Vanilla Tempest

Vanilla Tempest is a financially motivated threat actor tracked by Microsoft as DEV-0832 and associated in the provided content with Vice Society and Vice Spider. The content also states that Microsoft court documents referred to Vanilla Tempest as aka Vice Spider, Vice Society, and Rhysida, but the Rhysida relationship is inconsistently described elsewhere as a link or association rather than a strict alias, so that overlap should be treated cautiously. The actor has been active since at least June 2021 and has targeted organizations in the education, healthcare, IT, and manufacturing sectors. Multiple sources in the content describe disproportionate targeting of the education sector, especially K-12 and higher education, and also note attacks on healthcare organizations and manufacturing entities. Microsoft states that Vanilla Tempest has targeted U.S. healthcare organizations using INC ransomware, and other reporting in the content says the group has targeted schools, hospitals, and other critical organizations worldwide. The group is described as an intrusion, exfiltration, and extortion actor using double-extortion tactics. Before ransomware deployment, it explores victim networks and exfiltrates data, then threatens publication of stolen data if victims do not pay. Reported initial access methods include exploitation of internet-facing applications, compromised valid accounts, public-facing website exploitation, compromised RDP credentials, and access via Storm-0494 using Gootloader. Observed tooling and tradecraft in the content include Cobalt Strike, Rubeus, Mimikatz, PowerShell, SystemBC, PowerShell Empire, WMI, RDP, AnyDesk, MEGA, Supper malware, scheduled tasks, undocumented autostart registry keys, DLL side-loading, masquerading, process injection, sandbox evasion, account creation, privilege escalation including exploitation of PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527, disabling Windows Defender, deleting shadow copies, clearing event logs, and deleting RDP traces. The content states that Vanilla Tempest has used multiple ransomware families rather than a single unique strain. Reported ransomware used by the actor includes Hello Kitty/Five Hands, Zeppelin, BlackCat, Quantum Locker, Rhysida, and INC ransomware. Trend Micro reporting in the content says Vice Society previously deployed Hello Kitty/Five Hands and Zeppelin and later appeared to develop its own custom ransomware builder. Unit 42 reporting says the group uses multiple ransomware payloads across Windows and Linux hosts and does not operate like a typical ransomware-as-a-service affiliate model with broad affiliates. Microsoft also links Vanilla Tempest to Fox Tempest’s malware-signing-as-a-service platform. According to the content, Vanilla Tempest began using Fox Tempest’s service as early as June 2025 to sign malicious payloads, including trojanized Microsoft Teams installers. Those signed binaries were distributed through malvertising, SEO poisoning, fake ads, and bogus download pages, leading to deployment of Oyster and in some cases Rhysida ransomware. Microsoft further states that Vanilla Tempest used Fox Tempest-signed malware including Oyster, Lumma Stealer, and Vidar, and names Vanilla Tempest as a co-conspirator in its legal complaint against Fox Tempest. Known aliases and related names directly mentioned in the content include DEV-0832, Vice Society, and Vice Spider.