Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
In early October 2025, Microsoft stopped a large malicious operation attributed to the Vanilla Tempest group, revoking more than 200 digital certificates used to fraudulently sign Microsoft Teams installation files.
These fake packages served as a vector to spread the Oyster backdoor and, later, the Rhysida ransomware .
The campaign was discovered in late September 2025 , after months of activity in which the threat actor had exploited seemingly legitimate binaries.
In response, Microsoft Defender Antivirus has updated its signatures to recognize and block both fake Teams installers and the malware involved, while Microsoft Defender for Endpoint has been strengthened to detect tactics, techniques, and procedures (TTPs) typical of Vanilla Tempest.
Vanilla Tempest, also known by the aliases VICE SPIDER or Vice Society in other security reports, is a financially motivated cybercriminal group. Its operations focus on ransomware attacks and the theft of sensitive data for extortion purposes. Over time, it has deployed several payloads, including BlackCat , Quantum Locker , and Zeppelin , but in recent months it has focused primarily on Rhysida .
During the campaign, the criminals spread several fake files named MSTeamsSetup.exe , hosted on malicious domains that simulated official Microsoft Teams sites, such as teams-download[.]buzz , teams-install[.]run , and teams-download[.]top .
Users were allegedly directed to these sites through SEO poisoning attacks , a technique that manipulates search engine results to make infected domains appear among the top results.
Once executed, the fake installer generated a loader that in turn installed Oyster , a backdoor already employed by Vanilla Tempest as of June 2025 , but which the group began fraudulently digitally signing as of September 2025 .
To give the distributed files the appearance of legitimacy, Vanilla Tempest abused Trusted Signing services and certificate authorities SSL[.]com , DigiCert , and GlobalSign , thus initially managing to bypass security controls.
Microsoft has stated that Defender Antivirus , when fully enabled, can block the entire attack chain . Additionally, Defender for Endpoint provides analysis and mitigation tools to help organizations investigate potential compromises.
The company publicly shared the technical details of the operation to strengthen cooperation within the cybersecurity community and improve the collective ability to respond to these types of threats.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
