Microsoft revokes 200+ certificates abused by Vanilla Tempest in fake Teams campaign
Microsoft revoked more than 200 certificates abused by the cybercrime group Vanilla Tempest; the certificates were used to sign fake Microsoft Teams installers that delivered the Oyster backdoor and Rhysida ransomware. The group has been active since July 2022, has attacked organizations in sectors including education, healthcare, IT, and manufacturing, and has used several ransomware payloads in its attacks. Microsoft responded by revoking the certificates and updating Microsoft Defender Antivirus detections. 2025-10-17 09:40:21 Author: securityaffairs.com


Microsoft revoked 200+ certificates used by Vanilla Tempest to sign fake Teams installers spreading Oyster backdoor and Rhysida ransomware.

Microsoft revoked over 200 certificates used by the cybercrime group Vanilla Tempest (aka VICE SPIDER and Vice Society) to sign fake Teams installers spreading the Oyster backdoor and Rhysida ransomware.

The threat actor has been active since July 2022 and has been observed targeting organizations in the education, healthcare, IT, and manufacturing sectors. The group has employed various ransomware payloads in its attacks, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.

The threat actor uses Remote Desktop Protocol (RDP) for lateral movement and deploys the INC ransomware payload through the Windows Management Instrumentation Provider Host.

“In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware.” states Microsoft. “We identified this Vanilla Tempest campaign in late September 2025, following several months of the threat actor using fraudulently signed binaries in attacks.”

Microsoft also announced that it has added indicators of compromise (IoCs) to Defender Antivirus to detect the fake setup files, ensuring that Defender for Endpoint can detect Vanilla Tempest TTPs.

In this campaign, Vanilla Tempest distributed fake MSTeamsSetup.exe installers hosted on domains mimicking Microsoft Teams, such as teams-download[.]buzz and teams-install[.]run. Victims were lured through SEO poisoning to malicious download sites. Executing the fake installers deployed a loader that installed a fraudulently signed Oyster backdoor, active since June 2025 and signed starting in September. The group abused Trusted Signing, SSL[.]com, DigiCert, and GlobalSign services to sign the malicious files and post-compromise tools.
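As an added defender-side example (not code from the article or from Microsoft), the check below scans web-proxy log lines for two of the campaign traits described above: a download of a file named MSTeamsSetup.exe from a host outside an allowlist, and a "teams" lookalike host. The log format, the allowlist of trusted Teams download hosts, and the sample lines are constructed assumptions; adjust the allowlist to the hosts your environment actually uses.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts from which a genuine Teams installer is expected in this environment.
TRUSTED_TEAMS_HOSTS = {"teams.microsoft.com", "statics.teams.cdn.office.net", "go.microsoft.com"}

# Constructed sample proxy log: timestamp, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2025-10-02T10:14:03Z 10.0.4.12 GET https://teams-download.buzz/MSTeamsSetup.exe 200
2025-10-02T10:15:44Z 10.0.4.19 GET https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe 200
2025-10-02T11:02:10Z 10.0.7.3 GET https://teams-install.run/download/MSTeamsSetup.exe 200
2025-10-02T11:05:51Z 10.0.7.3 GET https://www.example.com/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def is_trusted_host(host):
    """True if host is, or is a subdomain of, an allowlisted Teams download host."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_TEAMS_HOSTS)


def classify(url):
    """Return a finding label for one URL, or None if nothing looks off."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename == "msteamssetup.exe" and not is_trusted_host(host):
        return "teams-installer-from-untrusted-host"
    if "teams" in host and not is_trusted_host(host):
        return "teams-lookalike-host"
    return None


def find_suspicious(log_text):
    """Return (client, host, label) for every log line that matches a campaign trait."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        label = classify(m["url"])
        if label:
            findings.append((m["client"], urlparse(m["url"]).hostname or "", label))
    return findings


if __name__ == "__main__":
    for client, host, label in find_suspicious(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {label}")
```

Only the two downloads from the lookalike hosts are flagged; the installer fetched from the allowlisted CDN host passes.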

“Fully enabled Microsoft Defender Antivirus blocks this threat. In addition to detections, Microsoft Defender for Endpoint has additional guidance for mitigating and investigating this attack. While these protections help secure our customers, we’re sharing this intelligence broadly to help strengthen defenses and improve resilience across the entire cybersecurity community.” concludes the announcement.


Pierluigi Paganini





Source: https://securityaffairs.com/183532/cyber-crime/microsoft-revokes-200-certificates-abused-by-vanilla-tempest-in-fake-teams-campaign.html