeppelin, but have recently focused primarily on deploying Rhysida ransomware.
The attack campaign relied on sophisticated social engineering techniques to trick users into downloading malicious software.
Vanilla Tempest created fake MSTeamsSetup.exe files and hosted them on fraudulent domains that closely mimicked legitimate Microsoft Teams websites, such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.
Security researchers believe that potential victims were directed to these malicious download sites through search engine optimization (SEO) poisoning, a technique that manipulates search engine results to display malicious links prominently.
When victims executed the fake Microsoft Teams setup files, the malware delivered a loader that subsequently installed a fraudulently signed Oyster backdoor on their systems.
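As an added example, not code from the article or from Microsoft, the following Python hunt scans constructed web-proxy log lines for the two lure patterns described above: Teams-lookalike download hosts, and Teams installer downloads served from hosts outside an assumed allowlist of Microsoft domains. The log format, the allowlist, the client addresses and the sample lines are assumptions; only the lure domain names come from the article.

```python
import re
from urllib.parse import urlsplit

# Hosts assumed legitimate for Teams installer downloads (assumption, tune to your tenant).
TRUSTED_SUFFIXES = (".microsoft.com", ".office.com", ".office.net")
# Installer-style filename, e.g. MSTeamsSetup.exe, at the end of the URL path.
INSTALLER_RE = re.compile(r"(?:^|/)(?:ms)?teams[^/]*setup[^/]*\.exe$", re.I)
# Hostname built from "teams" plus a download/install/setup token, as in the lure domains.
LOOKALIKE_RE = re.compile(r"(?:^|[.-])teams[-.](?:download|install|setup)", re.I)

# Constructed proxy log lines (timestamp, client, url); not taken from the article.
SAMPLE_LOG = """\
2025-10-02T09:14:03Z 10.0.4.21 https://teams-download.buzz/MSTeamsSetup.exe
2025-10-02T09:15:11Z 10.0.4.22 https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe
2025-10-02T09:17:40Z 10.0.4.23 https://teams-install.run/download/MSTeamsSetup.exe
2025-10-02T09:18:02Z 10.0.4.24 https://teams-download.top/
2025-10-02T09:20:55Z 10.0.4.25 https://www.example.com/docs/readme.pdf
"""

def is_trusted_host(host):
    """True when host is one of, or a subdomain of, the allowlisted Microsoft domains."""
    host = host.lower().rstrip(".")
    return any(host == suffix[1:] or host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)

def classify(url):
    """Return the reasons a request looks like a fake-installer lure (empty list if clean)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    reasons = []
    if LOOKALIKE_RE.search(host) and not is_trusted_host(host):
        reasons.append("lookalike-teams-host")
    if INSTALLER_RE.search(path) and not is_trusted_host(host):
        reasons.append("installer-from-untrusted-host")
    return reasons

def scan(log_text):
    """Return (client, url, reasons) for every suspicious line in a proxy log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        reasons = classify(fields[2])
        if reasons:
            hits.append((fields[1], fields[2], reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

The genuine CDN download in the sample is left alone because its host falls under the allowlist; the lookalike hosts are flagged even when they serve only a landing page.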
Investigation revealed that Vanilla Tempest began incorporating Oyster into their attack campaigns as early as June 2025, but only started fraudulently signing these backdoors in early September 2025.
To make their malicious software appear legitimate, Vanilla Tempest abused several trusted code signing services.
The threat actors were observed using Microsoft's Trusted Signing service, along with certificates from SSL[.]com, DigiCert, and GlobalSign, to fraudulently sign both fake installers and post-compromise tools.
Microsoft emphasized that fully enabled Microsoft Defender Antivirus successfully blocks this threat.
The company has also provided additional guidance through Microsoft Defender for Endpoint to help organizations mitigate and investigate this attack.
While noting that these protections secure its customers, Microsoft released this threat intelligence publicly to help strengthen cybersecurity defenses across the broader security community.