In a significant move against cybercrime, Microsoft recently disrupted a surge of ransomware attacks targeting users of Microsoft Teams. In early October, the company revoked over 200 certificates that had been used to digitally sign malicious installers aimed at Teams users. The revocations curtailed the activities of the threat group known as Vanilla Tempest, which has been linked to the Rhysida ransomware.
“Vanilla Tempest, tracked by other security vendors as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion,” Microsoft explained. This warning highlights the group's ongoing malicious initiatives, which have placed numerous organizations at risk.
The attackers utilized fraudulent domains resembling Microsoft Teams, including teams-install[.]top and teams-download[.]buzz. These domains hosted fake installers named "MSTeamsSetup.exe," which were designed to infect victims' systems with the Oyster backdoor. Victims lured in by the campaign unwittingly downloaded these files, believing they were legitimate.

This wave of attacks followed a broader malvertising effort that began in late September, leveraging SEO manipulation and search engine advertisements to guide potential victims to counterfeit Microsoft Teams download sites. Clicking on the prominently displayed download link would initiate a series of events that ultimately led to the installation of the malicious software.
Upon executing these deceptive installers, users unwittingly activated a loader that installed the signed Oyster malware, allowing cybercriminals to gain remote access to affected systems. This access enabled them to steal sensitive files, execute commands, and introduce additional malicious code. “The threat actor has used various ransomware payloads, including BlackCat, Quantum Locker, and Zeppelin, but more recently has been primarily deploying Rhysida ransomware,” Microsoft noted.

By the Numbers
According to records, the Oyster backdoor, observed since mid-2023, has been a consistent part of Vanilla Tempest’s arsenal. Since September 2025 the group has relied on Trusted Signing and on code-signing services from reputable providers such as SSL.com, DigiCert, and GlobalSign, masking its malicious intent with legitimate-looking credentials.
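As an added example (not from the article, Microsoft, or the threat actor's tooling), the following PowerShell triage check shows what a defender can do with a downloaded installer like the fake "MSTeamsSetup.exe" described above: it verifies the Authenticode signature, forces an online revocation check of the signing chain (the mechanism the certificate revocations act through), and then checks the signer identity, since a valid signature from any reputable CA proves only that someone obtained a certificate. The default file path and the expected subject prefix are assumptions.

```powershell
# Added example: triage one downloaded installer before anyone runs it.
# The default path and the expected signer subject are assumptions, not values from the article.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\MSTeamsSetup.exe",
    [string]$ExpectedSubjectPrefix = 'CN=Microsoft Corporation'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. The embedded signature must verify at all (unsigned or tampered files stop here).
if ($sig.Status -ne 'Valid') {
    Write-Output "BLOCK: signature status $($sig.Status) - $($sig.StatusMessage)"
    return
}
$cert = $sig.SignerCertificate

# 2. Build the chain with an online revocation check over every certificate.
#    A cached or offline chain can still pass after the issuer has revoked the leaf,
#    which is exactly the state the revoked signing certificates are in.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk  = $chain.Build($cert)
$statuses = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '

# 3. Signer identity: the genuine Teams installer is signed by Microsoft, not by an
#    arbitrary subject that merely holds a certificate from a public CA.
$signerOk = $cert.Subject -like "$ExpectedSubjectPrefix*"

$verdict = if ($chainOk -and $signerOk) { 'ALLOW' } else { 'BLOCK/INVESTIGATE' }

[pscustomobject]@{
    File          = $Path
    SignerSubject = $cert.Subject
    Issuer        = $cert.Issuer
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    ChainBuilt    = $chainOk
    ChainStatus   = $statuses
    SignerIsMS    = $signerOk
    Verdict       = $verdict
}
```

Run it from a non-privileged session on the downloaded file only; a `ChainStatus` containing `Revoked`, or a signer subject that is not Microsoft, is reason to quarantine the file and pull the download host from proxy logs.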
Despite the recent disruption, Vanilla Tempest has been active in the cybercrime landscape for years, particularly targeting sectors such as education, healthcare, IT, and manufacturing. “Active since at least June 2021, Vanilla Tempest has frequently attacked organizations,” said a cybersecurity analyst. These attacks can have devastating consequences, particularly in sensitive sectors where breaches can expose private data.
In a previous alert, the FBI and CISA had issued advisories highlighting Vice Society's disproportionate targeting of the U.S. education sector, revealing a pattern of behavior that included notable breaches such as the Los Angeles Unified School District hack in September 2022. “Three years ago, in September 2022, the FBI and CISA issued a joint advisory warning that Vice Society disproportionately targeted the U.S. education sector,” said the analyst, stressing the importance of vigilance in protecting these vulnerable organizations.
As cybersecurity threats continue to evolve, Microsoft’s proactive measures signify a crucial step in securing user safety. The company’s actions not only target immediate vulnerabilities but also send a broader message about the importance of vigilance against cybersecurity threats. Their commitment to protecting users will likely remain a pivotal focus, ensuring that everyone can engage in digital communication safely and securely.
Going forward, the cybersecurity community must remain vigilant against evolving tactics employed by groups like Vanilla Tempest. With ever-changing threats, a collaborative approach to security—between organizations, tech companies, and law enforcement—will be vital in countering these malicious actors and safeguarding sensitive information.