Microsoft has taken aggressive steps to disrupt a surge in malicious activity targeting users of its collaboration platform, Microsoft Teams. To break up a widespread ransomware campaign, the company revoked more than 200 code-signing certificates used by the threat actor it tracks as Vanilla Tempest (also known as Vice Society or Vice Spider). The actor used these fraudulently obtained certificates to sign fake Microsoft Teams installers that were laced with the Oyster backdoor and ultimately intended to deliver Rhysida ransomware.
The revocation was aimed not only at crippling the immediate operation but also at restoring trust in the code-signing ecosystem, an increasingly common point of abuse in sophisticated attacks: a valid signature from a recognized CA is often enough to get a binary past signature checks and allow-listing controls that treat "signed" as "safe".
Fraudulent Teams Installers Weaponized With Code Signing Abuse
The campaign orchestrated by Vanilla Tempest employed an increasingly popular method of distribution: search engine optimization (SEO) poisoning. By manipulating search engine results and creating fake domains such as `teams-download[.]buzz`, `teams-install[.]run`, and `teams-install[.]top`, the attackers tricked users into downloading malicious Microsoft Teams setup files.
When unsuspecting victims launched the fake installers, they ran a binary that carried a valid Authenticode signature. The attackers achieved this not by forging signatures but by obtaining real code-signing certificates from well-known certificate authorities (CAs) and signing services, including Trusted Signing (Microsoft's own signing service), SSL[.]com, DigiCert, and GlobalSign, so the files passed ordinary signature validation.
Short-Lived Certificates Used as Evasion Mechanism
An example reported on September 25, 2025, by The Cortex Protocol revealed that some of the certificates were valid for extraordinarily short lifespans, sometimes just two days. In one case, a setup file signed under the name "KUTTANADAN CREATIONS INC." passed signature-based security checks. Microsoft Defender's Attack Surface Reduction (ASR) policies blocked the command-and-control (C2) communications in some environments, indicating that ASR configurations played a significant role in early detection.
These short-lived but valid signatures let the attackers rotate certificates and re-sign payloads quickly, so that by the time one certificate had been reported and revoked, the next sample was already signed with a fresh one. One caveat for defenders: a short validity period is not by itself proof of abuse. Microsoft's Trusted Signing service deliberately issues certificates that are valid for only a few days and relies on timestamped signatures to keep legitimately signed binaries verifiable afterwards, so certificate lifespan is a triage signal to combine with the signer's identity, the file's origin and its behavior, not a blocking rule on its own.
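The following PowerShell function is an added example, not code from the article, from Microsoft, or from any of the reporting it cites. It shows the kind of triage a defender can run on a downloaded installer before allowing it: read the Authenticode signature, flag a signing certificate with an unusually short validity window, compare the signer to the publisher expected for the product, and force an online revocation check of the chain so that a certificate revoked after the file was downloaded is still caught. The 30-day threshold and the expected-publisher string are illustrative assumptions. It also serves the later lesson about monitoring certificate lifespan.

```powershell
# Added example (not from the original article or from Microsoft). Assumes Windows
# PowerShell 5.1 or later; the threshold and expected publisher are illustrative.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher CN expected for this product; Teams is published by Microsoft Corporation.
        [string] $ExpectedSubject = 'CN=Microsoft Corporation',
        # Certificates valid for fewer days than this are flagged for review (assumed threshold).
        [int] $MinLifetimeDays = 30
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        $findings.Add('File is unsigned')
    } else {
        # Lifespan of the leaf certificate: short windows are a triage signal, not proof.
        $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays
        if ($lifetime -lt $MinLifetimeDays) {
            $findings.Add("Signing certificate valid for only $([math]::Round($lifetime, 1)) days " +
                          "($($cert.NotBefore) to $($cert.NotAfter))")
        }

        # The signer must be the publisher you expect, not merely "some CA-issued identity".
        if ($cert.Subject -notlike "*$ExpectedSubject*") {
            $findings.Add("Signer '$($cert.Subject)' does not match expected publisher '$ExpectedSubject'")
        }

        # Re-validate the chain with online revocation checking (CRL/OCSP) so a certificate
        # revoked since the file was obtained is reported rather than silently accepted.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        if (-not $chain.Build($cert)) {
            foreach ($s in $chain.ChainStatus) {
                $findings.Add("Chain: $($s.Status) - $($s.StatusInformation.Trim())")
            }
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Suspicious = $findings.Count -gt 0
        Findings   = $findings
    }
}

# Usage (path is an assumed location of a downloaded installer):
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

A `Suspicious` result is a reason to look at the file's origin and behavior, not an automatic verdict: a legitimately signed Trusted Signing binary will trip the lifespan check, while a malicious installer signed yesterday with a fresh certificate and not yet revoked will pass the chain check. The value of the function is that it surfaces signer identity, issuer and lifespan together, which is what an analyst needs in order to decide whether "signed" actually means "trusted".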
Oyster Backdoor Opens the Door for Rhysida Ransomware
At the core of these attacks was the delivery of the Oyster backdoor, an advanced malware strain also known by aliases such as Broomstick and CleanUpLoader. Upon installation of the fake Teams client, a malicious DLL named `CaptureService.dll` was dropped under the user's AppData directory (`%APPDATA%\Roaming`). Persistence was maintained using a scheduled task named "CaptureService," configured to execute the payload every 11 minutes.
Once active, Oyster provided Vanilla Tempest actors with remote access to the compromised machine, enabling:
- Execution of arbitrary commands
- Deployment of additional malicious payloads
- File exfiltration and eventual ransomware detonation
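As an added example (not code from the article, from Microsoft, or from any published detection rule), the following PowerShell function hunts for the persistence pattern described above: a scheduled task that launches a DLL from the user's AppData\Roaming folder on a short repetition interval. The task name and DLL name are the ones the article reports; the 15-minute ceiling and the rundll32/regsvr32 loader pattern are assumptions chosen for illustration, and a hit is a candidate for review rather than a confirmed infection.

```powershell
# Added example (not from the original article or from Microsoft). Assumes the
# ScheduledTasks module on Windows 10/11 and an elevated session so that tasks of all
# users are visible; the interval ceiling is an assumed value.
function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Repetition intervals at or below this many minutes are reported as short (assumed).
        [int] $MaxIntervalMinutes = 15
    )

    foreach ($task in Get-ScheduledTask) {
        $reasons = [System.Collections.Generic.List[string]]::new()

        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)"

            # A DLL loaded from the roaming profile via rundll32/regsvr32 is the loader
            # shape reported for this campaign; legitimate software rarely persists this way.
            if ($cmd -match '(?i)\\AppData\\Roaming\\.*\.dll' -and $cmd -match '(?i)rundll32|regsvr32') {
                $reasons.Add("Loads a DLL from the roaming profile: $cmd")
            }
            if ($cmd -match '(?i)CaptureService\.dll') {
                $reasons.Add('References CaptureService.dll')
            }
        }
        if ($task.TaskName -eq 'CaptureService') {
            $reasons.Add('Task name matches the reported persistence task')
        }

        # Only tasks whose command line or name matched are reported; the repetition
        # interval is recorded as supporting context, because many benign tasks also
        # repeat frequently and an interval-only rule would be far too noisy.
        if ($reasons.Count -eq 0) { continue }

        $intervals = foreach ($trigger in $task.Triggers) {
            $iso = $trigger.Repetition.Interval          # ISO 8601 duration, e.g. PT11M
            if ($iso) { [System.Xml.XmlConvert]::ToTimeSpan($iso).TotalMinutes }
        }
        $shortInterval = @($intervals | Where-Object { $_ -le $MaxIntervalMinutes }).Count -gt 0
        if ($shortInterval) {
            $reasons.Add("Repeats every $($intervals -join '/') minutes")
        }

        [pscustomobject]@{
            TaskPath      = $task.TaskPath
            TaskName      = $task.TaskName
            Author        = $task.Author
            Command       = ($task.Actions | Where-Object { $_.Execute } |
                             ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            RepeatMinutes = @($intervals)
            Reasons       = $reasons
        }
    }
}

# Usage: run elevated, review each hit together with the DLL's signature and hash.
# Find-SuspiciousScheduledTask | Format-List
```

The same logic maps directly onto an EDR or SIEM query over scheduled-task creation events: match on a DLL path under the roaming profile plus a loader binary, then use the repetition interval and task name as corroborating fields rather than as the primary condition.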
The Oyster malware has previously surfaced in campaigns that impersonated legitimate IT administrative tools like PuTTY and WinSCP. This latest incarnation adds another layer of deception by cloning the look and feel of Microsoft’s legitimate software.
Microsoft’s Response: Certificate Revocation and Enhanced Detection
Microsoft’s multi-pronged response included revoking over 200 certificates associated with this threat activity, across all involved CAs. They also rolled out enhancements to their security products to recognize and respond to:
- Fraudulent installers of Microsoft Teams
- Variants of the Oyster backdoor
- The Rhysida ransomware payload
Microsoft has emphasized that these coordinated revocation and detection measures aim to dismantle the threat infrastructure and prevent ongoing exploitation. The company also urges users and organizations to download software only from official sources and to be especially cautious of search engine results: sponsored results and ads can be bought by attackers, and organic results can be manipulated through SEO poisoning.
Strategic and Operational Lessons for Enterprise Defenders
This campaign underscores several pressing challenges and lessons for enterprise security teams:
- Certificate Trust Model Breakdown: The abuse of legitimately issued code-signing certificates shows that it is not enough to check that a file is signed. Defenders need to validate who the signer is, whether that identity is the expected publisher, and how the signer behaves over time.
- Malvertising Meets Malware: SEO poisoning and paid search ads were the initial infection vector. Relying on users to distinguish legitimate links from fakes is an increasingly weak line of defense; blocking downloads of installers from anywhere but approved sources removes the decision from the user.
- Role of ASR and EDR: Microsoft Defender's ASR policies and endpoint detection and response (EDR) telemetry played a crucial role in identifying malicious patterns, such as the scheduled-task persistence and C2 traffic, and preventing deeper compromise.
- Importance of Certificate Lifespan Monitoring: Treating ultra-short-lived certificates and anomalous signing behavior as review signals can reduce the window in which a freshly signed payload goes unchallenged. Because some legitimate signing services issue short-lived certificates by design, lifespan should raise the scrutiny applied to a file rather than block it outright.
- User Awareness and Hygiene: Social engineering remains a vital component of successful malware distribution. Security awareness training should emphasize the risks of locating software downloads through search engines rather than vendor sites or an internal software catalog.
Conclusion: Certificate Revocation Alone Isn’t Enough
While Microsoft's revocation of over 200 fraudulent certificates significantly disrupted Vanilla Tempest's operations, this case highlights a recurring tension between trust and verification in digital certificate ecosystems. As malware campaigns become more nimble, combining SEO manipulation with weaponized installers signed using "trusted" certificates, defenders must move toward layered, behavior-based detection and rapid response processes rather than treating a valid signature as a clean bill of health.
Ultimately, revoked certificates and hardened defenses may slow adversaries like Vanilla Tempest, but their demonstrated ability to obtain and rotate trusted certificates shows that certificate hygiene, endpoint visibility, and continuous threat detection are critical pillars of modern cybersecurity.