Full Report
Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were "used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware," the Microsoft Threat Intelligence team said in a post shared on X. The tech
Analysis Summary
# Incident Report: Rhysida Ransomware Campaign Using Fraudulent Microsoft Certificates
## Executive Summary
Microsoft disclosed the disruption of a campaign by the threat actor Vanilla Tempest (also known as Vice Society/Vice Spider) involving the use of over 200 fraudulent code-signing certificates to distribute the Oyster backdoor, culminating in Rhysida ransomware deployment. Attackers gained initial access by tricking users into downloading trojanized Microsoft Teams setup files via SEO poisoning; the signed installers then gave them a foothold for persistent malware and, ultimately, ransomware. Microsoft responded by revoking the fraudulent certificates and updating its defenses.
## Incident Details
- Discovery Date: Late September 2025 (Detection) / Early October 2025 (Microsoft Disruption)
- Incident Date: Campaign active since at least July 2022 (underlying actor history); specific campaign details in September/October 2025.
- Affected Organization: Unspecified victims targeted by the ransomware payloads, though Microsoft's systems were used fraudulently for signing.
- Sector: Likely multiple sectors targeted by Rhysida ransomware infections.
- Geography: Global (Implied by nature of ransomware-as-a-service campaigns and online distribution).
## Timeline of Events
### Initial Access
- Date/Time: Prior to Late September 2025 (when activity was detected).
- Vector: Search Engine Optimization (SEO) poisoning and malicious advertisements directing users to look-alike domains.
- Details: Attackers created malicious domains mimicking Microsoft (e.g., teams-download[.]buzz, teams-install[.]run) to host trojanized `MSTeamsSetup.exe` installers.
### Lateral Movement
- Details: The initial execution deployed the Oyster backdoor (aka Broomstick/CleanUpLoader), which enables further unauthorized access and persistence, setting the stage for ransomware deployment.
### Data Exfiltration/Impact
- Details: The ultimate impact was the deployment of Rhysida ransomware, suggesting data encryption and potential data extortion threats.
### Detection & Response
- Date/Time: Late September 2025 (Detection); Early October 2025 (Microsoft Disruption).
- Details: Microsoft Threat Intelligence detected the malicious activity. Response included revoking over 200 certificates used for signing malicious binaries and updating security solutions to flag the bad configuration files, Oyster backdoor, and Rhysida ransomware signatures.
## Attack Methodology
- Initial Access: SEO poisoning guiding users to malicious websites hosting trojanized software installers (`MSTeamsSetup.exe`).
- Persistence: Use of the Oyster backdoor to maintain access post-initial compromise.
- Privilege Escalation: Not explicitly detailed, but typically required to deploy ransomware successfully.
- Defense Evasion: Using digitally signed malicious binaries (via fraudulently acquired certificates) to appear legitimate to operating system security controls.
- Credential Access: Not detailed, but likely employed by the Oyster backdoor or subsequent Rhysida modules.
- Discovery: Not detailed, but subsequent activity following Oyster deployment would involve network/system reconnaissance.
- Lateral Movement: Not detailed, but implied by the pattern of Rhysida attacks often following initial backdoor deployment.
- Collection: Not detailed, but necessary precursor to ransomware deployment.
- Exfiltration: Not detailed, but standard for modern ransomware strains.
- Impact: Deployment of Rhysida ransomware, leading to file encryption.
## Impact Assessment
- Financial: Not specified, but significant due to ransom demands and recovery costs associated with Rhysida attacks.
- Data Breach: Implied risk of sensitive data exposure associated with Rhysida ransomware operations.
- Operational: Disruption caused by ransomware encryption across affected endpoints/systems.
- Reputational: Damage to victim organizations; potential reputation harm to software providers if users are misled (indirectly mitigated by Microsoft's disclosure).
## Indicators of Compromise
- Network indicators: Malicious domains mimicking Microsoft Teams download pages (e.g., teams-download[.]buzz, teams-install[.]run, as noted under Initial Access).
- File indicators: Fraudulently signed `MSTeamsSetup.exe`; Oyster backdoor files; Rhysida ransomware payload.
- Behavioral indicators: Execution of new processes from user directories masquerading as software installs; connection activity related to Oyster C2.
## Response Actions
- Containment measures: Microsoft revoked the 200+ fraudulent code-signing certificates associated with the activity.
- Eradication steps: Security solutions updated to flag signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware.
- Recovery actions: Not specified for victims, but implied clean-up/restoration efforts would be necessary post-ransomware deployment.
## Lessons Learned
- Key takeaways: Threat actors (Vanilla Tempest) are effectively abusing legitimate code-signing infrastructure (Trusted Signing, SSL.com, DigiCert, GlobalSign) to achieve high levels of trust for malware distribution. SEO poisoning remains a highly effective method for initial access by exploiting user trust in search results for mainstream software.
- What could have been done better: Organizations must enforce stricter validation checks on software sources, even when dealing with seemingly legitimate installers.
## Recommendations
- Prevention measures for similar incidents: Users should only download software from verified official sources and avoid clicking links presented in response to general web searches, especially advertisements. Endpoint detection and response (EDR) solutions should be configured to scrutinize the origin and signature validity of executables, even when signed.
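The "even when signed" point above is the crux of this campaign: a valid Authenticode signature alone says nothing about who the signer is or whether the certificate has since been revoked. The following PowerShell check is an added example (not Microsoft's tooling or anything from the original report) that verifies a downloaded installer's signature, rebuilds the signer chain with online revocation checking, and compares the signer's subject against the publisher expected for the product; the download path and the expected publisher prefix are assumptions.

```powershell
# Added example: triage a downloaded installer before it is run.
# $Path and $ExpectedPublisher are assumed values, not from the report.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\MSTeamsSetup.exe",   # assumed download location
    [string]$ExpectedPublisher = 'CN=Microsoft Corporation'         # assumed expected signer subject prefix
)

function Test-InstallerSignature {
    param([string]$FilePath, [string]$ExpectedSubjectPrefix)

    $result = [ordered]@{ File = $FilePath; Verdict = 'REJECT'; Reasons = @() }
    if (-not (Test-Path -LiteralPath $FilePath)) {
        $result.Reasons += 'file not found'
        return [pscustomobject]$result
    }

    # Step 1: is the Authenticode signature itself intact and trusted?
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }

    # Step 2: rebuild the signer chain with online CRL/OCSP lookups so that a
    # certificate revoked after the file was downloaded (as happened here) is caught.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($sig.SignerCertificate)) {
        $result.Reasons += ($chain.ChainStatus | ForEach-Object {
            "chain: $($_.Status) $($_.StatusInformation.Trim())"
        })
    }

    # Step 3: a valid signature from the wrong publisher is the whole trick in
    # this campaign. The signer must be the vendor whose product the file claims to be.
    $subject = $sig.SignerCertificate.Subject
    if (-not $subject.StartsWith($ExpectedSubjectPrefix)) {
        $result.Reasons += "signer '$subject' does not match expected publisher '$ExpectedSubjectPrefix'"
    }

    if ($result.Reasons.Count -eq 0) { $result.Verdict = 'ACCEPT' }
    [pscustomobject]$result
}

Test-InstallerSignature -FilePath $Path -ExpectedSubjectPrefix $ExpectedPublisher | Format-List
```

The same three checks (signature validity, live revocation status, expected signer identity) are what an EDR policy should encode; the script simply makes them visible for a single file during triage.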