An ongoing malicious advertising campaign is impersonating legitimate software downloads to deploy the OysterLoader malware, also tracked as Broomstick and CleanUpLoader.
This sophisticated initial access tool enables cybercriminals to establish footholds in corporate networks, ultimately serving as a delivery mechanism for the notorious Rhysida ransomware gang.
The Rhysida ransomware operation has targeted enterprises since emerging from the Vice Society group in 2021, later rebranding in 2023. Despite attempts to evade law enforcement through name changes, security researchers continue tracking their evolving tactics.
The current campaign uncovered by Expel represents their second major malvertising operation, building on tactics proven successful during their initial run from May to September 2024. Since June 2025, threat actors have maintained persistent operations with dramatically increased intensity and scope.
Rhysida’s Evolution and Persistent Threat
Rhysida operators purchase advertisements on Bing’s search engine, directing unsuspecting users toward convincing but malicious landing pages. These sponsored results appear prominently in search results and even within Windows 11 start menu searches, placing malware downloads directly before potential victims.
Recent campaigns have impersonated popular software, including Microsoft Teams, PuTTY, and Zoom, with threat actors creating nearly identical fake download pages.

The malicious PuTTY advertisements demonstrate this technique: the sponsored results intentionally misspell “PuTTY” as “Putty” while still appearing legitimate enough to deceive users searching for the genuine SSH and telnet client.
OysterLoader’s effectiveness stems from two primary evasion techniques. First, attackers pack the malware through compression and obfuscation, hiding its true capabilities from security tools.
This results in remarkably low initial detection rates, with fewer than five antivirus engines typically flagging new samples. Second, threat actors sign the binaries with code-signing certificates, so that Windows trust checks treat the downloads as coming from a legitimate publisher.

The scale of this operation is evident in certificate usage. While the 2024 campaign utilized seven certificates, the current 2025 campaign has burned through over 40 unique code-signing certificates, indicating substantial resource investment and operational commitment.
Rhysida doesn’t rely solely on OysterLoader. Expel researchers discovered the gang simultaneously deploying Latrodectus malware, confirmed when identical code-signing certificates appeared on both malware families.
Additionally, Rhysida has exploited Microsoft’s Trusted Signing service, circumventing its 72-hour certificate validity restrictions. Microsoft reports revoking over 200 certificates associated with this campaign, yet operations remain active.
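The certificate behaviour described above (the same certificate appearing on differently named payloads, dozens of certificates burned through, and short-lived Trusted Signing certificates) is something a defender can hunt for by pivoting on signer metadata rather than on file hashes, which change with every repack. The following Python is an added illustration, not code from the article or from Expel. It assumes the signature fields (signer CN, thumbprint, validity dates) have already been extracted from downloaded installers by a tool such as PowerShell's Get-AuthenticodeSignature or signtool, and it uses an expected-publisher mapping that is an assumption for illustration only and must be confirmed against a known-good installer from each vendor's official site. All sample records, hashes and thumbprints below are constructed placeholders, not real indicators.

```python
"""Certificate-pivot hunt over code-signing metadata (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Validity window at or below which a certificate is treated as short-lived.
# The article reports a 72-hour limit on Trusted Signing certificates.
SHORT_LIVED = timedelta(hours=72)

# Expected publisher substrings for products the campaign impersonated.
# ASSUMPTION for illustration: verify each against a known-good installer.
EXPECTED_PUBLISHER = {
    "putty": "simon tatham",
    "teams": "microsoft corporation",
    "zoom": "zoom video communications",
}


@dataclass(frozen=True)
class SignedSample:
    """Signer metadata already extracted from one downloaded installer."""
    sha256: str        # file hash (placeholder values in the samples below)
    filename: str      # name under which the landing page offered the file
    signer_cn: str     # subject CN of the code-signing certificate
    thumbprint: str    # certificate thumbprint (placeholder values below)
    not_before: datetime
    not_after: datetime


def cert_lifetime(sample):
    """Validity window of the certificate that signed this sample."""
    return sample.not_after - sample.not_before


def expected_publisher(filename):
    """Publisher substring expected for a lure filename, or None if unknown."""
    name = filename.lower()
    for keyword, publisher in EXPECTED_PUBLISHER.items():
        if keyword in name:
            return publisher
    return None


def group_by_thumbprint(samples):
    """Pivot: all samples signed by the same certificate land in one group."""
    groups = defaultdict(list)
    for s in samples:
        groups[s.thumbprint].append(s)
    return dict(groups)


def hunt(samples, short_lived=SHORT_LIVED):
    """Map each suspicious certificate thumbprint to the reasons it was flagged.

    Certificates with no findings are omitted, so a clean corpus yields {}.
    """
    findings = {}
    for thumb, group in group_by_thumbprint(samples).items():
        reasons = []
        # Heuristic 1: a certificate that only lived a few days.
        if any(cert_lifetime(s) <= short_lived for s in group):
            reasons.append("short-lived certificate (validity <= 72h)")
        # Heuristic 2: one certificate signing several different lures.
        names = sorted({s.filename.lower() for s in group})
        if len(names) > 1:
            reasons.append(f"one certificate signs {len(names)} differently named payloads: {names}")
        # Heuristic 3: signer does not match the product the file claims to be.
        for s in group:
            expected = expected_publisher(s.filename)
            if expected and expected not in s.signer_cn.lower():
                reasons.append(f"publisher mismatch: {s.filename!r} signed by {s.signer_cn!r}")
        if reasons:
            findings[thumb] = reasons
    return findings


# Constructed sample corpus; every hash and thumbprint is a placeholder.
_T0 = datetime(2025, 7, 1, tzinfo=timezone.utc)
CONSTRUCTED_SAMPLES = [
    # Baseline that should not be flagged: long-lived cert, matching publisher.
    SignedSample("sha256-PLACEHOLDER-1", "putty-64bit-installer.msi", "Simon Tatham",
                 "THUMB-PLACEHOLDER-A", _T0, _T0 + timedelta(days=365)),
    # One 48-hour certificate reused across two different lures.
    SignedSample("sha256-PLACEHOLDER-2", "Putty.exe", "EXAMPLE SOFTWARE LLC",
                 "THUMB-PLACEHOLDER-B", _T0, _T0 + timedelta(hours=48)),
    SignedSample("sha256-PLACEHOLDER-3", "TeamsSetup.exe", "EXAMPLE SOFTWARE LLC",
                 "THUMB-PLACEHOLDER-B", _T0 + timedelta(hours=5), _T0 + timedelta(hours=53)),
    # Long-lived certificate, but the signer is not the product's vendor.
    SignedSample("sha256-PLACEHOLDER-4", "ZoomInstaller.exe", "EXAMPLE TRADING LTD",
                 "THUMB-PLACEHOLDER-C", _T0, _T0 + timedelta(days=400)),
]

if __name__ == "__main__":
    for thumb, reasons in hunt(CONSTRUCTED_SAMPLES).items():
        print(thumb)
        for r in reasons:
            print("  -", r)
```

Grouping by thumbprint is the point: a revoked or newly issued certificate can be blocked or hunted across every binary it signed, regardless of how the loader was repacked, and a certificate that signs a "Teams" installer one day and a "PuTTY" installer the next is a stronger signal than either file on its own.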
Security teams should remain vigilant against malvertising campaigns and verify software downloads exclusively through official channels to avoid compromise.