Microsoft pulls certs for fake Teams installers dropping ransomware


In early October this year, Microsoft blunted the effectiveness of a ransomware threat actor targeting Teams users by revoking more than 200 code-signing certificates that underpinned a key component of the digital extortionists' attack chain.


Vanilla Tempest, which is also tracked as Vice Spider and Vice Society by other infosec companies, recently launched a campaign that pushed fake Microsoft Teams installers hosted on attacker-controlled domains built to look like legitimate download sites.

Vanilla Tempest is "financially motivated", Microsoft said: it deploys ransomware and exfiltrates data for extortion.

If users run the .exe installers, a downloader fetches the Oyster backdoor, and ultimately the Rhysida ransomware, Microsoft Threat Intelligence wrote.

On top of Rhysida, Vanilla Tempest has used a range of other ransomware, Microsoft said.

The attackers had signed both the fake installers and the tools used after initial compromise with code-signing certificates obtained from Microsoft's Trusted Signing service as well as from SSL.com, DigiCert and GlobalSign.

Those certificates have now been revoked, Microsoft said, stripping the signatures of the trust they lent the malware and making it harder for the group to pass its files off as legitimate software.
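The practical question for a defender is whether a given installer on a workstation was signed with one of those now-revoked certificates. The following PowerShell function is an added example, not code from the iTnews article or from Microsoft: it reads the file's Authenticode signature, rebuilds the certificate chain with revocation checking forced online for the whole chain, and flags any signer other than Microsoft Corporation. The download path and the expected signer subject are assumptions; adjust them to your environment.

```powershell
# Added example (not from the article or from Microsoft). Checks a downloaded
# installer's Authenticode signature, forces an online revocation check of the
# signing chain, and rejects signers other than the expected publisher.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: genuine Teams installers are signed by Microsoft Corporation.
        [string]$ExpectedSubject = 'CN=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = $null
        Revoked   = $false
        ChainInfo = @()
        Verdict   = 'REJECT'
    }

    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        $result.ChainInfo = @('File is not Authenticode-signed')
        return [pscustomobject]$result
    }
    $result.Signer = $sig.SignerCertificate.Subject

    # Rebuild the chain ourselves with revocation checking forced online for every
    # certificate in it, so a cert revoked after the file was signed is still caught
    # even if a cached trust decision on this host says the file is fine.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($sig.SignerCertificate)

    foreach ($s in $chain.ChainStatus) {
        $result.ChainInfo += ('{0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
        if ($s.Status -eq [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) {
            $result.Revoked = $true
        }
    }

    # Accept only a valid, unrevoked signature from the expected publisher.
    # RevocationStatusUnknown or OfflineRevocation makes $chainOk false, so an
    # unreachable CRL/OCSP responder fails closed rather than open.
    $subjectOk = $result.Signer -like "*$ExpectedSubject*"
    if ($sig.Status -eq 'Valid' -and $chainOk -and -not $result.Revoked -and $subjectOk) {
        $result.Verdict = 'ACCEPT'
    }
    return [pscustomobject]$result
}

# Usage: point it at the installer a user downloaded (path is an assumption).
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

Two caveats worth keeping in mind. A signature that was timestamped before the certificate's recorded revocation date can still validate under Authenticode rules, which is why the function checks the signer's subject as well as the chain rather than trusting a "Valid" status alone. And a host that cannot reach the CA's CRL or OCSP endpoint reports RevocationStatusUnknown; the function treats that as a rejection, since a signed-but-unverifiable installer is exactly what this campaign relied on.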

Microsoft Threat Intelligence announced the certificate revocations on LinkedIn and in other social media posts.

Copyright © iTnews.com.au. All rights reserved.