The Rhysida hacking group has begun distributing malware via fake Bing ads targeting users of Microsoft Teams, Zoom, and PuTTY. The attackers forge official download pages and use Microsoft-signed certificates to bypass protection and infect the system with the OysterLoader malware loader.

Rhysida, also known as Vice Society, has launched a new malvertising campaign targeting business users of popular corporate tools: Teams, Zoom, and PuTTY.

The attack looks like this:
attackers buy ads on Bing;
the user goes to a fake website;
sees the “official” Download button;
receives a file that installs OysterLoader.

OysterLoader is an initial-access tool that allows attackers to gain a foothold in the system, evade detection, and download additional modules. Researchers have also noticed the use of Latrodectus, often signed with the same certificates.

The main feature of the campaign is the abuse of Microsoft Trusted Signing: certificates that the OS uses to confirm the legitimacy of files. Rhysida has found a way to sign malware en masse and distribute it until it is blocked.

Microsoft has already revoked more than 200 certificates, but analysts warn that the attacks continue, and the broken signature model allows the group to bypass classic protections.

Rhysida has evolved in recent years from a ransomware group into a sophisticated cybercriminal collective with mixed tactics:
malvertising
social engineering
attack chain with multiple tools
bypassing controls through legitimate certificates

According to researchers, 40+ unique certificates have been recorded since June alone, compared with only seven during the same period a year ago. This indicates the scaling of attacks and the automation of malware signing tools.

The Rhysida campaign highlights a critical trend: even signing a file with a certificate no longer guarantees security. Malvertising attacks on popular business applications are becoming the new norm. Companies should:
verify download sources
block suspicious advertising domains
use behavioral EDR systems
train employees not to trust “official” banners
Today’s threats are becoming more sophisticated — and they use the same channels that businesses trust.
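
The attack chain and the "verify download sources" advice above can be turned into a check over web proxy logs. The following is an added example, not code from the article or the researchers; the allow-listed vendor domains, the log format and the sample lines are assumptions constructed for illustration and need to be confirmed locally.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allow-list of vendor download domains; verify and extend locally.
OFFICIAL = {
    "teams": ("microsoft.com", "office.net"),
    "zoom": ("zoom.us",),
    "putty": ("chiark.greenend.org.uk", "the.earth.li"),
}
INSTALLER_EXTS = (".exe", ".msi", ".msix")

# Constructed proxy log lines: timestamp client url referrer ("-" = no referrer).
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 https://teams-install.example/ https://www.bing.com/search?q=teams+download
2025-01-10T09:00:09Z 10.0.0.5 https://cdn.teams-install.example/dl/MSTeamsSetup.exe https://teams-install.example/
2025-01-10T09:05:00Z 10.0.0.7 https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
2025-01-10T09:07:30Z 10.0.0.8 https://files.example/tools/ZoomInstaller.exe -
"""

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def find_suspect_downloads(log_text):
    """Flag Teams/Zoom/PuTTY installers served from hosts outside the allow-list."""
    from_bing = {}  # client -> hosts that client reached with a Bing referrer
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip malformed lines
            continue
        ts, client, url, referrer = fields
        host, ref_host = host_of(url), host_of(referrer)
        if in_domain(ref_host, "bing.com"):
            from_bing.setdefault(client, set()).add(host)
        name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        product = next((p for p in OFFICIAL if p in name), None)
        if product is None or not name.endswith(INSTALLER_EXTS):
            continue
        if any(in_domain(host, d) for d in OFFICIAL[product]):
            continue  # served from an allow-listed vendor domain
        seen = from_bing.get(client, set())
        alerts.append({"time": ts, "client": client, "product": product, "host": host,
                       "via_bing": host in seen or ref_host in seen})
    return alerts
```

The `via_bing` field marks downloads whose host or referring page the same client had reached from a Bing result, which matches the ad-to-fake-site-to-download sequence described in the article.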