Concise Cyber

Microsoft Disrupts Rhysida Ransomware Campaign by Revoking 200+ Fraudulent Certificates

On Thursday, October 17, 2025, Microsoft disclosed that it took significant action to disrupt a ransomware campaign, revoking more than 200 fraudulent certificates. The certificates were exploited by a financially motivated threat actor tracked as Vanilla Tempest to fraudulently sign malicious binaries used in cyberattacks.

According to the Microsoft Threat Intelligence team, the tech giant disrupted the activity earlier in October after it was first detected in late September 2025. The core of the operation involved using the fraudulently obtained certificates to make malicious files appear legitimate, thereby bypassing security measures and deceiving users.

Anatomy of the Attack Chain

The threat actor’s campaign relied on a specific multi-stage attack vector. Vanilla Tempest used the certificates to sign fake Microsoft Teams setup files. These counterfeit installers were the initial entry point for the malware. Once executed by an unsuspecting user, the fake setup file would deliver a malicious payload known as the Oyster backdoor. This backdoor provided the attackers with persistent access to the compromised system, paving the way for the final stage of the attack: the deployment of the Rhysida ransomware, which encrypts victim data for extortion.

Threat Actor Profile and Mitigation

The group behind these attacks, Vanilla Tempest (also known as Storm-0832, Vice Society, and Vice Spider), has been active since at least July 2022. This threat actor is known for its financially driven motives and its use of various ransomware strains over the years, including BlackCat, Quantum Locker, and Zeppelin, in addition to Rhysida. In response to this specific campaign, Microsoft not only revoked the more than 200 certificates but also updated its security solutions. These updates are designed to flag the specific digital signatures associated with the fake setup files, the Oyster backdoor, and the Rhysida ransomware payload to protect customers from the threat.
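The attack chain above starts with a fake installer whose signature looks legitimate, and Microsoft's response was to revoke the certificates behind those signatures. A revocation only protects you if the check is actually performed, so the following is an added PowerShell example (not from the article or from Microsoft) that a defender can run against a downloaded setup file: it reads the Authenticode signature, builds the certificate chain with online revocation checking for the entire chain, confirms the code-signing EKU, compares the signer subject against the publisher you expect, and records the file hash for threat-intelligence lookups. The file path and the expected publisher string are assumptions for illustration.

```powershell
# Added example, not part of the original article. Verifies that an installer's
# Authenticode signature is intact AND that the signing certificate has not been
# revoked, which is the control Microsoft used in the campaign described above.
param(
    # Hypothetical path; point this at the installer you want to inspect.
    [string]$Path = "C:\Users\Public\Downloads\TeamsSetup.exe",
    # Expected publisher for a genuine Microsoft installer (assumption for this example).
    [string]$ExpectedSubjectPattern = 'CN=Microsoft Corporation'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Step 1: signature present and file hash matches what was signed?
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
}

$cert = $sig.SignerCertificate
if (-not $cert) {
    Write-Warning "No signer certificate found on $Path"
    return
}

# Step 2: build the chain ourselves with online revocation checking for the whole
# chain, so a certificate revoked after the file was signed is surfaced explicitly.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Require the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) on the signer certificate.
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null

$chainOk = $chain.Build($cert)
$revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
$revoked = $chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag }

# Step 3: report everything a triage analyst needs in one object.
[pscustomobject]@{
    File             = $Path
    SignatureStatus  = $sig.Status
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    Thumbprint       = $cert.Thumbprint
    NotAfter         = $cert.NotAfter
    ChainValid       = $chainOk
    Revoked          = [bool]$revoked
    PublisherMatches = ($cert.Subject -match $ExpectedSubjectPattern)
    ChainProblems    = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    FileSha256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}
```

Any of `SignatureStatus` not equal to `Valid`, `Revoked` set to `True`, `ChainValid` set to `False`, or `PublisherMatches` set to `False` is reason to quarantine the file rather than run it; the `FileSha256` value can be matched against the indicators a vendor publishes for the fake setup files and the Oyster backdoor.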

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons’ work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
