The Rhysida ransomware gang has been running a sophisticated malvertising campaign that delivers OysterLoader malware through deceptive search engine advertisements, giving attackers complete access to compromised devices and networks.
The Rhysida gang, formerly known as Vice Society before rebranding in 2023, has perfected a dangerous infection chain using paid Bing search advertisements.

The gang purchases ads targeting popular software downloads, including PuTTY, Microsoft Teams, and Zoom, then directs users to convincing counterfeit landing pages designed to trick victims into downloading malware instead of legitimate software.


The tactic is particularly effective because these ads appear prominently above organic search results, and because Windows 11's Start menu search returns Bing web results, a sponsored link can surface directly in the Start menu.
OysterLoader serves as an initial access tool, meaning its primary purpose is to establish a foothold on victim systems.
Once installed, it enables attackers to deploy a persistent backdoor that grants long-term access to both the device and the broader network.
This two-stage approach is a common tactic in enterprise-targeting attacks, where gaining initial access is the critical first step in a larger compromise.
The current campaign, which began in June 2025, represents a dramatic escalation from the gang’s previous malvertising efforts that ran from May to September 2024.
The increase in operational intensity is evident in the number of code-signing certificates tracked: the gang has used over 40 certificates in 2025, compared with just 7 during its initial campaign.


This substantial increase demonstrates sustained investment and commitment to this attack vector.
To evade detection, the Rhysida gang employs two key techniques. First, they use malware packers that compress, encrypt, and obfuscate the malware’s functionality, resulting in extremely low detection rates when the files are first encountered.
Security analysis shows that packed samples often trigger alerts from five or fewer antivirus engines initially, with detection rates improving only over several days.
Second, they abuse code-signing certificates to give their malicious files the appearance of legitimacy, exploiting the trust that both users and operating systems place in properly signed software.
The gang’s use of code-signing certificates has inadvertently provided defenders with a tracking advantage.
Each time an issuing authority revokes a certificate, the appearance of a newly issued certificate with a fresh validity window on new samples signals renewed campaign activity.
Expel actively reports discovered certificates for revocation, helping operating systems and security tools identify and block the malware more effectively.
Perhaps most concerning, the Rhysida gang has discovered ways to abuse Microsoft’s own Trusted Signing service, which issues certificates with 72-hour validity periods.
The gang has exploited this system to sign files at scale, prompting Microsoft to revoke over 200 certificates associated with the group.
Despite these revocations, the gang continues operating, showing no signs of abandoning these proven attack methods.
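The signing behaviour described above (certificates that are revoked and replaced, and 72-hour Trusted Signing certificates) is something a defender can triage for directly on the endpoint. The following script is an added example written for this article; it is not code from the article, from Expel, or from Microsoft. It inspects the Authenticode signer of freshly downloaded installers and flags anything unsigned, with an invalid signature, with a certificate valid for 72 hours or less, or whose publisher is not on a local allowlist. The download directory and the publisher allowlist are assumptions for illustration and should be adjusted per environment.

```powershell
# Added example: triage downloaded installers by their Authenticode signer.
# Not from the original article. Paths and the allowlist below are assumptions.
$DownloadDir        = "$env:USERPROFILE\Downloads"   # assumed download location
$MaxShortLivedHours = 72                             # Trusted Signing certs are valid ~72 h
$AllowedPublishers  = @(                             # assumed allowlist; wildcard patterns
    'CN=Simon Tatham*',                              # PuTTY author
    'CN=Microsoft Corporation*',                     # Teams
    'CN=Zoom Video Communications, Inc.*'            # Zoom
)

function Test-DownloadSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $flags = @()

    if ($null -eq $cert) {
        # Unsigned (Status is typically NotSigned); nothing more to inspect.
        return [pscustomobject]@{
            File = Split-Path $Path -Leaf; Status = $sig.Status
            Subject = ''; Issuer = ''; Thumbprint = ''; ValidHours = $null
            Flags = 'unsigned'
        }
    }

    # Lifetime of the signer certificate; short-lived certs are a hunting lead,
    # not proof, because Trusted Signing is also used by legitimate publishers.
    $validHours = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalHours)

    if ($sig.Status -ne 'Valid')                 { $flags += "signature-$($sig.Status)" }
    if ($validHours -le $MaxShortLivedHours)     { $flags += 'short-lived-cert' }
    $allowed = $AllowedPublishers | Where-Object { $cert.Subject -like $_ }
    if (-not $allowed)                           { $flags += 'publisher-not-allowlisted' }

    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Status     = $sig.Status
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint      # report this to the CA / vendor if malicious
        ValidHours = $validHours
        Flags      = ($flags -join ',')
    }
}

# Scan the download folder and show only files that raised at least one flag.
Get-ChildItem -Path $DownloadDir -File -Include *.exe, *.msi -Recurse |
    ForEach-Object { Test-DownloadSignature -Path $_.FullName } |
    Where-Object { $_.Flags } |
    Format-Table File, Status, Subject, ValidHours, Flags -AutoSize
```

Two caveats apply when reading the output. A signature can still report Valid shortly after a certificate is revoked, because the endpoint has to fetch the updated CRL before the revocation takes effect locally, so a clean status on a brand-new download is weak evidence. And a short-lived certificate on its own is common for legitimate software signed through Trusted Signing; the useful signal is the combination of a short-lived certificate, a publisher that is not the expected vendor, and a download that originated from a search ad rather than the vendor's own site. The thumbprint is worth recording in either case, since it is what defenders such as Expel report for revocation.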
Enterprises should download software only from the vendor's own site or an approved package source rather than from search results, verify the URL and the signer of any installer before running it, and consider blocking sponsored search results and ad-network domains at the proxy or DNS layer.
The success of this campaign underscores how attackers leverage legitimate services and user trust to compromise organizations at scale.