The **Rhysida ransomware gang** used **malvertising** to impersonate **Microsoft Teams** in search-engine ads (primarily Bing), steering users to look-alike download pages that served a fake installer carrying **OysterLoader** (also known as Broomstick/CleanUpLoader). The campaign, active since **June 2024**, combined **typosquatted domains** with **code-signing certificates** (more than 40 in the latest wave) so that the installers passed signature and reputation checks; some samples went undetected on **VirusTotal** for days. Once run, the loader gave the operators a foothold from which **Rhysida ransomware** was deployed to encrypt systems and exfiltrate data for extortion. Rhysida operates as **RaaS (Ransomware-as-a-Service)**, with affiliates running intrusions on the core group's infrastructure. Since **2023** the group has posted data from **~200 organizations** on its leak site (27 of them since June 2024), targeting victims that refuse to pay. Microsoft revoked **200+ certificates** tied to this activity, but revocation only stops new installs: packed, signed loaders that were already running stayed undetected, which is why infections persisted. The chain from **fake ad to ransomware deployment** shows a coordinated, evolving operation that trades on **trust in Microsoft's brand** to reach enterprises globally.
Source: https://www.theregister.com/2025/10/31/rhysida_abuses_fake_teams_ads/
TPRM report: https://www.rankiteo.com/company/microsoft
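The chain above begins with a search ad whose landing page is a look-alike domain. The following Python, added here as an illustration and not code from Expel, Microsoft or the page's source, scans constructed proxy log lines for Teams-download requests that end up on non-Microsoft hosts: brand terms in the host name (including digit-for-letter substitutions such as micros0ft), Teams-named installers served from unrelated hosts, and ad click-throughs whose destination is the typosquat. The log lines, domain names, allow-list and the shape of the Bing click-through URL (destination carried URL-encoded in the `u` parameter) are assumptions for illustration, not indicators from the campaign.

```python
"""Flag Teams-download requests that go to look-alike domains.

Added example for this report; not code from Expel, Microsoft, or the page's
source.  The proxy lines, domain names, and allow-list below are constructed
for illustration and are not indicators from the campaign.
"""
import re
from urllib.parse import parse_qs, urlparse

# Domains that legitimately serve the Teams client or its download page.
# Assumption: extend this from your own proxy history before deploying.
ALLOWED_SUFFIXES = ("microsoft.com", "office.com", "office.net", "microsoftonline.com")
# Brand terms that have no business appearing in a non-Microsoft host name
# when the request is for a Teams download.
BRAND_TOKENS = ("microsoft", "msteams", "teams", "office")
INSTALLER_RE = re.compile(r"\.(exe|msi|msix)$", re.IGNORECASE)
# Digit-for-letter swaps typosquatters use (micr0soft, 0ffice, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1717200000.123 10.1.4.22 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200
1717200005.456 10.1.4.22 GET https://teams-microsoft-download.example/MSTeamsSetup.exe 200
1717200009.789 10.1.4.31 GET https://micros0ft-teams.example/download/teams.msi 200
1717200012.001 10.1.4.31 GET https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.1234/Teams_windows_x64.exe 200
1717200020.300 10.1.4.40 GET https://www.bing.com/aclick?ld=abc123&u=https%3A%2F%2Fmsteams-setup.example 302
1717200025.600 10.1.4.40 GET https://cdn-files.example/pub/MSTeamsSetup_x64.exe 200
1717200030.900 10.1.4.51 GET https://www.bing.com/search?q=teams+download 200
"""


def normalize_host(host: str) -> str:
    """Undo common homoglyph tricks so micr0soft-tearns compares as microsoft-teams."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def landing_url(url: str) -> str:
    """Resolve an ad click-through (/aclick?...&u=<dest>) to its destination.

    Assumption: the destination is URL-encoded in 'u'.  The click URL itself is
    on bing.com and looks harmless; the typosquat is in the parameter.
    """
    p = urlparse(url)
    if p.netloc.lower().endswith("bing.com") and p.path == "/aclick":
        dest = parse_qs(p.query).get("u")
        if dest:
            return dest[0]
    return url


def classify(url: str):
    """Return a reason string if the request looks like a fake Teams download, else None."""
    p = urlparse(landing_url(url))
    host = p.netloc.lower()
    if not host or is_allowed(host):
        return None
    norm = normalize_host(host)
    if any(tok in norm for tok in BRAND_TOKENS):
        reason = "brand term in non-Microsoft host"
        if norm != host:
            reason += " (homoglyph substitution)"
        return reason
    if INSTALLER_RE.search(p.path) and "teams" in p.path.lower():
        return "Teams-named installer served from non-Microsoft host"
    return None


def scan_log(text: str):
    """Return (client, landing_url, reason) for each suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        reason = classify(url)
        if reason:
            hits.append((client, landing_url(url), reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client}  {url}  <- {reason}")
```

Two of the seven constructed lines are legitimate (the Microsoft download page and the Teams CDN on office.net) and are left alone; the remaining four are flagged, including the click-through whose destination only becomes visible after decoding the `u` parameter. In production the allow-list should be built from observed Teams update traffic rather than guessed, since the client fetches from several Microsoft CDNs.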
"id": "mic0502205110125",
"linkid": "microsoft",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'location': ['global (targeted via Bing ads)'],
'name': 'Unspecified organizations (27+ since June '
'2024, ~200 since 2023)',
'type': ['private companies',
'public sector (possible)',
'non-profits (possible)']},
{'customers_affected': 'users who clicked malicious ads',
'industry': 'software/IT',
'location': 'global',
'name': 'Microsoft (indirectly, via abuse of Teams '
'branding)',
'size': 'large enterprise',
'type': 'technology corporation'}],
'attack_vector': ['malvertising (Bing ads)',
'typosquatting',
'fake Microsoft Teams download pages',
'malicious installer (OysterLoader/Latrodectus)',
'packed malware with obfuscation',
'code-signing certificate abuse'],
'customer_advisories': ['Users advised to download Microsoft Teams only from '
'official sources '
'(https://www.microsoft.com/en-us/microsoft-teams/download-app).',
'Organizations warned to monitor for '
'OysterLoader/Latrodectus infections.'],
'data_breach': {'data_encryption': ['yes (ransomware encrypts files '
'post-infection)'],
'data_exfiltration': ['confirmed (Rhysida posts non-paying '
"victims' data on leak site)"],
'number_of_records_exposed': ['undisclosed (no figure '
'reported in the source)'],
'personally_identifiable_information': ['likely (based on '
"Rhysida's historical "
'targeting)'],
'sensitivity_of_data': ['high (includes PII and proprietary '
'data)'],
'type_of_data_compromised': ['potentially PII',
'corporate data',
'credentials',
'financial information (if '
'exfiltrated)']},
'date_detected': '2024-06-01',
'date_publicly_disclosed': '2024-10-18',
'description': 'The Rhysida ransomware gang has been placing fake ads for '
'Microsoft Teams in search engines (primarily Bing) to infect '
'victims with OysterLoader (also known as Broomstick and '
'CleanUpLoader) and Latrodectus malware. The campaign, ongoing '
'since June 2024, leverages malvertising and typosquatting to '
'trick users into downloading malicious installers. The group '
'operates as a ransomware-as-a-service (RaaS) and has '
'compromised at least 27 organizations since June 2024, with '
'~200 victims posted on their leak site since 2023. The '
'malware uses packing tools and code-signing certificates to '
'evade detection, with Microsoft revoking over 200 '
'certificates tied to this activity.',
'impact': {'brand_reputation_impact': ['damage to trust in Microsoft Teams '
'downloads',
'reputational harm to affected '
'organizations'],
'data_compromised': ['volume undisclosed',
'sensitive organizational and personal data'],
'identity_theft_risk': ['high (due to stolen PII)',
'risk of credential stuffing attacks'],
'legal_liabilities': ['potential regulatory fines for data '
'breaches',
'legal actions from affected parties'],
'operational_impact': ['disruption of business operations due to '
'ransomware encryption',
'incident response and recovery efforts'],
'payment_information_risk': ['potential exposure if financial data '
'was exfiltrated'],
'systems_affected': ['Windows machines via malicious Teams '
'installer',
'networks compromised post-initial access']},
'initial_access_broker': {'backdoors_established': ['OysterLoader and '
'Latrodectus used for '
'persistence'],
'data_sold_on_dark_web': ['likely (Rhysida operates '
'a data leak site for '
'non-paying victims)'],
'entry_point': ['malvertising (Bing ads)',
'fake Microsoft Teams download '
'pages'],
'high_value_targets': ['corporate networks',
'data-rich organizations'],
'reconnaissance_period': ['ongoing since June 2024 '
'(second wave)',
'previous campaign: '
'May–September 2024']},
'investigation_status': 'ongoing (Expel and Microsoft continue tracking)',
'lessons_learned': ['Malvertising remains an effective initial access vector, '
'especially when abusing trusted brands like Microsoft '
'Teams.',
'Code-signing certificate abuse can bypass security '
'controls, requiring proactive revocation by CAs.',
'Obfuscation techniques (e.g., packing tools) can delay '
'AV detection, emphasizing the need for behavioral-based '
'defenses.',
'RaaS models like Rhysida enable rapid scaling of attacks '
'with varied malware (OysterLoader, Latrodectus).',
'Typosquatting and fake download pages exploit user trust '
'in search engines and legitimate software.'],
'motivation': ['financial gain (ransom payments)',
'data exfiltration for extortion',
'selling stolen data on dark web'],
'post_incident_analysis': {'corrective_actions': ['Search engines (e.g., '
'Bing) should enhance ad '
'verification for software '
'downloads.',
'Certificate authorities '
'(CAs) must improve '
'validation and revocation '
'processes.',
'Organizations should '
'implement allow-listing '
'for software '
'installations.',
'Security vendors need to '
'prioritize behavioral '
'detection for '
'packed/obfuscated '
'malware.'],
'root_causes': ['Over-reliance on search engine '
'ads as a trusted software '
'distribution channel.',
'Delayed detection of obfuscated '
'malware by traditional AV '
'solutions.',
'Abuse of legitimate code-signing '
'certificates to bypass security '
'controls.',
'Lack of user awareness about '
'typosquatting and fake download '
'pages.']},
'ransomware': {'data_encryption': ['yes (post-infection)'],
'data_exfiltration': ['yes (double extortion model)'],
'ransomware_strain': ['Rhysida',
'OysterLoader (loader)',
'Latrodectus (initial access)']},
'recommendations': ['Organizations should educate employees on verifying '
'download sources and avoiding search engine ads for '
'software.',
'Verify Authenticode signatures and check revocation '
'(CRL/OCSP) at install time; Certificate Transparency '
'logs cover TLS certificates, not code-signing '
'certificates, so alert on unknown or newly issued '
'signers instead.',
'Deploy behavioral-based detection (e.g., EDR/XDR) to '
'catch obfuscated malware like OysterLoader.',
'Segment networks to limit lateral movement '
'post-infection.',
'Monitor dark web/leak sites for signs of exfiltrated '
'data.',
'Regularly update and patch systems to mitigate '
'post-exploitation vulnerabilities.',
'Enforce application control (e.g., WDAC or AppLocker '
'allow-listing) and administrative approval for software '
'installation.'],
'references': [{'date_accessed': '2024-10-18',
'source': 'The Register',
'url': 'https://www.theregister.com/2024/10/18/rhysida_ransomware_malvertising/'},
{'date_accessed': '2024-10-18',
'source': 'Expel Blog',
'url': 'https://expel.com/blog/rhysida-malvertising-campaign/'},
{'date_accessed': '2024-10-15',
'source': 'Microsoft Threat Intelligence (X/Twitter)',
'url': 'https://x.com/MsftSecIntel/status/[redacted]'},
{'date_accessed': '2024-10-18',
'source': 'Expel GitHub Indicators',
'url': 'https://github.com/expel-io/[redacted]'}],
'regulatory_compliance': {'regulatory_notifications': ['likely required for '
'affected '
'organizations (e.g., '
'GDPR, state breach '
'laws)']},
'response': {'communication_strategy': ['Expel blog post (2024-10-18)',
'Microsoft social media advisory '
'(2024-10-15)'],
'containment_measures': ['Microsoft revoked malicious '
'certificates',
'AV vendors updating detection '
'signatures'],
'enhanced_monitoring': ['Expel tracking indicators on GitHub',
'recommended for potential targets'],
'incident_response_plan_activated': ['likely by affected '
'organizations',
'Microsoft revoked 200+ '
'malicious certificates'],
'network_segmentation': ['recommended for affected '
'organizations'],
'recovery_measures': ['restoration from backups (if available)',
'rebuilding compromised systems'],
'remediation_measures': ['removal of OysterLoader/Latrodectus '
'malware',
'reset of credentials used on infected hosts '
'(initial access relied on a malicious installer, '
'not an exploited software vulnerability)'],
'third_party_assistance': ['Expel (threat intelligence tracking)',
'Microsoft Threat Intelligence Team']},
'stakeholder_advisories': ['Microsoft revoked malicious certificates and '
'issued a public advisory.',
'Expel published technical details and indicators '
'of compromise (IoCs).'],
'threat_actor': ['Rhysida (tracked by Microsoft as Vanilla Tempest; overlaps with Vice Society)',
'RaaS affiliates'],
'title': 'Rhysida Ransomware Gang Uses Malvertising to Distribute '
'OysterLoader and Latrodectus Malware via Fake Microsoft Teams Ads',
'type': ['ransomware', 'malvertising', 'malware distribution', 'data breach'],
'vulnerability_exploited': ['user trust in search engine ads',
'absence of application control on software '
'installation',
'delayed AV detection due to obfuscation',
'abuse of legitimate code-signing certificates']}
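The lessons-learned and recommendation entries above both turn on the same point: the installers carried valid signatures from dozens of freshly obtained certificates, and Microsoft's later revocation of 200+ certificates could not undo executions that had already verified as valid. The following Python, added here as an illustration and not code from Expel, Microsoft or the page's source, shows the two checks a practitioner would want: gating Teams-named installer executions on the signer rather than on "signed", with certificate age as a second signal, and replaying a revocation list against execution history to find hosts that ran a now-revoked binary. The telemetry records, signer names, thumbprints and dates are constructed for illustration and are not indicators from the campaign.

```python
"""Signer-aware gating for installer executions and a retro-hunt against
newly revoked code-signing certificates.

Added example for this report; not code from Expel, Microsoft, or the page's
source.  The telemetry records, signer names, thumbprints, and dates are
constructed for illustration and are not indicators from the campaign.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Signers allowed to ship a Teams binary.  Assumption: adjust per vendor.
TRUSTED_SIGNERS = {"Microsoft Corporation"}
# A certificate issued this close to first use is the throwaway-cert pattern
# (dozens of fresh certs per wave); weak alone, strong with an unknown signer.
FRESH_CERT_DAYS = 30
USER_WRITABLE = {"downloads", "temp", "appdata", "public"}


@dataclass
class ProcEvent:
    """One process-creation record as an EDR or Sysmon pipeline might export it.

    signature_status mirrors the Status values Get-AuthenticodeSignature
    reports: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    """
    time: datetime
    image: str
    parent: str
    signature_status: str
    signer: Optional[str]
    thumbprint: Optional[str]
    cert_not_before: Optional[datetime]


def teams_named_executable(image: str) -> bool:
    name = PureWindowsPath(image).name.lower()
    return "teams" in name and name.endswith((".exe", ".msi"))


def from_user_writable(image: str) -> bool:
    return any(part.lower() in USER_WRITABLE for part in PureWindowsPath(image).parts)


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the reasons a Teams-named execution should be blocked or alerted on.

    The key rule is the second one: a cryptographically valid signature from a
    signer you do not trust is exactly what a purchased or stolen certificate
    buys the attacker.  'Signed' is a necessary check, not a sufficient one.
    """
    reasons: list[str] = []
    if not teams_named_executable(ev.image):
        return reasons
    if ev.signature_status != "Valid":
        reasons.append(f"signature status {ev.signature_status}")
    elif ev.signer not in TRUSTED_SIGNERS:
        reasons.append(f"valid signature from untrusted signer {ev.signer!r}")
        if ev.cert_not_before and ev.time - ev.cert_not_before < timedelta(days=FRESH_CERT_DAYS):
            reasons.append(f"signing certificate issued within {FRESH_CERT_DAYS} days of execution")
    if reasons and from_user_writable(ev.image):
        reasons.append("launched from a user-writable path")
    return reasons


def retro_hunt(events: list[ProcEvent], revoked_thumbprints: set[str],
               since: Optional[datetime] = None) -> list[ProcEvent]:
    """Find past executions whose signing certificate has since been revoked.

    Revocation protects future installs only: anything that ran before the
    CRL/OCSP update verified as Valid at the time, so the revocation list has
    to be replayed against execution history to find hosts needing remediation.
    """
    revoked = {t.upper() for t in revoked_thumbprints}
    return [ev for ev in events
            if ev.thumbprint and ev.thumbprint.upper() in revoked
            and (since is None or ev.time >= since)]


# Constructed sample telemetry (not real indicators).
T0 = datetime(2025, 9, 1, 9, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, r"C:\Users\alice\Downloads\MSTeamsSetup.exe", "explorer.exe",
              "Valid", "Microsoft Corporation", "A1" * 20, datetime(2024, 3, 1)),
    ProcEvent(T0 + timedelta(minutes=5), r"C:\Users\bob\Downloads\MSTeamsSetup_x64.exe",
              "msedge.exe", "Valid", "Example Software Ltd", "B2" * 20, datetime(2025, 8, 20)),
    ProcEvent(T0 + timedelta(hours=1), r"C:\Users\bob\AppData\Local\Temp\teams_update.exe",
              "MSTeamsSetup_x64.exe", "NotSigned", None, None, None),
    ProcEvent(T0 + timedelta(days=1), r"C:\Program Files\Microsoft\Teams\Teams.exe",
              "explorer.exe", "Valid", "Microsoft Corporation", "A1" * 20, datetime(2024, 3, 1)),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in evaluate(ev):
            print(f"{ev.time:%Y-%m-%d %H:%M}  {ev.image}  <- {reason}")
    # Later the certificate behind "B2..." is revoked: find what already ran with it.
    for ev in retro_hunt(SAMPLE_EVENTS, {"B2" * 20}):
        print(f"RETRO-HUNT: {ev.image} executed {ev.time:%Y-%m-%d %H:%M} with revoked cert")
```

On a Windows host the fields of `ProcEvent` can be populated from `Get-AuthenticodeSignature` (its `Status` and `SignerCertificate.Subject`, `.Thumbprint` and `.NotBefore`) or from the signature fields an EDR records at process start. The first sample event, a Microsoft-signed installer run from Downloads, produces no alert: the user-writable path only strengthens a finding that already exists, since users do download Teams to Downloads.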