Microsoft revokes 200 certs used to sign malicious Teams installers
By revoking 200 software-signing certificates, Microsoft has hampered the activities of Vanilla Tempest, a ransomware-wielding threat actor that has been targeting organizations with malware posing as Microsoft Teams.
“In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top. Users are likely directed to malicious download sites using SEO poisoning,” the company’s threat intelligence team shared.
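A quick way to hunt for this activity in web proxy logs, as an added example (this is not code from the article or from Microsoft): the three domains quoted above are matched exactly, and a generalized pattern additionally flags any teams-download, teams-install or teams-setup host outside microsoft.com, plus any MSTeamsSetup.exe fetched from a non-Microsoft host. The pattern, the log format and the log lines are constructed for this example; the teams-setup[.]xyz line is a made-up host that exercises the pattern, not a published indicator.

```powershell
# Added example, not from the article or Microsoft. The three entries in $KnownBad are the
# domains Microsoft named; $LookalikePattern is an assumed generalization of them.
$KnownBad = @('teams-download.buzz', 'teams-install.run', 'teams-download.top')
$LookalikePattern = '^teams-(download|install|setup)\.[a-z0-9-]+$'

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
# teams-setup.xyz is a hypothetical host included only to exercise the pattern.
$SampleLog = @'
2025-09-29T10:14:02Z 10.0.4.17 GET https://teams.microsoft.com/downloads 200
2025-09-29T10:15:41Z 10.0.4.17 GET https://teams-download.buzz/MSTeamsSetup.exe 200
2025-09-29T10:16:05Z 10.0.4.23 GET https://teams-install.run/MSTeamsSetup.exe 200
2025-09-29T10:17:30Z 10.0.4.31 GET https://teams-setup.xyz/MSTeamsSetup.exe 200
2025-09-29T10:18:12Z 10.0.4.31 GET https://cdn.example.net/files/MSTeamsSetup.exe 200
2025-09-29T10:19:44Z 10.0.4.31 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200
'@ -split '\r?\n'

function Find-TeamsLookalikes {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 4) { continue }

        try { $uri = [uri]$fields[3] } catch { continue }   # skip unparsable URLs
        $hostName = $uri.Host.ToLowerInvariant()
        $isMicrosoft = $hostName -match '(^|\.)microsoft\.com$'

        # Most specific reason first: published IOC, then the lookalike naming pattern,
        # then the installer file name served from anywhere that is not Microsoft.
        $reason = $null
        if ($KnownBad -contains $hostName) {
            $reason = 'published IOC'
        }
        elseif ($hostName -match $LookalikePattern) {
            $reason = 'lookalike host pattern'
        }
        elseif (-not $isMicrosoft -and $uri.AbsolutePath -match 'MSTeamsSetup\.exe$') {
            $reason = 'MSTeamsSetup.exe from non-Microsoft host'
        }

        if ($reason) {
            [pscustomobject]@{
                Time   = $fields[0]
                Client = $fields[1]
                Host   = $hostName
                Path   = $uri.AbsolutePath
                Reason = $reason
            }
        }
    }
}

Find-TeamsLookalikes -Lines $SampleLog | Format-Table -AutoSize
```

Run against the constructed log, the two microsoft.com lines pass and the other four are reported, each with the most specific reason that applied. The third rule is the noisiest (legitimate mirrors and software-distribution shares will trigger it), so treat it as a lead for review rather than an automatic block.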
The campaign
In this latest campaign, spotted by Microsoft’s researchers in late September 2025, Vanilla Tempest used signed files made to look like the official Teams installer.
The files were actually loader malware that downloaded a signed Oyster backdoor.
According to the threat analysts, Vanilla Tempest began incorporating Oyster into their attacks as early as June 2025, but started fraudulently signing these backdoors in early September 2025.
“To fraudulently sign the fake installers and post-compromise tools, Vanilla Tempest was observed using Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign,” they shared.
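Because the installers in this campaign carried genuine, valid signatures from certificates the attackers obtained themselves, "is it signed?" is the wrong question; "who signed it, and is that certificate still good?" is the one that matters. The following PowerShell check, an added example that is not code from Microsoft or from the article, answers it for a file claiming to be the Teams installer: it requires a valid Authenticode signature, a signer subject of Microsoft Corporation, and a chain that still builds with online revocation checking for every certificate. The download path in the usage line is an assumption.

```powershell
# Added example (not code from Microsoft or the article): decide whether a file that
# claims to be the Teams installer is really signed by Microsoft. A valid Authenticode
# signature alone proves only that the file was not altered after signing; the signer
# identity and the revocation status of the chain are what separate Microsoft's own
# installer from one signed with a certificate an attacker obtained.
function Test-TeamsInstallerSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    $verdict = { param($v, $r) [pscustomobject]@{ Path = $Path; Verdict = $v; Reason = $r } }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned') {
        return & $verdict 'REJECT' 'file is not signed'
    }
    if ($sig.Status -ne 'Valid') {
        # HashMismatch: modified after signing. NotTrusted: chain does not end in a trusted root.
        return & $verdict 'REJECT' "signature status $($sig.Status): $($sig.StatusMessage)"
    }

    $signer = $sig.SignerCertificate
    if ($signer.Subject -notmatch '(^|,\s*)CN=Microsoft Corporation(,|$)') {
        return & $verdict 'REJECT' "validly signed, but not by Microsoft: $($signer.Subject)"
    }

    # Rebuild the chain ourselves with online revocation checking for every certificate,
    # rather than relying on the cmdlet's Status alone, so a leaf the CA has since revoked
    # (as Microsoft did for the certificates in this campaign) fails here even though the
    # signature bytes still verify.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the code-signing extended key usage (id-kp-codeSigning, 1.3.6.1.5.5.7.3.3).
    $codeSigningEku = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.3'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)

    if (-not $chain.Build($signer)) {
        $problems = ($chain.ChainStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        return & $verdict 'REJECT' "chain did not validate: $problems"
    }

    return & $verdict 'ACCEPT' "valid Microsoft signature, signer thumbprint $($signer.Thumbprint)"
}

# Usage: the path is an assumption for this example; point it at the downloaded file.
Test-TeamsInstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

The check is deliberately strict: it rejects any signer other than Microsoft Corporation, so it is a test for this one file, not a general software-allowlisting policy. Because the chain is built at the current time with revocation consulted, a file signed before a certificate was revoked is rejected once the revocation is published, regardless of any countersigned timestamp; the host needs network access to the CA's CRL or OCSP endpoints for that step to be meaningful, and a chain that fails for "RevocationStatusUnknown" should be treated as a rejection, not a pass.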
Vanilla Tempest (aka VICE SPIDER or Vice Society) has been active since 2021. Its end goal is to deploy ransomware in victim organizations after first exfiltrating their data, so that the stolen data can be used for extortion alongside the encryption.
Over the years, the group used BlackCat, Quantum Locker, and Zeppelin ransomware, but lately it has switched to primarily deploying the Rhysida strain.
Additional action by Microsoft
Microsoft Defender Antivirus now detects the fake MS Teams setup files, the Oyster backdoor, and Rhysida ransomware. Microsoft Defender for Endpoint detects Vanilla Tempest's tactics, techniques, and procedures (TTPs), which should help organizations investigate and mitigate the attack, the company said.
“While these protections help secure our customers, we’re sharing this intelligence broadly to help strengthen defenses and improve resilience across the entire cybersecurity community,” they added.
Earlier this month, Microsoft’s analysts published guidance for IT and security teams on mitigating the risk of attacks delivered via or leveraging Microsoft Teams.