
Microsoft Halts Vanilla Tempest Cyberattack by Revoking Malicious Teams Installer Certificates


Microsoft has successfully disrupted a major cyberattack campaign orchestrated by the Vanilla Tempest threat group in early October 2025.

The tech giant revoked over 200 fraudulent certificates that the cybercriminals had used to sign fake Microsoft Teams installation files, which were designed to deliver the Oyster backdoor and deploy Rhysida ransomware on victim systems.

In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware.

We identified this… pic.twitter.com/FeTitSrTbi

— Microsoft Threat Intelligence (@MsftSecIntel) October 15, 2025

Discovery and Response to the Threat

Microsoft security researchers discovered this Vanilla Tempest campaign in late September 2025 after monitoring several months of suspicious activity involving fraudulently signed binary files.

The company took swift action by not only revoking the malicious certificates but ...


Copyright of this story solely belongs to gbhackers.