Figure: Example malicious PuTTY ad shared by Tanner via X on July 18, 2025.
The Rhysida ransomware gang, previously known as Vice Society, has launched an aggressive malvertising campaign leveraging Microsoft’s Trusted Signing certificates to distribute OysterLoader malware—a stealthy initial access tool (IAT) that sets the stage for larger network intrusions.
In its latest report, Expel Threat Intelligence revealed that Rhysida has been “targeting enterprises for years now. First working as Vice Society in 2021, and then rebranding to Rhysida in 2023.” The group’s rebrand appears to have been an attempt to “divert law enforcement,” but as Expel notes, “defenders don’t forget just because of changed names or time passed.”
Expel’s research shows that Rhysida’s current campaign has been active since June 2025, following an earlier run between May and September 2024. Both operations rely on a sophisticated malvertising model—placing fake ads on Bing search results to lure users into downloading malicious installers disguised as legitimate software like Microsoft Teams, PuTTY, and Zoom.
“Threat actors buy Bing search engine advertisements to direct users to convincing-looking, but malicious landing pages,” Expel explained. “The most recent campaigns push ads for Microsoft Teams and impersonate the download pages. However, they’ve also cycled through other popular software such as PuTTY and Zoom.”
Expel notes that because Bing ads appear in the Windows 11 Start Menu, users can be tricked into downloading these trojanized applications directly from their desktops, increasing infection rates across both enterprise and home users.
At the core of Rhysida’s operation is OysterLoader, also known as Broomstick or CleanUpLoader. It serves as an initial access loader—the first stage in a multi-step compromise designed to establish persistence and deliver follow-on payloads like ransomware or remote access tools.
“OysterLoader is, fundamentally, an initial access tool (IAT),” Expel wrote. “Its sole function is to establish a foothold on a device so a second stage persistent backdoor can be dropped on the system and establish long-term access.”
To ensure stealth, the attackers rely on two major evasion techniques:
- Packing the malware to obfuscate its code and reduce detection rates.
- Using stolen or abused code-signing certificates to make the software appear legitimate.
Expel found that VirusTotal detection rates for new OysterLoader samples start extremely low—often flagged by fewer than five antivirus engines—and it can take days before broader detection improves.
One of the most alarming findings from Expel’s report is that Rhysida is abusing Microsoft’s own Trusted Signing service to digitally sign their malware.
“In addition to this one certificate, the Rhysida ransomware gang are also one of the few cybercriminals leveraging Trusted Signing from Microsoft—Microsoft’s own service for issuing code-signing certificates,” Expel reported. “They use these Trusted Signing certificates for both OysterLoader and the second stage dropped from Latrodectus.”
Microsoft’s Trusted Signing system issues certificates valid for only 72 hours, making it difficult for attackers to buy and resell them at scale. However, Rhysida or one of its suppliers “identified a means to abuse Microsoft’s Trusted Signing system, allowing them to sign files at scale.”
Expel’s telemetry indicates that over 200 certificates associated with Rhysida’s campaigns have already been revoked by Microsoft. Yet, the gang continues to exploit this system—a tactic that gives their malicious binaries a veneer of legitimacy and makes detection more difficult for endpoint security tools.
“The Rhysida ransomware gang uses certificates to give their own malicious files a higher level of trust,” Expel wrote. “These new certificates further indicate steady investment into their campaign.”
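One practical check a defender can run on freshly downloaded installers, added here as an example and not taken from the Expel report or the article: list the Authenticode signer certificate of each file and flag any whose validity window is 72 hours or less, the lifetime the article gives for Microsoft Trusted Signing certificates. The Downloads folder paths and the 72-hour threshold are assumptions.

```powershell
# Added example (not from the Expel report): surface short-lived signer certificates
# on downloaded installers. A 3-day certificate on a "Teams" or "PuTTY" setup file
# is not proof of malice, but it is exactly the property this campaign abuses.
param(
    # Assumed locations; point these at wherever users save installers.
    [string[]]$Path = @("$env:USERPROFILE\Downloads\*.exe",
                        "$env:USERPROFILE\Downloads\*.msi"),
    # Assumed threshold, matching the 72-hour lifetime described in the article.
    [int]$MaxValidityHours = 72
)

Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned or unreadable signature: report it and move to the next file.
        [pscustomobject]@{
            File = $_.Name; Status = $sig.Status; Subject = ''; Issuer = ''
            NotBefore = $null; NotAfter = $null; LifetimeHrs = $null
            Thumbprint = ''; Flag = 'NoSignerCert'
        }
        return
    }

    # Certificate lifetime in hours; Trusted Signing certs are issued for 72 hours.
    $lifetimeHours = ($cert.NotAfter - $cert.NotBefore).TotalHours
    $flag = if ($lifetimeHours -le $MaxValidityHours) { 'ShortLivedCert' } else { '' }

    [pscustomobject]@{
        File        = $_.Name
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        LifetimeHrs = [math]::Round($lifetimeHours, 1)
        Thumbprint  = $cert.Thumbprint       # handy pivot for blocklists and hunts
        Flag        = $flag
    }
} | Sort-Object LifetimeHrs | Format-Table -AutoSize
```

A `Valid` status only means the chain verified at the time of the check; as the article notes, Microsoft has revoked the abused certificates after the fact, so a short-lived signer on a file fetched from an ad-driven download page is worth treating as suspicious regardless of status.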
The data collected by Expel reveals a sharp escalation in Rhysida’s activity:
| Campaign Period | Certificates Tracked | Description |
|---|---|---|
| May – Sept 2024 | 7 certificates | First Microsoft Teams malvertising campaign |
| June 2025 – Ongoing | 40+ certificates | Second, larger campaign with increased operational scale |
Expel also confirmed that Rhysida is deploying multiple malware families simultaneously, including Latrodectus, another initial access tool used in phishing-based campaigns.
Expel concluded its report by confirming that it continues to track Rhysida’s evolving operations and has published Indicators of Compromise (IOCs) for the ongoing campaigns on its GitHub repository.