    Microsoft disrupts ransomware attacks targeting Teams users

    By big tee tech hub | October 16, 2025

    Microsoft disrupted a wave of Rhysida ransomware attacks in early October by revoking over 200 certificates used to sign malicious Teams installers.

    Vanilla Tempest, the threat group behind the attacks, used domains that mimic Microsoft Teams, such as teams-install[.]top, teams-download[.]buzz, teams-download[.]top, and teams-install[.]run, to distribute fake MSTeamsSetup.exe files that infected victims with the Oyster backdoor.

    These attacks were part of a late September malvertising campaign that used search engine ads and SEO poisoning to push fake Microsoft Teams installers that backdoored Windows devices with Oyster malware (also known as Broomstick and CleanUpLoader).


    The ads and the domains led to websites that impersonated the Microsoft Teams download site. Clicking the prominently displayed download link downloads a file named “MSTeamsSetup.exe,” the same filename used by the official Teams installer.
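
    The delivery pattern described above can be hunted for in web proxy logs. The following is an added example, not code from Microsoft or from the original article: it matches the four lookalike domains the article names and also flags any download of a file called MSTeamsSetup.exe from a host outside an allowlist. The allowlist suffixes, the log layout and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Lookalike domains named in the article, kept defanged as published.
ARTICLE_IOCS = ["teams-install[.]top", "teams-download[.]buzz",
                "teams-download[.]top", "teams-install[.]run"]
# Assumption: suffixes treated as genuine Microsoft download hosts.
# Replace with the baseline verified for your own environment.
TRUSTED_SUFFIXES = ("microsoft.com", "office.net")
INSTALLER_NAME = "msteamssetup.exe"  # filename the fake installers reuse

def refang(indicator):
    """Turn a defanged indicator such as a[.]b into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

BLOCKED = {refang(d) for d in ARTICLE_IOCS}

def host_matches(host, domain):
    # Exact match or true subdomain; a bare endswith() would also accept
    # unrelated hosts such as "notmicrosoft.com".
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'ioc', 'suspicious-installer' or 'ok' for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if any(host_matches(host, d) for d in BLOCKED):
        return "ioc"
    trusted = any(host_matches(host, s) for s in TRUSTED_SUFFIXES)
    if filename == INSTALLER_NAME and not trusted:
        return "suspicious-installer"
    return "ok"

# Constructed proxy log lines (timestamp, client IP, URL); not real telemetry.
SAMPLE_LOG = "\n".join([
    f"2025-10-01T09:14:02Z 10.0.4.17 https://{refang(ARTICLE_IOCS[0])}/MSTeamsSetup.exe",
    f"2025-10-01T09:15:40Z 10.0.4.22 https://dl.{refang(ARTICLE_IOCS[1])}/get/MSTeamsSetup.exe?src=ad",
    "2025-10-01T09:20:11Z 10.0.4.31 https://downloads.example.net/tools/msteamssetup.exe",
    "2025-10-01T09:21:55Z 10.0.4.31 https://www.microsoft.com/en-us/microsoft-teams/download-app",
    "2025-10-01T09:30:03Z 10.0.4.40 https://teams.microsoft.com.example.org/MSTeamsSetup.exe",
])

def scan(log_text):
    """Return (client, host, verdict) for every log line that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, url = line.split(maxsplit=2)
        verdict = classify(url)
        if verdict != "ok":
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits
```

    URL matching only covers the delivery stage. Because the installers in this campaign were signed, the signer identity of any MSTeamsSetup.exe found on an endpoint should be checked as well.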


    Upon execution, the malicious Teams installers launched a loader that deployed the signed Oyster malware, granting the threat actors remote access to the infected systems and allowing them to steal files, execute commands, and drop additional malicious payloads.


    [Image: Fake Microsoft Teams download site (Blackpoint)]


    Vanilla Tempest has been using the Oyster backdoor since June 2025 and, starting in September 2025, has leveraged Trusted Signing alongside code signing services from SSL.com, DigiCert, and GlobalSign.


    This malware, first spotted in mid-2023, was also used in previous Rhysida attacks to breach corporate networks and is commonly spread via malvertising that impersonates IT tools like PuTTY and WinSCP.


    “Vanilla Tempest, tracked by other security vendors as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion,” Microsoft said.

    “The threat actor has used various ransomware payloads, including BlackCat, Quantum Locker, and Zeppelin, but more recently has been primarily deploying Rhysida ransomware.”

    Active since at least June 2021, Vanilla Tempest has frequently attacked organizations in the education, healthcare, IT, and manufacturing sectors. While active as Vice Society, the threat actor was known to use multiple ransomware strains, including Hello Kitty/Five Hands and Zeppelin ransomware.

    Three years ago, in September 2022, the FBI and CISA issued a joint advisory warning that Vice Society disproportionately targeted the U.S. education sector after the cybercrime gang breached Los Angeles Unified (LAUSD), the second-largest school district in the United States.

