The Rhysida ransomware group—previously known as Vice Society—is exploiting trust in Microsoft platforms to spread malware through deceptive advertisements. In a newly discovered campaign, the gang is targeting users of Microsoft Teams, Zoom, and PuTTY by buying malicious Bing search ads that redirect unsuspecting victims to fraudulent download pages. Once users click the prominent “Download” button, they unknowingly install malware called OysterLoader, a stealthy initial-access tool that opens the door for deeper network intrusions.
Malvertising Campaigns Exploit Microsoft Platforms and Certificates
According to researchers at Expel, Rhysida’s latest campaigns impersonate legitimate download pages for popular communication and remote-access tools. The attackers leverage malvertising—the use of paid ads to distribute malware—to reach enterprise users searching for trusted software online. Once executed, OysterLoader acts as a first-stage downloader that deploys additional payloads, helping Rhysida maintain persistence and steal sensitive company data.
“The most recent campaigns push ads for Microsoft Teams and impersonate the download pages,” researchers from Expel explained.
The malware itself is heavily encrypted to mask its functions, reducing the likelihood of early detection. Analysts note this marks “a common first step in a larger network intrusion,” suggesting that OysterLoader is primarily used to establish access before deploying more destructive or data-stealing malware strains.
Widespread Abuse of Microsoft’s Trusted Signing Certificates
Beyond malvertising, Rhysida has been abusing Microsoft’s Trusted Signing service to make its malware appear legitimate. Code-signing certificates are used by operating systems to verify software authenticity—but the gang sidestepped that check by obtaining genuine certificates through the service and signing its malicious binaries with them.
Microsoft has since revoked more than 200 compromised certificates, but the threat persists. Security analysts have identified over 40 unique code-signing certificates abused by Rhysida between June and October 2025—a dramatic increase from just seven during the same period last year.
To amplify the attack’s reach, Rhysida’s operators rapidly signed their malware within the 72-hour lifespan of Trusted Signing certificates, enabling widespread distribution before the certificates expired. This high-speed abuse allowed the gang to infect more systems while evading detection by endpoint defenses.
Expanding Arsenal: From OysterLoader to Latrodectus
While OysterLoader serves as Rhysida’s entry mechanism, researchers have also linked the group to Latrodectus malware, a sophisticated downloader frequently used in ransomware operations. In several cases, both strains have been discovered signed with the same stolen or abused certificates, suggesting a coordinated effort to diversify infection vectors and maintain persistence across networks.
Rhysida’s tactics align with a broader trend of ransomware groups using malvertising and certificate abuse to evade modern security controls. By exploiting brand trust, legitimate advertising networks, and cryptographic validation systems, the gang continues to blur the line between authentic and malicious software sources.
Defensive Recommendations for Organizations
To mitigate exposure, cybersecurity experts recommend that enterprises:
- Avoid downloading software from advertisements or sponsored search results.
- Verify URLs and publishers before downloading collaboration tools or remote clients.
- Deploy browser-based ad filtering and network traffic inspection to block known malvertising domains.
- Monitor for abnormal certificate usage and revoke any internal signing keys showing suspicious activity.
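One way to act on the last two recommendations is to triage the signature metadata of downloaded installers. The Python below is an added example, not code from the article or from Expel: the signature records, the expected-publisher mapping and the revoked-serial list are all constructed or assumed, and the 72-hour window is the Trusted Signing lifespan the article cites.

```python
from datetime import datetime

# Constructed signature records, shaped like an EDR or sigcheck export of
# downloaded installers. None of these values come from the article.
SAMPLE_EVENTS = [
    {"file": "TeamsSetup.exe", "claimed_product": "Microsoft Teams",
     "signer": "Microsoft Corporation", "serial": "AA01",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-06-01T00:00:00"},
    {"file": "MSTeamsSetup.exe", "claimed_product": "Microsoft Teams",
     "signer": "Example Consulting LLC", "serial": "BB02",
     "not_before": "2025-09-10T08:00:00", "not_after": "2025-09-13T08:00:00"},
    {"file": "putty-installer.msi", "claimed_product": "PuTTY",
     "signer": "Putty Tools Ltd", "serial": "CC03",
     "not_before": "2025-10-01T12:00:00", "not_after": "2025-10-03T12:00:00"},
]

# Publisher each product is expected to be signed by (assumption: confirm
# against a known-good copy obtained from the vendor's own site).
EXPECTED_PUBLISHER = {"Microsoft Teams": "Microsoft Corporation", "PuTTY": "Simon Tatham"}

# Constructed deny-list of certificate serials, standing in for a revocation feed.
REVOKED_SERIALS = {"CC03"}

# Trusted Signing certificate lifespan cited in the article.
SHORT_LIVED_HOURS = 72

def validity_hours(rec):
    """Length of the signing certificate's validity window, in hours."""
    start = datetime.fromisoformat(rec["not_before"])
    end = datetime.fromisoformat(rec["not_after"])
    return (end - start).total_seconds() / 3600

def triage(rec, revoked=REVOKED_SERIALS):
    """Triage signals for one signed file. A short-lived certificate alone is
    not a verdict (legitimate Trusted Signing certs are short-lived too); it
    is a reason to look harder, especially alongside the other two checks."""
    signals = []
    hours = validity_hours(rec)
    if hours <= SHORT_LIVED_HOURS:
        signals.append(f"short-lived cert ({hours:.0f}h)")
    expected = EXPECTED_PUBLISHER.get(rec["claimed_product"])
    if expected and rec["signer"] != expected:
        signals.append(f"publisher mismatch: {rec['signer']!r} != {expected!r}")
    if rec["serial"] in revoked:
        signals.append("revoked serial")
    return signals

def triage_all(events):
    return {e["file"]: triage(e) for e in events}
```

Feed it real records from `Get-AuthenticodeSignature` or an EDR export and route any file with two or more signals to manual review rather than to the user.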
While Microsoft’s revocation of compromised certificates has disrupted some of Rhysida’s infrastructure, the campaign remains active. Organizations are urged to remain vigilant against deceptive ads masquerading as legitimate Microsoft products, as the ransomware group continues to refine its intrusion techniques.