Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign
Summary
Microsoft disclosed it has revoked more than 200 code-signing certificates abused by a threat actor tracked as Vanilla Tempest to sign malicious binaries used in a Rhysida ransomware campaign. The attacker distributed trojanised MSTeamsSetup.exe installers on lookalike domains (for example teams-download[.]buzz, teams-install[.]run) promoted through SEO poisoning, delivering the Oyster backdoor, which then deployed Rhysida.
Microsoft detected the activity in late September 2025, updated its security detections to flag the forged signatures and revoked the fraudulent certificates. The adversary reportedly used Microsoft's Trusted Signing service and certificates from third-party CAs such as SSL.com, DigiCert and GlobalSign to make the malicious installers appear legitimate.
The campaign highlights ongoing abuse of search results and malicious adverts to trick users into installing backdoors and ransomware; Microsoft and security vendors have rolled out mitigations, but user vigilance remains critical.
Key Points
- Microsoft revoked over 200 fraudulent code-signing certificates tied to the Vanilla Tempest actor.
- Fake Microsoft Teams installers (MSTeamsSetup.exe) hosted on malicious domains were used to deliver the Oyster backdoor and deploy Rhysida ransomware.
- Attackers relied on SEO poisoning and malicious adverts to direct victims to bogus download pages that mimicked official sites.
- The threat actor abused Trusted Signing and certificates issued by SSL.com, DigiCert and GlobalSign to sign malicious installers.
- Microsoft updated its security detections to flag the signatures and revoked the certificates; organisations should download software only from verified sources and be wary of search ads.
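One concrete form of the "download software only from verified sources" advice is to inspect an installer's Authenticode signature before running it. The PowerShell function below is an added example, not code from the article or from Microsoft: it checks that the file carries a valid signature, that the signer's subject CN matches the expected publisher (Microsoft Corporation for a genuine Teams installer), and then rebuilds the certificate chain with online revocation checking so that a certificate the CA has since revoked, as happened in this campaign, causes the check to fail. The function name Test-InstallerSignature and the file path in the usage line are assumptions.

```powershell
# Added example (not from the article or from Microsoft): verify an installer's
# Authenticode signature, signer identity and revocation status before running it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # Expected signer CN; genuine Teams installers are signed by Microsoft Corporation.
        [string]$ExpectedSubjectCN = 'Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned, tampered or untrusted-root files never get past this point.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "'$Path': signature status is '$($sig.Status)' ($($sig.StatusMessage))"
        return $false
    }

    # A valid signature from the wrong publisher is exactly what this campaign relied on,
    # so the signer's subject CN is checked against the expected publisher.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch "CN=$([regex]::Escape($ExpectedSubjectCN))(,|$)") {
        Write-Warning "'$Path': validly signed, but by an unexpected publisher: $subject"
        return $false
    }

    # Rebuild the chain with an online CRL/OCSP check so a certificate that the CA
    # has since revoked fails here rather than being trusted on the Status field alone.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($sig.SignerCertificate)) {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "'$Path': chain problem: $($status.Status) - $($status.StatusInformation.Trim())"
        }
        return $false
    }

    Write-Host "'$Path': validly signed by $subject; chain and revocation status OK"
    return $true
}

# Usage (the path is a placeholder for a downloaded installer):
# Test-InstallerSignature -Path 'C:\Downloads\MSTeamsSetup.exe'
```

The explicit chain build matters because a signature can still verify cryptographically after the signing certificate is revoked; the online revocation check is what turns Microsoft's revocation of these certificates into a failed check on the endpoint. Pair this with downloading only from the vendor's own domain, since a validly signed file from an unexpected publisher is the warning sign the publisher check is designed to surface.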
Why should I read this?
Short version: if you manage endpoints, distribute software, or just install apps on a work machine, pay attention. Attackers faked Teams installers and used legit-looking signatures to bypass trust — that’s the kind of trick that gets employees and organisations compromised. Read this to know what happened, what was revoked, and the simple checks to avoid getting stung by copycat download sites.
Source
Source: https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html
