Vanilla Tempest late-September Microsoft Teams malvertising campaign

Campaign
Happening score: 43
2 unique sources, 2 articles

Summary

The late September 2025 Vanilla Tempest campaign used SEO poisoning and malvertising to push fake Microsoft Teams installers, including MSTeamsSetup.exe, to Windows users. The fake installers delivered the Oyster backdoor, which Microsoft said was later used in attacks that could lead to Rhysida ransomware. Microsoft Threat Intelligence revoked over 200 certificates fraudulently signed for the operation and said the group also used Trusted Signing, SSL.com, DigiCert, and GlobalSign to sign malicious installers and post-compromise tools. Microsoft said fully enabled Microsoft Defender Antivirus blocks the threat.

Related Happenings

Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)

Vulnerability
First: 21.05.2026 10:49 Last: 21.05.2026 10:49 Sources 1

About this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

JDownloader website hit by network compromise

Incident
First: 09.05.2026 22:27 Last: 09.05.2026 22:27 Sources 1

About this happening: The **JDownloader website** suffered a **supply-chain compromise** that replaced official **Windows** and **Linux** installer links with malicious payloads, putting users who down...

Timeline

  1. 20.10.2025 13:00 1 article · 7mo ago

    Microsoft revokes 200+ fake Teams certificates used by Vanilla Tempest

    Mitigation Patch Update

    Microsoft Threat Intelligence revoked over 200 certificates fraudulently signed by Vanilla Tempest and used in fake MS Teams setup files to deliver the Oyster backdoor and Rhysida ransomware. Microsoft also said the group used Trusted Signing, SSL[.]com, DigiCert, and GlobalSign to sign fake installers and post-compromise tools, and that fully enabled Microsoft Defender Antivirus blocks this threat.

  2. 16.10.2025 19:58 2 articles · 7mo ago

    Vanilla Tempest late-September Microsoft Teams malvertising campaign

    Initial Disclosure

    The operation began in **late September 2025** with **search ad** and **SEO poisoning** lures that funneled victims to fake **Microsoft Teams** installers. The first phase centered on establishing an initial foothold on **Windows devices** through the **MSTeamsSetup.exe** payload and the **Oyster** backdoor.
