A notorious ransomware group is spreading fake Microsoft Teams ads to snare victims

Users searching for Microsoft Teams need to be extra careful lately, as the Rhysida ransomware group has been pushing fake ads to trick people into downloading malware. Cybersecurity firm Expel uncovered that these misleading ads deliver a type of malware called OysterLoader, which was previously known as Broomstick and CleanUpLoader. This isn’t the first time Rhysida has impersonated Microsoft Teams; it’s actually their second campaign in just the last year and a half. OysterLoader acts as an initial access tool (IAT), meaning once it's installed, it opens a backdoor on the victim’s device and network, allowing attackers to maintain long-term access. The attack method here is quite clever and relies heavily on malvertising. Rhysida buys ads on Bing’s search engine that look legitimate and direct users to download pages that seem official but are actually malicious. Aaron Walton, a threat intelligence analyst at Expel, explained that these ads make it easy for victims to find and download the malware because it’s right there in the search results. While Microsoft Teams is the current bait, the group has previously used other popular apps like PuTTY and Zoom to lure victims. To make detection harder, Rhysida uses packing tools that mask the malware’s true functions, which results in low detection rates when the malware first appears. The group also employs code-signing certificates that are usually reserved for genuine software publishers. This trick boosts the trustworthiness of their malicious files and helps them avoid immediate suspicion. Interestingly, these certificates tend to get revoked quickly, which actually helps security firms spot when new waves of the campaign begin, since fresh certificates indicate new batches of malware being released. Besides OysterLoader, Rhysida is also deploying another malware called Latrodectus for initial network access. Expel observed this while analyzing files for developing detection rules. Rhysida stands out among cybercriminal groups because it uses Microsoft’s Trusted Signing service to acquire code-signing certificates—something designed to prevent certificate misuse. It seems they’ve figured out ways to bypass the built-in protections meant to stop this kind of abuse. Originating as Vice Society in 2021, the group rebranded as Rhysida in 2023 and operates under a Ransomware as a Service (RaaS) model with a double extortion tactic. Since then, they’ve publicly listed about 200 victims on their data leak site, including government agencies, healthcare providers, and critical infrastructure. Notable victims this year include the Oregon Department of Environmental Quality, Cookville Regional Medical Center in Tennessee, the Sunflower Medical Group in Kansas, and the Community Care Alliance focused on mental illness and addiction. They’ve also targeted the Maryland Department of Transportation and the British Library. These developments underscore the ongoing risks posed by sophisticated ransomware groups like Rhysida, who continuously adapt their tactics to evade detection and maximize impact. It's a stark reminder for organizations and individuals alike to remain vigilant, especially when downloading software from online sources. Always verify download links through official channels to avoid falling prey to such malicious schemes.