Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign
Microsoft revoked over 200 fraudulent code signing certificates used by the threat actor Vanilla Tempest to sign malicious binaries masquerading as Microsoft Teams installers. These fake installers delivered the Oyster backdoor, which was then used to deploy Rhysida ransomware. The threat actor employed SEO poisoning to redirect users to malicious domains hosting trojanized setup files, exploiting user trust in legitimate brands and search results. The campaign highlights abuse of trusted code signing services and the use of fake software installers to gain initial access. Microsoft updated its security solutions to detect and block these malicious signatures. The threat actor Vanilla Tempest has been active since 2022, deploying multiple ransomware strains. European organizations are at risk due to the widespread use of Microsoft Teams and the targeting of trusted software brands. Mitigation requires strict software sourcing policies, enhanced user awareness, and monitoring for suspicious certificate usage.
AI Analysis
Technical Summary
Microsoft disclosed the revocation of more than 200 fraudulent code signing certificates used by the financially motivated threat actor known as Vanilla Tempest (also called Vice Society or Vice Spider). These certificates were abused to sign malicious binaries, specifically fake Microsoft Teams setup files, which were distributed via malicious domains mimicking legitimate Microsoft Teams download sites. The fake installers delivered the Oyster backdoor (also known as Broomstick or CleanUpLoader), which facilitated the deployment of Rhysida ransomware. The campaign was detected in late September 2025 and disrupted by Microsoft in October 2025. Vanilla Tempest has been active since at least July 2022 and is known for deploying ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. The attackers used SEO poisoning to manipulate search engine results, directing users to malicious download sites. They abused trusted code signing services, including Trusted Signing, SSL.com, DigiCert, and GlobalSign, to sign their malware, increasing the likelihood that it would evade security controls and avoid raising user suspicion. Microsoft updated its security products to flag these malicious signatures and revoked the certificates to prevent further abuse. This attack vector leverages user trust in well-known brands and search results, highlighting the ongoing risks of supply chain and software distribution attacks. The campaign underscores the importance of verifying software sources and the challenges posed by sophisticated threat actors using legitimately issued certificates for malicious purposes.
Potential Impact
European organizations face significant risk from this threat due to the widespread adoption of Microsoft Teams as a collaboration tool across public and private sectors. The use of fraudulent certificates to sign malware increases the likelihood of successful delivery and execution, potentially evading endpoint protections and avoiding user suspicion. Once the Oyster backdoor is installed, attackers can deploy Rhysida ransomware, leading to data encryption, operational disruption, financial losses, and reputational damage. Critical infrastructure, healthcare, finance, and government entities in Europe could be targeted due to their reliance on Microsoft Teams and the strategic value of their data. The SEO poisoning technique increases the attack surface by exploiting everyday user behavior (searching for and downloading software), making initial access easier. The abuse of trusted code signing services undermines confidence in digital certificates and complicates detection efforts, since a valid signature alone can no longer be treated as evidence that a binary is benign. Overall, the threat could lead to widespread ransomware incidents, data breaches, and significant business interruptions across European organizations.
Mitigation Recommendations
European organizations should enforce strict software procurement policies mandating downloads only from verified official sources such as Microsoft’s official website or authorized app stores. Implement advanced endpoint detection and response (EDR) solutions capable of detecting anomalous code signing certificates and unusual installer behaviors. Regularly audit and monitor certificate usage within the environment to detect any unauthorized or suspicious certificates. Enhance user awareness training focusing on the risks of downloading software from search engine results and recognizing signs of SEO poisoning. Employ DNS filtering and web proxy solutions to block access to known malicious domains mimicking legitimate software sites. Collaborate with threat intelligence providers to stay updated on indicators of compromise related to Vanilla Tempest and Rhysida ransomware. Utilize multi-factor authentication and network segmentation to limit lateral movement if initial compromise occurs. Finally, maintain robust, tested backup and recovery processes to mitigate the impact of ransomware attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html (fetched 2025-10-19T01:26:45Z, 955 words)
Threat ID: 68f43e5777122960c1652c6d
Added to database: 10/19/2025, 1:26:47 AM
Last enriched: 10/19/2025, 1:27:58 AM
Last updated: 10/19/2025, 10:09:23 AM