In early October 2025, Microsoft executed a targeted disruption against Vanilla Tempest—the threat actor also tracked as Vice Society—after uncovering a streamlined, high-impact campaign that deployed Rhysida ransomware through a cleverly staged infection chain. The operation leaned on SEO poisoning to funnel victims searching for “Microsoft Teams” installers to attacker-controlled domains (e.g., teams-download[.]buzz, teams-install[.]run). Once downloaded and launched, the fake Teams setup quietly pulled down a digitally signed copy of the Oyster backdoor, a foothold Vanilla Tempest has leveraged since at least mid-2023. With Oyster running, the actors had the persistent access needed to drop their endgame: Rhysida.
What made this campaign unusually slippery wasn’t a zero-day—it was trust. Vanilla Tempest abused code-signing to cloak both the lure and post-compromise tooling, fraudulently obtaining signatures from reputable providers including Trusted Signing, DigiCert, GlobalSign, and SSL[.]com. Signed binaries blended into enterprise environments, sidestepping application controls and reputation-based defenses that often flag or throttle unsigned executables. By spreading their bets across multiple certificate authorities, the group complicated blocklists and stretched the window of undetected activity.
Microsoft’s counterpunch was decisive: more than 200 certificates were revoked, immediately degrading the campaign’s ability to evade detection and making malicious binaries far easier for defenders to quarantine. While this revocation spree dealt a material blow to Vanilla Tempest’s infrastructure and tooling, seasoned defenders know the story doesn’t end here. Financially motivated crews adapt. Expect the group to pursue fresh certificates, tweak their SEO poisoning playbooks, and continue targeting sectors where urgency and downtime risk are highest—especially education and healthcare, Vice Society’s longstanding hunting grounds.
For security teams, the disrupted campaign is a blueprint of the group’s current TTPs and a reminder that trust anchors (like code signing) are a critical attack surface. Prioritize browser and DNS filtering to blunt SEO-poisoning funnels, enforce publisher allowlists and certificate pinning where feasible, and watch for the telltale sequence: suspicious software acquisition → signed loader execution → Oyster C2 beacons → Rhysida staging. Treat “signed” as not synonymous with safe; validation must include reputation, issuance timing, and anomalous publisher metadata. Microsoft’s revocations bought defenders time—use it to harden controls, refine detections, and pressure the adversary’s next move.
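The detection sequence recommended above (lookalike download, signed loader execution, child process beaconing out) can be expressed as a small correlation rule. The Python below is an added example written for this post, not Microsoft's or any vendor's detection logic. The telemetry is constructed: only the two lure domains come from the post, and every path, PID, publisher name, issuance date and destination is invented. The event field names, the approved-host and approved-publisher sets, the 30-day "freshly issued certificate" window and the two-findings alert threshold are all assumptions to be tuned to your environment.

```python
"""Correlate signed-installer lure telemetry into one alert per suspicious installer."""
from datetime import datetime, timedelta

# Assumption: hosts your organisation accepts as sources for collaboration-suite installers.
APPROVED_DOWNLOAD_HOSTS = {
    "www.microsoft.com", "teams.microsoft.com", "statics.teams.cdn.office.net",
}
# Assumption: publisher subject names whose signatures count as "known good" for user installs.
APPROVED_PUBLISHERS = {"Microsoft Corporation"}
# Brand terms a lure domain tends to trade on (teams-download[.]buzz, teams-install[.]run).
PRODUCT_KEYWORDS = ("teams", "microsoft", "office")
# Assumption: a certificate issued this close to first execution deserves a second look.
NEW_CERT_WINDOW = timedelta(days=30)
# Assumption: two or more independent findings on one installer are enough to alert.
ALERT_THRESHOLD = 2


def is_lookalike_download(host):
    """True when a host trades on a product name but is not an approved download source."""
    host = host.lower()
    if host in APPROVED_DOWNLOAD_HOSTS:
        return False
    return any(keyword in host for keyword in PRODUCT_KEYWORDS)


def signer_findings(sig, first_seen_iso):
    """Reasons a signature should not, on its own, be read as 'safe'."""
    findings = []
    if not sig.get("signed"):
        return ["unsigned binary"]
    if sig["publisher"] not in APPROVED_PUBLISHERS:
        findings.append(f"publisher not allowlisted: {sig['publisher']} (issuer {sig['issuer']})")
    # Issuance timing: a certificate minted days before the binary first ran is a weak
    # signal by itself, but it is exactly the pattern the campaign relied on.
    age = datetime.fromisoformat(first_seen_iso) - datetime.fromisoformat(sig["not_before"])
    if age < NEW_CERT_WINDOW:
        findings.append(f"certificate issued {age.days} days before first execution")
    return findings


def correlate(events):
    """Walk the telemetry once and return alerts keyed by installer path."""
    downloads = {e["path"]: e for e in events if e["type"] == "download"}
    sigs = {e["path"]: e for e in events if e["type"] == "signature"}
    procs = [e for e in events if e["type"] == "process"]
    net = [e for e in events if e["type"] == "network"]
    alerts = []
    for path, dl in downloads.items():
        runs = [p for p in procs if p["image"] == path]
        if not runs:
            continue  # downloaded but never executed: nothing to chain yet
        findings = []
        if is_lookalike_download(dl["host"]):
            findings.append(f"downloaded from lookalike host {dl['host']}")
        findings += signer_findings(sigs.get(path, {"signed": False}), runs[0]["ts"])
        # Final stage: something the installer spawned talks to a non-approved destination.
        run_pids = {r["pid"] for r in runs}
        children = {p["pid"] for p in procs if p["ppid"] in run_pids}
        beacons = [n for n in net if n["pid"] in children and n["dest_host"] not in APPROVED_DOWNLOAD_HOSTS]
        if beacons:
            findings.append(f"child process beaconed to {beacons[0]['dest_host']}")
        if len(findings) >= ALERT_THRESHOLD:
            alerts.append({"path": path, "findings": findings})
    return alerts


# Constructed sample telemetry: a lure chain followed by a benign install from an approved host.
SAMPLE_EVENTS = [
    {"type": "download", "ts": "2025-10-01T09:12:00", "host": "teams-download.buzz",
     "path": r"C:\Users\jdoe\Downloads\TeamsSetup.exe"},
    {"type": "signature", "path": r"C:\Users\jdoe\Downloads\TeamsSetup.exe", "signed": True,
     "publisher": "Example Apps LLC", "issuer": "Trusted Signing", "not_before": "2025-09-27T00:00:00"},
    {"type": "process", "ts": "2025-10-01T09:13:10", "pid": 4120, "ppid": 3001,
     "image": r"C:\Users\jdoe\Downloads\TeamsSetup.exe"},
    {"type": "process", "ts": "2025-10-01T09:13:40", "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"type": "network", "ts": "2025-10-01T09:14:02", "pid": 4188, "dest_host": "203.0.113.45"},
    {"type": "download", "ts": "2025-10-01T10:00:00", "host": "teams.microsoft.com",
     "path": r"C:\Users\asmith\Downloads\MSTeamsSetup.exe"},
    {"type": "signature", "path": r"C:\Users\asmith\Downloads\MSTeamsSetup.exe", "signed": True,
     "publisher": "Microsoft Corporation", "issuer": "Example Issuing CA", "not_before": "2024-01-15T00:00:00"},
    {"type": "process", "ts": "2025-10-01T10:01:00", "pid": 5200, "ppid": 3001,
     "image": r"C:\Users\asmith\Downloads\MSTeamsSetup.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["path"])
        for finding in alert["findings"]:
            print("  -", finding)
```

Run against the sample, the rule raises one alert for the lure installer with four findings and stays silent on the vendor-signed install, which is the point: no single signal (an unknown publisher, a young certificate, a brand-themed domain) is conclusive, but the sequence is. The keyword match for lookalike hosts is deliberately crude; in production it belongs behind DNS filtering and a maintained brand-impersonation list rather than a substring check.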
#Rhysida #ViceSociety #VanillaTempest #OysterBackdoor #Microsoft #CodeSigningAbuse #CertificateRevocation #TrustedSigning #DigiCert #GlobalSign #SSLcom #SEOPoisoning #Ransomware #EducationSecurity #HealthcareSecurity #ThreatIntelligence #Malware #Infosec