The threat actor is weaponizing Microsoft’s trusted signing system to deliver its OysterLoader malware through fake search ads.
November 3, 2025 By Nidhi Singal

The Rhysida ransomware gang, known for targeting enterprises, has shifted to using malvertising campaigns to spread its malware. In its recent campaigns, the threat actor has used fake download pages mimicking legitimate software such as Microsoft Teams, PuTTY and Zoom.
The Rhysida group is using malvertising as its attack technique. The group purchases Bing search engine advertisements to put links to convincing-looking, malicious software download pages right in front of potential victims.
The ongoing malicious ad campaign has been delivering malware called OysterLoader. Previously known as Broomstick and CleanUpLoader, OysterLoader is an initial access tool (IAT) used to establish a foothold on a device so that a second-stage persistent backdoor can be dropped on the system to establish long-term access, noted cybersecurity firm Expel.