Vanilla Tempest
Vanilla Tempest is a financially motivated cybercriminal threat actor also tracked as DEV-0832, Vice Society, and Vice Spider; BlueVoyant also links it to the name Rapid Brigantine. Reporting ties the actor to ransomware and extortion activity since at least June 2021 or mid-2022, with frequent targeting of education, healthcare, IT, manufacturing, and other critical organizations. Multiple sources describe Vice Society/Vanilla Tempest as an intrusion, exfiltration, and extortion group that has disproportionately targeted the education sector, including K-12 institutions, and has also targeted healthcare organizations.

The actor is notable for using multiple ransomware families rather than a single exclusive strain. Across the cited reporting, Vanilla Tempest/Vice Society is associated with deployment of Hello Kitty/Five Hands, Zeppelin, BlackCat, Quantum Locker, Rhysida, and more recently INC ransomware. Reporting also describes a possible rebrand or linkage between Vice Society and Rhysida, and states that Check Point linked Vice Society with the Rhysida ransomware gang. In late 2024, Vice Society was observed deploying INC ransomware against the healthcare industry, and Microsoft reported Vanilla Tempest targeting U.S. healthcare organizations with INC ransomware attacks.

Observed tradecraft includes initial access via exploitation of internet-facing applications, compromised valid accounts, compromised RDP credentials, spear phishing, SEO poisoning, and malware delivery through fake Microsoft Teams installers and, later, ClickFix lures on compromised WordPress sites. The actor has been linked to Gootloader- and Storm-0494-enabled access in at least one INC intrusion.
Reported post-compromise behavior includes use of Cobalt Strike, SystemBC, PowerShell Empire, Rubeus, Mimikatz, PowerShell, AnyDesk, MEGA, WMI, RDP, DLL side-loading, scheduled tasks, undocumented Registry autostarts, process injection, masquerading, internal reconnaissance, data exfiltration, shadow-copy deletion, event-log clearing, and living-off-the-land techniques. The group has also exploited the PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527 for privilege escalation.

Reporting further links Vanilla Tempest to the Lorem Ipsum malware campaign. BlueVoyant assessed with high confidence that the Lorem Ipsum ecosystem is attributable to Vanilla Tempest/Rapid Brigantine/Vice Society/Vice Spider. That campaign shifted from trojanized Microsoft Teams installers signed via fraudulently obtained Microsoft Trusted Signing certificates to ClickFix lures on compromised WordPress sites after Microsoft disrupted Fox Tempest. BlueVoyant said the infection chain used fake browser update prompts, PowerShell execution, Node.js-based JavaScript payloads, DLL side-loading, encrypted payloads, dead-drop C2 via LetsDiskuss[.]com, and ultimately handed off to the actor’s established post-exploitation tooling, primarily for Rhysida deployment.

Microsoft also identified Vanilla Tempest as a customer and co-conspirator in its legal action against Fox Tempest, the malware-signing-as-a-service operation that abused Microsoft Artifact Signing. According to that reporting, Vanilla Tempest used the service to deploy malware including Oyster, Lumma Stealer, and Vidar, as well as ransomware including Rhysida. Microsoft additionally states that Vanilla Tempest is associated with INC ransomware and was among the threat groups using malware signed through the Fox Tempest service.
Within the Vice Society reporting specifically, the actor is described as well resourced, opportunistic, and capable of rapid operations, with some reporting noting dwell times of up to six days and that it does not operate like a typical ransomware-as-a-service affiliate model. The content states Vice Society has used double extortion, threatened publication of stolen data on its leak site, and in some cases made ransom demands exceeding $1 million. Sub-group information is not directly provided beyond the aliases and linked names above.
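Several of the post-compromise behaviors listed above (shadow-copy deletion, event-log clearing, scheduled-task and Run-key persistence, and credential-theft tooling such as Mimikatz and Rubeus) leave command-line traces that process-creation telemetry captures. The following is an added example, not code from this profile or from any of the vendors it cites: a small Python scanner that applies narrow command-line patterns to constructed process-creation records and groups hits by host. The record field names (host, user, image, command_line, parent_image) and every sample event are assumptions made for the example, loosely modelled on process-creation telemetry rather than any product's schema; the ATT&CK technique labels are standard public identifiers.

```python
"""Flag command lines matching post-compromise behaviors from the profile.

Added example: the events below are constructed for illustration, not
artifacts from any intrusion. Field names (host, user, image, command_line,
parent_image) are an assumption loosely modelled on process-creation telemetry.
"""
import re
from dataclasses import dataclass

# (rule name, ATT&CK technique, regex applied to the lower-cased command line).
# Patterns are kept narrow so enumeration and routine admin use do not fire.
RULES = [
    ("shadow_copy_deletion", "T1490 Inhibit System Recovery",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*maxsize=)")),
    ("event_log_clearing", "T1070.001 Clear Windows Event Logs",
     re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog\b)")),
    ("scheduled_task_persistence", "T1053.005 Scheduled Task",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b")),
    ("run_key_persistence", "T1547.001 Registry Run Keys",
     re.compile(r"\breg(\.exe)?\s+add\s+.*\\currentversion\\run\b")),
    ("credential_access_tooling",
     "T1003 OS Credential Dumping / T1558 Steal or Forge Kerberos Tickets",
     re.compile(r"(sekurlsa::|lsadump::|\brubeus(\.exe)?\b)")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    command_line: str


def scan_event(event):
    """Return every rule a single process-creation record matches."""
    cmd = event.get("command_line", "")
    lowered = cmd.lower()
    return [
        Finding(event.get("host", "?"), event.get("user", "?"), rule, technique, cmd)
        for rule, technique, pattern in RULES
        if pattern.search(lowered)
    ]


def scan(events):
    """Apply every rule to every record, preserving event order."""
    return [f for event in events for f in scan_event(event)]


def summarize(findings):
    """Group matched rule names by host so a responder sees which machines to triage first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


# Constructed sample telemetry: two benign enumeration records and five that
# reflect the behaviors described in the profile.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows",
     "parent_image": "C:\\Program Files\\BackupAgent\\agent.exe"},
    {"host": "FS01", "user": "CORP\\admin.j", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "FS01", "user": "CORP\\admin.j", "image": "C:\\Windows\\System32\\wevtutil.exe",
     "command_line": "wevtutil.exe cl Security",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS22", "user": "CORP\\m.ortiz", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\svc.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "WS22", "user": "CORP\\m.ortiz", "image": "C:\\Windows\\System32\\reg.exe",
     "command_line": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                     "/v svc /t REG_SZ /d C:\\Users\\Public\\svc.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "DC01", "user": "CORP\\admin.j", "image": "C:\\Users\\Public\\m.exe",
     "command_line": "m.exe sekurlsa::logonpasswords",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS22", "user": "CORP\\m.ortiz", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks /query /tn Updater",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:5} {f.user:16} {f.rule:28} {f.technique}")
    print(summarize(hits))
```

The benign `vssadmin list shadows` and `schtasks /query` records are included on purpose so the run shows that enumeration alone does not fire. In production these patterns would be further scoped by parent process and user context (a backup agent legitimately touches shadow storage; a deployment tool legitimately creates tasks), and the per-host summary is what a responder would pivot on when deciding which machine to isolate first.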
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
- Academia & Research
Tradecraft
51 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
23 malware families attributed to this actor across reporting.
18 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, and it has been exploited in the wild.
Observables
56 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Threat actor observed deploying INC ransomware against the health care industry and known for rotating among third-party ransomware payloads.
Financially motivated threat actor behind the Lorem Ipsum ecosystem. Uses ClickFix delivery chains and established post-exploitation tooling, culminating primarily in Rhysida ransomware deployment, and is also associated with BlackCat, Zeppelin, and Quantum Locker.
Financially motivated cybercriminal group linked to the Lorem Ipsum campaign and broader ransomware/data extortion activity. The group is associated with multiple ransomware families and post-exploitation activity following initial access.
Ransomware/extortion activity targeting schools, including publishing sensitive student-related files to pressure victims.