Microsoft has disrupted a ransomware operation at the code-signing layer. On October 17, 2025, the company announced that it had revoked more than 200 code-signing certificates that a cybercriminal group it tracks as Vanilla Tempest (also known as Vice Society) had obtained fraudulently and used to make its malware appear legitimate and trusted.

The revoked certificates were used to sign fake Microsoft Teams installers. The setup files carried names such as "MSTeamsSetup.exe" to match the genuine client and were hosted on lookalike domains built to catch users searching for a Teams download. Because the files were signed, Windows raised none of the warnings an unsigned executable would, and victims who ran them installed malware rather than Teams.

Once launched, the fake installer deployed a loader that installed a backdoor called Oyster. Through this backdoor the attackers gained persistent access to the victim's systems, moved through the network, and then deployed the Rhysida ransomware, which encrypted files across the network and demanded payment to restore them.

Microsoft detected the campaign in late September 2025. In early October the company revoked the fraudulent certificates and updated its security products so that Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect and block the fake Teams installers, the Oyster backdoor, and the Rhysida ransomware.

The attackers did not break the certificate authorities; they obtained certificates fraudulently from legitimate, publicly trusted CAs including DigiCert, GlobalSign, and SSL.com. A valid signature chaining to a trusted CA satisfies any check that only asks whether a binary is signed, so the installers cleared the warnings and policies that unsigned malware would have tripped, and users who looked for a signature saw one.

Vanilla Tempest has been active since around 2021. It deployed ransomware families including BlackCat, Zeppelin, and Quantum Locker before switching to Rhysida. The group is financially motivated, and its playbook combines data theft, lateral movement inside the victim network, and ransom demands.

Revoking the certificates matters because signatures made with a revoked certificate no longer validate, so those same signed files can no longer pass as trusted on systems that check revocation. Revocation does nothing for hosts that already ran an installer, however: the Oyster backdoor and any follow-on access remain in place until they are found and removed. Microsoft has also added detections to Defender for Endpoint for the attack patterns used by Vanilla Tempest, so organizations can hunt for and investigate existing compromises.

To stay safe, download software only from the vendor's official site, and verify a file before installing it: the presence of a signature is not enough, since this campaign shows that signed malware is possible, so confirm that the signature is valid and that the signer is the publisher you expect. Keep antivirus and operating systems updated. Isolate suspicious downloads or installers immediately, and monitor networks for unusual activity such as unexpected outbound connections or lateral movement after a software install. Microsoft's response shows how certificate revocation combined with detection updates can cut short a campaign that relied on borrowed trust.
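The check described above, as an added example that is not part of the original article or of any Microsoft tooling: a PowerShell function that inspects an installer's Authenticode signature, forces an online revocation check of the signing chain, and confirms that the signer is the expected publisher rather than merely "some trusted CA". The expected subject fragment `O=Microsoft Corporation` is an assumption about how genuine Teams installers are signed; adjust it for other vendors.

```powershell
# Added example: verify a downloaded installer before running it.
# Checks three things the Vanilla Tempest campaign relied on defenders skipping:
#   1. the signature is cryptographically valid,
#   2. the signing certificate chain is not revoked (checked online, not from cache),
#   3. the signer is the publisher we expect, not just any publicly trusted CA.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: genuine Teams setup files are signed by Microsoft Corporation.
        [string] $ExpectedSubject = 'O=Microsoft Corporation'
    )

    $result = [ordered]@{
        Path    = $Path
        Status  = 'NotSigned'
        Signer  = $null
        Revoked = $false
        Trusted = $false
        Reason  = ''
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status = $sig.Status
    if (-not $sig.SignerCertificate) {
        $result.Reason = 'File is not signed'
        return [pscustomobject]$result
    }
    $result.Signer = $sig.SignerCertificate.Subject

    # Rebuild the chain with online CRL/OCSP checking and the code-signing EKU,
    # so a certificate revoked after the file was downloaded is still caught.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3')
    $null = $chain.Build($sig.SignerCertificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $chain.Reset()
    $result.Revoked = ($flags -contains 'Revoked')

    if ($sig.Status -ne 'Valid') {
        $result.Reason = "Signature status $($sig.Status): $($sig.StatusMessage)"
    }
    elseif ($result.Revoked) {
        $result.Reason = 'Signing certificate or its chain has been revoked'
    }
    elseif ($result.Signer -notlike "*$ExpectedSubject*") {
        # This is the case the fake MSTeamsSetup.exe files fall into: a valid,
        # trusted signature from a publisher that is not Microsoft.
        $result.Reason = "Signed by unexpected publisher: $($result.Signer)"
    }
    else {
        $result.Trusted = $true
        $result.Reason = 'Valid signature from expected publisher'
    }
    [pscustomobject]$result
}

# Usage: sweep the Downloads folder for anything named like the Teams installer.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'MSTeamsSetup*.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } |
    Format-Table Path, Status, Revoked, Trusted, Reason -AutoSize
```

Only a result with `Trusted = True` should be run. A file that reports `Status = Valid` but `Trusted = False` with an "unexpected publisher" reason is exactly the pattern this campaign used, and is worth quarantining and reporting rather than deleting, since the signer's subject and the certificate thumbprint are useful indicators for the rest of the fleet.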

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news