🔴 HIGH malware

Rhysida Ransomware - Fake Teams Ads Deliver OysterLoader

A Rhysida ransomware campaign is using fake Microsoft Teams advertisements in search results to deliver the OysterLoader malware and establish initial access in enterprise environments. Security firm Expel reports that the group buys Bing search ads that impersonate legitimate Teams download pages, funneling users to convincing but malicious landing sites. When victims download what appears to be the Teams installer, they instead execute a packed loader with low static detection that deploys OysterLoader and, in some cases, the Latrodectus malware family. The operators further increase trust by signing binaries with valid code-signing certificates, including ones obtained by misusing Microsoft’s own Trusted Signing service, which blurs the line between legitimate and malicious software.

The campaign shows how far malvertising tactics have matured: they specifically exploit user trust in search engines and popular collaboration tools. The group, which rebranded from Vice Society and has listed around 200 victims on its data leak site, targets governments, healthcare providers, critical infrastructure, and other high-value organizations. By focusing on Teams, PuTTY, Zoom, and other widely used software, Rhysida maximizes the chance that well-intentioned employees will look for downloads via search and unwittingly launch the loader. Once installed, OysterLoader acts as a long-term backdoor, giving attackers time to stage credential theft, lateral movement, and eventual ransomware deployment under the guise of normal software usage.

Mitigating this campaign requires tightening how organizations distribute and approve software, particularly for remote and hybrid workers. Security teams should steer users toward internal software catalogs or vendor-verified stores, monitor for suspicious Teams and collaboration-tool installers, and create detections for newly observed Trusted Signing certificates associated with loader activity. Proactive hunting for OysterLoader and Latrodectus behaviors, combined with strong EDR controls on endpoints used for administration and critical operations, can reduce the likelihood that a single malicious download turns into a full-scale extortion incident.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The Rhysida ransomware campaign turns everyday software downloads into high-impact extortion events, targeting organizations that rely heavily on collaboration tools like Microsoft Teams. Successful infections can disrupt operations, expose sensitive data, and force difficult ransom decisions across government, healthcare, and critical infrastructure sectors.

Technical Context: The group’s use of malvertising, signed binaries, and Trusted Signing certificates allows OysterLoader and related malware such as Latrodectus to blend into normal software distribution flows. By compromising endpoints via fake installers rather than brute-force intrusion, Rhysida bypasses many perimeter controls, underscoring the need for code-signing validation, EDR visibility, and strict control over how enterprise users obtain core collaboration tools.

⚡ Strategic Intelligence Guidance

  • Centralize software distribution through managed app catalogs or device management platforms, explicitly forbidding employees from downloading collaboration tools via search engine ads.
  • Deploy EDR rules and threat hunting playbooks focused on OysterLoader and Latrodectus behaviors, including unusual child processes spawned by newly installed collaboration software.
  • Monitor code-signing telemetry to flag binaries signed with unexpected or recently revoked certificates, especially for installers claiming to be Microsoft Teams or other widely used tools.
  • Reinforce user awareness programs to highlight malvertising risks, demonstrating real-world examples of fake download pages impersonating Teams, Zoom, and other business-critical applications.
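The code-signing checks from the guidance above, as an added Python example that is not code from the page or from Expel: it scores constructed code-signing telemetry events (file name, signer subject, certificate thumbprint, validity window, revocation status) against a baseline of expected signers, flagging installers that claim to be Teams but carry an unexpected signer, short-lived certificates, newly observed certificates, and revoked ones. The thresholds, the event field names, and every baseline entry other than Microsoft for Teams are assumptions.

```python
from datetime import datetime, timedelta

# Expected signer per impersonated product. Only the Teams entry is certain;
# the others are assumed and should come from your own golden-installer baseline.
EXPECTED_SIGNER = {
    "teams": "microsoft corporation",
    "zoom": "zoom video communications, inc.",   # assumed
    "putty": "simon tatham",                     # assumed
}
SHORT_LIVED_DAYS = 7    # assumed threshold for a "short-lived" signing certificate
NEW_CERT_DAYS = 14      # assumed window for a "newly observed" certificate

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def assess(event, known_thumbprints, now):
    """Return the findings for one code-signing telemetry event (constructed schema)."""
    findings = []
    name = event["file_name"].lower()
    signer = event["signer_subject"].lower()
    # Installer claims a known product but is not signed by its expected publisher.
    for product, expected in EXPECTED_SIGNER.items():
        if product in name and expected not in signer:
            findings.append("unexpected_signer")
            break
    nb, na = parse_ts(event["not_before"]), parse_ts(event["not_after"])
    # Very short validity windows are characteristic of on-demand signing services.
    if na - nb <= timedelta(days=SHORT_LIVED_DAYS):
        findings.append("short_lived_cert")
    # Certificate never seen in the fleet before and issued very recently.
    if event["thumbprint"] not in known_thumbprints and now - nb <= timedelta(days=NEW_CERT_DAYS):
        findings.append("newly_observed_cert")
    if event.get("revocation_status") == "revoked":
        findings.append("revoked_cert")
    return findings

# Constructed sample telemetry: fake thumbprints and dates, not real certificates.
EVENTS = [
    {"file_name": "MSTeamsSetup.exe", "signer_subject": "CN=Microsoft Corporation, O=Microsoft Corporation",
     "thumbprint": "AAAA1111", "not_before": "2024-01-10T00:00:00Z", "not_after": "2025-01-10T00:00:00Z",
     "revocation_status": "good"},
    {"file_name": "Teams_Installer.exe", "signer_subject": "CN=Example Dev LLC, O=Example Dev LLC",
     "thumbprint": "BBBB2222", "not_before": "2025-11-01T00:00:00Z", "not_after": "2025-11-04T00:00:00Z",
     "revocation_status": "good"},
]
KNOWN = {"AAAA1111"}   # thumbprints already seen on approved installers (constructed)

def triage(events=EVENTS, known=KNOWN, now=datetime(2025, 11, 3)):
    """Map each installer to its findings; an empty list means nothing to escalate."""
    return {e["file_name"]: assess(e, known, now) for e in events}
```

Feed `assess` real events from your EDR or SIEM by mapping their fields onto the constructed schema, and seed `KNOWN` from the thumbprints of installers your software catalog already ships.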

Vendors

Microsoft, Expel

Threats

Rhysida ransomware, OysterLoader, Latrodectus, Malvertising

Targets

Microsoft Teams users, Enterprise endpoints, Government organizations, Healthcare providers

Impact

Data Volume: Around 200 victims on data leak site