Microsoft Disrupted Vanilla Tempest Attack by Revoking Certificates Used to Sign Fake Teams File
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft announced that it had revoked more than 200 digital certificates exploited by the notorious Vanilla Tempest hacking group.<\/p>\n
This action effectively disrupted an ongoing campaign where attackers impersonated Microsoft Teams installations to infiltrate corporate networks and deploy ransomware.<\/p>\n
The operation, uncovered in late September, highlights the evolving tactics of ransomware operators who leverage legitimate-looking software to bypass security defenses.<\/p>\n
Vanilla Tempest<\/a>, also tracked by cybersecurity firms as VICE SPIDER and Vice Society, has emerged as a persistent menace in the ransomware landscape.<\/p>\n This financially driven actor specializes in data exfiltration for extortion, often pairing theft with encryption attacks to maximize payouts.<\/p>\n Over the years, the group has wielded a variety of ransomware strains, including BlackCat, Quantum Locker, and Zeppelin. However, in recent months, Rhysida ransomware<\/a> has become their weapon of choice, targeting sectors like healthcare, education, and manufacturing for high-impact disruptions.<\/p>\n The latest campaign preyed on unsuspecting users seeking legitimate Microsoft Teams updates<\/a>. Attackers hosted counterfeit MSTeamsSetup.exe files on deceptive domains such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.<\/p>\n These sites likely gained traction through search engine optimization (SEO) poisoning, where manipulated search results direct victims to malicious downloads instead of official Microsoft resources.<\/p>\nFake Teams Downloads Via Search Engines<\/strong><\/h2>\n