Ransomware, Threat Intelligence, Malware
October 31, 2025

The Rhysida ransomware gang’s most recent malvertising campaign to spread OysterLoader has used more than 40 code-signing certificates to conceal its malicious nature, Expel reported Friday.
OysterLoader, also known as Broomstick and CleanUpLoader, serves to gain initial access to a victim’s machine for the deployment of a persistent backdoor and, ultimately, additional payloads including the Rhysida ransomware.
Rhysida has historically utilized malvertising on Google and Bing to distribute the loader, with initial campaigns seen between May and September 2024. The most recent campaign, which first launched in June 2025, primarily uses Bing advertisements to draw in potential victims, imitating popular software like Microsoft Teams, PuTTY and Zoom, according to Expel.
These malicious Bing advertisements can appear not only as a top search result for users searching for the legitimate software, as shown by a screenshot posted by a senior security operations analyst at Huntress, but also in the Windows 11 Start menu when searching for software from the taskbar, Expel showed.
The fake advertisements lead to spoofed pages that closely resemble legitimate download pages, fooling users into installing the OysterLoader malware.
The threat actor uses code-signing certificates as a means to avoid detection, fraudulently obtaining certificates that make the malware appear as trusted software.
Through tracking the code-signing certificates used by Rhysida in its most recent campaign, Expel found this campaign to be of a larger scale than that seen in 2024, with more than 40 different certificates used compared to just seven last year.
Certificate issuers regularly revoke certificates for software later discovered to be malicious, leading the threat actors to obtain new certificates as the campaign goes on, and each new certificate enables Expel to track a new phase of the campaign, the researcher explained.
The increase in certificates used in the 2025 campaign compared with 2024 indicates a more aggressive campaign and a willingness to invest more resources in obtaining fresh certificates as previous certificates are revoked.
Rhysida has also been known to abuse the Microsoft Trusted Signing system to attempt to obtain certificates issued by Microsoft for their malware; earlier this month, Microsoft announced that it had revoked more than 200 certificates associated with the campaign, most of which were disrupted before they could be actively abused.
In addition to OysterLoader, Expel discovered the Rhysida threat actors were also using Latrodectus malware in their campaign, as both OysterLoader and Latrodectus samples were found to be signed by the same code-signing certificate, with Art en Code B.V. as the signer.
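A defender-side illustration of the points above, impersonated installers carrying the wrong signer, each new certificate marking a new campaign phase, and one certificate shared across two malware families, as an added example that is not Expel's tooling or the article's own; the telemetry records, thumbprints and expected-publisher strings are constructed placeholders:

```python
from collections import defaultdict
from datetime import date

# Brands the campaign imitates (from the article) mapped to the publisher name a
# genuine installer's Authenticode signer subject should contain. The publisher
# strings are an assumption for illustration, not values from the article.
EXPECTED_SIGNER = {
    "teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "zoom": "Zoom Video Communications",
}

# Constructed telemetry: (file name, signer subject, cert thumbprint, first seen, family).
# Signer names and thumbprints are placeholders, not real indicators.
SAMPLES = [
    ("TeamsSetup.exe", "Microsoft Corporation", "TP-MS-REAL", date(2025, 6, 2), "benign"),
    ("putty-installer.msi", "Example Signer One B.V.", "TP-0001", date(2025, 6, 10), "OysterLoader"),
    ("ZoomInstaller.exe", "Example Signer One B.V.", "TP-0001", date(2025, 6, 18), "Latrodectus"),
    ("TeamsSetup.exe", "Example Signer Two GmbH", "TP-0002", date(2025, 7, 3), "OysterLoader"),
    ("putty.exe", "", "", date(2025, 7, 9), "OysterLoader"),
]


def impersonation_alerts(records):
    """Flag files whose name matches a known brand but whose signer is missing or
    does not match that brand's expected publisher (the spoofed-download case)."""
    alerts = []
    for name, signer, thumb, seen, family in records:
        brand = next((b for b in EXPECTED_SIGNER if b in name.lower()), None)
        if brand is None:
            continue
        if EXPECTED_SIGNER[brand] not in signer:
            reason = "unsigned" if not signer else f"unexpected signer '{signer}'"
            alerts.append((name, brand, reason))
    return alerts


def certificate_phases(records):
    """Order each distinct malicious signing certificate by first-seen date; each
    new certificate marks a new phase of the campaign, as Expel tracked it."""
    first_seen, families = {}, defaultdict(set)
    for name, signer, thumb, seen, family in records:
        if not thumb or family == "benign":
            continue
        first_seen[thumb] = min(seen, first_seen.get(thumb, seen))
        families[thumb].add(family)
    return [(t, first_seen[t], sorted(families[t])) for t in sorted(first_seen, key=first_seen.get)]


def shared_certificates(records):
    """Certificates that signed more than one malware family (the OysterLoader /
    Latrodectus overlap described in the article)."""
    return [t for t, _, fams in certificate_phases(records) if len(fams) > 1]
```

In practice the records would come from an EDR or from Get-AuthenticodeSignature output, and the signer list from Expel's published indicators rather than the placeholders here.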
Expel published indicators of compromise (IoC) for Rhysida attacks on GitHub as well as a list of signers of Rhysida’s code-signing certificates on its blog.
Rhysida, first established as Vice Society in 2021 and rebranded as Rhysida in 2023, has conducted numerous attacks against governments, healthcare organizations and other critical infrastructure industries. Earlier this year, Rhysida claimed responsibility for attacks on the Oregon Department of Environmental Quality, the Cookeville Regional Medical Center in Tennessee and the Maryland Department of Transportation.
