TLDR
Microsoft revoked over 200 fraudulent code‑signing certificates linked to the Vanilla Tempest threat actor.
The certificates were used to sign malicious Teams installers, the Oyster backdoor, and Rhysida ransomware. Revocation blocks further abuse and enables security tools to flag the associated binaries.
What happened
In late September 2025 Microsoft’s Threat Intelligence Center detected a surge of malicious binaries signed with certificates that appeared to be issued by Microsoft. The certificates were not issued by Microsoft. They were forged by a threat actor known as Vanilla Tempest.
Vanilla Tempest has been active since at least July 2022. The group specializes in supply‑chain attacks that target popular collaboration tools. In this campaign the actor created fake Microsoft Teams installer packages. The packages were hosted on compromised or newly registered domains that ranked highly for search terms such as “download Microsoft Teams”. The attacker used SEO poisoning techniques to push the malicious pages to the top of search results. When a user clicked the link, they were redirected to a site that mimicked the official Microsoft download page. The site offered a “TeamsSetup.exe” file that was digitally signed with one of the fraudulent certificates.
The signed binary passed basic trust checks on Windows. Once executed, the installer dropped the Oyster backdoor. Oyster establishes persistence, exfiltrates credentials, and opens a command channel for the attacker.
After the backdoor was in place, the threat actor delivered the Rhysida ransomware payload. Rhysida encrypts files, appends a custom extension, and leaves a ransom note demanding payment in cryptocurrency.
Microsoft’s internal certificate‑revocation infrastructure was updated to block the 200+ fraudulent certificates. The revocation list was pushed to Windows Update, Microsoft Defender, and Azure security services. Security vendors were notified so that they could update their detection signatures.
Why it matters
- Code‑signing abuse undermines trust. Users rely on digital signatures to verify software integrity. When a forged certificate is accepted, the attacker can bypass many security controls.
- Supply‑chain impact. The malicious Teams installers were distributed through legitimate‑looking download pages. This method reaches a broad audience without requiring phishing or social engineering.
- Long‑term campaign. Vanilla Tempest has been operating for more than three years. The group has refined its techniques, making detection harder.
- Ransomware escalation. The campaign combined a stealthy backdoor (Oyster) with destructive ransomware (Rhysida). The backdoor provides reconnaissance and lateral movement before the encryption phase.
- Widespread exposure. Microsoft Teams is deployed in millions of enterprises. Any user who downloads the fake installer can become an entry point.
The revocation prevents new binaries from being trusted, but existing compromised systems remain at risk. Organizations must still locate and remove the Oyster backdoor and any remnants of Rhysida.
Who is affected
The primary victims are organizations that use Microsoft Teams for collaboration. The attack surface includes:
- Enterprises of all sizes that allow employees to download Teams installers from the internet.
- Managed service providers that install Teams on behalf of clients.
- Educational institutions that provide Teams to students and staff.
- Government agencies that have adopted Teams for remote work.
- Individual users who manually download Teams outside of corporate IT channels.
Any system that executed a signed installer from the malicious domains is potentially compromised. The impact is not limited to Windows workstations; the backdoor can spread to servers, virtual machines, and container hosts if lateral movement is successful.
How to check exposure
Security teams should perform the following steps to determine whether their environment has been affected.
- Identify the certificate thumbprints. Microsoft published a list of the revoked certificates. The list includes SHA‑1 and SHA‑256 thumbprints. Import the list into your SIEM or endpoint detection platform.
- Search for signed binaries. Query file‑hash logs for executables that were signed with any of the listed thumbprints. Look for both the original installer name (e.g., TeamsSetup.exe) and any renamed variants.
- Check process creation events. Correlate the signed binaries with process creation logs. Flag any execution of the installer after September 2025.
- Detect Oyster indicators. The Oyster backdoor uses known command‑and‑control (C2) domains and a set of mutex names. Use threat‑intel feeds to hunt for these IOCs.
- Search for Rhysida artifacts. Look for files with the custom extension used by Rhysida (e.g., .rhysida) and ransom notes that reference the ransomware name.
- Review network traffic. Identify outbound connections to the known C2 infrastructure used by Vanilla Tempest. Block any suspicious IPs or domains.
- Audit software distribution channels. Verify that all Teams installations in your environment were sourced from official Microsoft channels (MS Store, Microsoft Endpoint Manager, or approved internal mirrors).
Document any findings and prioritize remediation based on the severity of the detected artifacts.
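The thumbprint hunt described in the steps above, as an added example that is not part of the advisory: it normalizes a revocation list so that differently formatted thumbprints (colons, spacing, case) compare equal, matches on the signer rather than the file name so renamed installers are still caught, and flags executions on or after the September 2025 cutoff. The thumbprints, host names, paths and log lines are all constructed placeholders; the real list is the one Microsoft published, and the log shape is an assumption about a typical EDR process-creation export.

```python
import json
from datetime import datetime, timezone

# Constructed placeholder thumbprints; the real list is the one Microsoft published.
REVOKED_THUMBPRINTS_RAW = [
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",  # SHA-1 style
    "0123456789abcdef" * 4,                                         # SHA-256 style
]
# Executions on or after this date are the ones the hunt prioritises.
CUTOFF = datetime(2025, 9, 1, tzinfo=timezone.utc)


def normalize(thumbprint: str) -> str:
    """Uppercase hex with colons/spaces removed, so SIEM, certutil and EDR forms compare equal."""
    return "".join(c for c in thumbprint.upper() if c in "0123456789ABCDEF")


REVOKED = {normalize(t) for t in REVOKED_THUMBPRINTS_RAW}

# Constructed sample events (JSON lines) shaped like an EDR process-creation export.
SAMPLE_LOG = r"""
{"timestamp": "2025-10-03T14:22:10+00:00", "host": "WS-017", "image": "C:\\Users\\jdoe\\Downloads\\TeamsSetup.exe", "signer_thumbprint": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"}
{"timestamp": "2025-09-15T08:05:41+00:00", "host": "WS-042", "image": "C:\\Temp\\update_helper.exe", "signer_thumbprint": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}
{"timestamp": "2025-10-01T09:00:00+00:00", "host": "WS-009", "image": "C:\\Program Files\\Vendor\\tool.exe", "signer_thumbprint": "ffffffffffffffffffffffffffffffffffffffff"}
{"timestamp": "2025-08-20T17:45:12+00:00", "host": "SRV-003", "image": "D:\\installers\\TeamsSetup.exe", "signer_thumbprint": "00112233445566778899aabbccddeeff00112233"}
"""


def find_hits(log_text: str, revoked=REVOKED, cutoff=CUTOFF) -> list:
    """One record per event signed with a revoked thumbprint; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            thumbprint = normalize(event.get("signer_thumbprint", ""))
            if thumbprint not in revoked:
                continue                      # legitimately signed or unsigned
            after = datetime.fromisoformat(event["timestamp"]) >= cutoff
        except (ValueError, KeyError, TypeError):
            continue                          # bad JSON, missing or naive timestamp
        hits.append({
            "host": event.get("host"),
            "image": event.get("image"),      # match is on the signer, not the file name
            "thumbprint": thumbprint,
            "after_cutoff": after,
        })
    return hits
```

Pre-cutoff hits are still reported (with `after_cutoff` false) because a binary signed with a revoked certificate is worth a look regardless of when it first ran.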
Fast mitigation
While the certificate revocation stops future abuse, immediate actions are required to contain existing infections.
- Block the revoked certificates. Deploy the updated revocation list to all Windows endpoints via Group Policy or Microsoft Endpoint Configuration Manager.
- Quarantine suspicious binaries. Use endpoint protection to isolate any executable that matches the revoked thumbprints.
- Remove the Oyster backdoor. Run a full endpoint scan with updated signatures. If the backdoor persists, perform a manual removal using the provided PowerShell removal script from Microsoft’s security advisory.
- Restore encrypted data. If Rhysida has already encrypted files, engage your backup restoration process. Do not pay the ransom.
- Patch vulnerable software. Ensure that all Windows systems have the latest security updates, especially those that address credential dumping and privilege escalation.
- Restrict download sources. Enforce a policy that only allows software installation from approved URLs. Use web filtering to block the malicious domains identified in the campaign.
- Educate users. Communicate the risk of downloading installers from search results. Encourage the use of official Microsoft portals.
- Monitor for lateral movement. Enable Windows Event Forwarding to collect authentication events. Look for unusual logon patterns that may indicate the attacker is moving laterally.
After containment, conduct a post‑incident review. Update your incident‑response playbooks to include certificate‑revocation checks for future supply‑chain threats.