October 16, 2025 By Sergiu Gatlan
Microsoft has disrupted a wave of Rhysida ransomware attacks in early October by revoking over 200 certificates used to sign malicious Teams installers.
Vanilla Tempest, the threat group behind the attacks, used domains that mimic Microsoft Teams, such as teams-install[.]top, teams-download[.]buzz, teams-download[.]top, and teams-install[.]run, to distribute fake MSTeamsSetup.exe files that infected victims with the Oyster backdoor.
These attacks were part of a late September malvertising campaign that used search engine ads and SEO poisoning to push fake Microsoft Teams installers that backdoored Windows devices with Oyster malware (also known as Broomstick and CleanUpLoader).
The ads and the domains led to websites that impersonated the Microsoft Teams download site. Clicking the prominently displayed download link downloads a file named "MSTeamsSetup.exe," the same filename used by the official Teams installer.
