Microsoft exposes a ransomware campaign using fake Teams installers and forged certificates.
Microsoft has disrupted a highly sophisticated ransomware campaign launched by Vanilla Tempest, which used fake Microsoft Teams installers and fraudulently signed malware to target victims. This takedown, involving the revocation of over 200 malicious certificates, highlights the growing threat of SEO poisoning.
Vanilla Tempest, also known as VICE SPIDER or Vice Society, is a cybercriminal group that has been active since at least 2021. It is financially motivated, carrying out ransomware attacks and data extortion against the education and healthcare sectors. The group is known for deploying a range of ransomware strains (including BlackCat, Quantum Locker, and Zeppelin) and has recently shifted its focus to using Rhysida ransomware in its operations.
Microsoft first detected the Vanilla Tempest campaign in late September 2025. The company disrupted this campaign by revoking more than 200 fraudulently obtained code-signing certificates used by the cybercriminals to sign their malware.
In this campaign, Vanilla Tempest tricked users into downloading malicious files by creating fake Microsoft Teams installers hosted on deceptive websites that closely mimicked legitimate Microsoft domains. These sites (such as teams-download[.]buzz and teams-install[.]run) were promoted using search engine optimization (SEO) poisoning. This approach makes them appear in search results and increases the likelihood of unsuspecting users clicking on them.
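For defenders reviewing web proxy logs, the Python below is an added example (not from the original article and not Microsoft's detection logic) that flags requests to the two domains named above, plus other hosts that use "teams" as a hostname token outside an allowlist. The five-field log format, the trusted parent domains and the `.example` hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Lookalike domains named in the article, kept defanged at rest.
ARTICLE_IOCS = ("teams-download[.]buzz", "teams-install[.]run")
# Assumption: parent domains this organisation accepts for Teams; adjust locally.
TRUSTED_PARENTS = ("microsoft.com", "office.com", "office.net", "live.com")
# "teams" as a whole label or hyphen-separated token ("steamstore" must not match).
BRAND = re.compile(r"(^|[.-])(ms)?teams([.-]|$)")
INSTALLER = re.compile(r"\.(exe|msi|msix)$", re.IGNORECASE)

def refang(indicator):
    return indicator.replace("[.]", ".").lower()
IOC_HOSTS = {refang(i) for i in ARTICLE_IOCS}

def is_trusted(host):
    # Compare the right-hand side only, so "teams.microsoft.com.dl.example" fails.
    return any(host == p or host.endswith("." + p) for p in TRUSTED_PARENTS)

def classify(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        return "article-ioc"
    if is_trusted(host) or not BRAND.search(host):
        return None
    return "lookalike-installer" if INSTALLER.search(parts.path) else "lookalike"

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing at fields
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], urlsplit(fields[3]).hostname, verdict))
    return hits

# Constructed sample log, "<ts> <user> <method> <url> <status>"; .example hosts are invented.
SAMPLE_LOG = "\n".join([
    "2025-10-01T09:12:03Z alice GET https://teams.microsoft.com/v2/ 200",
    f"2025-10-01T09:14:40Z bob GET https://{refang(ARTICLE_IOCS[0])}/ 200",
    "2025-10-01T09:20:11Z carol GET https://teams.microsoft.com.dl.example/setup.exe 200",
    "2025-10-01T09:21:57Z dave GET https://get-teams.example/ 200",
    "2025-10-01T09:30:02Z erin GET https://steamstore.example/app.exe 200",
])

print(scan(SAMPLE_LOG))
```

A brand-token match is a triage lead rather than a verdict, so hits should be reviewed alongside endpoint telemetry before any action is taken.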
Once executed, the fake installer deployed a loader that delivered the Oyster backdoor, which had been fraudulently signed to appear trustworthy. This backdoor served as a gateway for further malicious activity, which ultimately led to the deployment of Rhysida ransomware.
“Running the fake Microsoft Teams setups delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor. Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025,” the Microsoft Threat Intelligence team explained.
Microsoft’s security solutions successfully identified and blocked the fake Teams installers, the Oyster backdoor, and the Rhysida ransomware payload. Microsoft recommends ensuring that Microsoft Defender Antivirus is fully enabled to protect organizations against the Vanilla Tempest campaign.
Additionally, Microsoft Defender for Endpoint provides advanced detection of the threat actor’s tactics and offers specific guidance for investigating and mitigating such attacks. Microsoft aims to help organizations strengthen their defenses and improve overall cybersecurity resilience.