Microsoft Revokes 200+ Certificates Used to Disguise Rhysida Ransomware
Microsoft has revoked more than two hundred digital certificates that had been abused in attacks involving the Rhysida ransomware. The certificates were used to sign malicious builds disguised as legitimate Microsoft Teams installers, within which the Oyster backdoor was concealed. Threat actors tracked under the name Vanilla Tempest used these counterfeit installers to gain initial access, implant the backdoor, and subsequently deploy the full ransomware payload.
The counterfeit installers were hosted on websites mimicking official Microsoft Teams pages, including domains such as teams-download[.]buzz and teams-install[.]run. The attackers relied on search engine optimization (SEO) poisoning, ensuring that users searching for Teams downloads were redirected to their malicious sites. The convincing appearance of these pages and the legitimacy of the search results fostered trust among victims, facilitating initial compromise.
The certificates used to sign these installers were obtained through Trusted Signing services and major certification authorities, including SSL[.]com, DigiCert, and GlobalSign. Because the code appeared legitimately signed, the malware could execute on a victim's system without triggering security warnings. Among the tools used were the Oyster backdoor (also known as Broomstick and CleanUpLoader) and the Rhysida ransomware, previously distributed by the group known as Vice Society, also referred to as Vice Spider.
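The point of this campaign is that "validly signed" is not the same as "signed by the publisher you expect": a certificate issued to an unrelated subject by a public CA or a signing service still produces a clean signature. The PowerShell function below is an added example, not code from the article, Microsoft, or any of the named vendors; it checks a downloaded installer for three things a defender cares about: that the Authenticode signature verifies, that the signer's subject is the expected publisher, and that no certificate in the chain has since been revoked. The expected subject name, the function name, and the sample file path are assumptions for illustration; confirm the subject against a known-good copy of the software you are protecting.

```powershell
# Added example (not from the article or Microsoft): reject an installer whose
# signature is valid but comes from an unexpected publisher or a revoked certificate.
# $ExpectedSubjectCN and the sample path below are assumptions, not values from the article.

function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher CN expected on the genuine installer (assumption; verify against a known-good copy).
        [string] $ExpectedSubjectCN = 'CN=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature itself must verify: file hash intact and chain trusted by Windows.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # 2. A valid signature from the wrong subject is exactly what this campaign relied on.
    #    Match the full CN at the start of the distinguished name, not a substring anywhere in it.
    if ($cert.Subject -ne $ExpectedSubjectCN -and $cert.Subject -notlike "$ExpectedSubjectCN,*") {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'REJECT'
            Reason  = "Unexpected signer '$($cert.Subject)' issued by '$($cert.Issuer)'"
        }
    }

    # 3. Ask the CA (CRL/OCSP) about the whole chain, so a certificate revoked after the
    #    file was downloaded is not accepted on the strength of a cached trust decision.
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)

    $revoked = $chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    }
    if ($revoked) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = 'Signing certificate has been revoked' }
    }

    $unknown = $chain.ChainStatus | Where-Object {
        ($_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown) -or
        ($_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation)
    }
    if ($unknown) {
        # Fail closed: no answer from the CA is not the same as "not revoked".
        return [pscustomobject]@{ Path = $Path; Verdict = 'HOLD'; Reason = 'Revocation status could not be confirmed' }
    }

    return [pscustomobject]@{
        Path       = $Path
        Verdict    = 'ACCEPT'
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        TimeStamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
    }
}

# Usage (sample path is a placeholder): inspect a freshly downloaded installer before running it.
Test-ExpectedPublisher -Path "$env:USERPROFILE\Downloads\Teams_installer_SAMPLE.exe" | Format-List
```

The function returns a `HOLD` verdict rather than `ACCEPT` when the revocation check cannot be completed, because a revocation that Microsoft or the CA has already published is only useful if the endpoint actually asks for it. Pinning on the subject name rather than on a single thumbprint keeps the check working across legitimate certificate rotations, while still rejecting a signature from any other subject no matter which CA issued it.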
Microsoft reported that the malicious activity was detected in late September and neutralized in early October. Alongside the certificate revocation, the company updated detection rules across its security products to block signatures linked to this infection chain. However, Microsoft emphasized that such attacks underscore a persistent trend: the abuse of search engine optimization and paid advertising to propagate malicious installers disguised as trusted applications.
According to Blackpoint Cyber, this delivery method was at the core of the current attack sequence. Instead of downloading the official Teams client, users were served a malicious executable with an identical name, allowing the payload to slip past initial security filters and antivirus scans.
The threat is compounded by the use of legitimate system components and valid certificates, which makes these campaigns exceptionally difficult to detect. Such incidents highlight the crucial importance of downloading software exclusively from official sources and exercising extreme caution with advertised links in search results.