Microsoft said on Thursday it revoked more than 200 code signing certificates that a threat actor tracked as Vanilla Tempest used to fraudulently sign malicious binaries, according to a post shared on X by the company’s security team. The company described the action as part of efforts to disrupt a campaign that delivered ransomware.
Microsoft’s Threat Intelligence team said the certificates were used in fake Microsoft Teams setup files to deliver an Oyster backdoor and ultimately deploy Rhysida ransomware. The company said it detected the activity in late September 2025 and disrupted it earlier in October, and that its security solutions have been updated to flag the signatures associated with the fake installers, the backdoor, and the ransomware.
The article said the actor tracked as Vanilla Tempest, also referred to as Vice Society and Vice Spider, is a financially motivated group assessed to have been active since at least July 2022 and has delivered multiple ransomware strains including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
Microsoft described the Oyster backdoor, also called Broomstick and CleanUpLoader, as commonly distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams, hosted on bogus websites that users may reach through search results. The company gave examples of malicious domains mimicking Microsoft Teams and said the actor used services including Trusted Signing as well as SSL.com, DigiCert, and GlobalSign to sign installers and post compromise tools.
Security teams and users were advised to obtain software from verified sources and to avoid clicking suspicious links served via search engine ads. Details of the campaign were first disclosed last month by Blackpoint Cyber, and Microsoft said it has taken steps to block the malicious signatures and disrupt the activity.