Rhysida Ransomware Gang Launches Malvertising Campaign Deploying OysterLoader
Date: October 31, 2025
Overview: The ransomware-as-a-service group Rhysida has launched a malvertising campaign that uses paid search ads and spoofed download portals to deliver the loader/backdoor known as OysterLoader (also tracked as Broomstick and CleanUpLoader). The campaign is designed to establish initial access to enterprise networks ahead of follow-on ransomware or data-extortion operations.
Delivery Vector & Tactics:
• Attackers purchase search engine ads targeting keywords such as “Microsoft Teams download”, “PuTTY installer”, “WinSCP update” and similar trusted software titles.
• The ads lead to spoofed domains or counterfeit download portals that closely mimic legitimate vendor download pages.
• When a user clicks through and starts the download, the file looks like the expected installer but is a trojanised package that drops OysterLoader onto the system.
• The installers are typically signed with recently issued code-signing certificates that validate cleanly, which helps them evade detection and slip past application allow-listing rules that trust any validly signed binary rather than a specific publisher.
• Once executed, the loader establishes persistence, disables telemetry and logging, contacts its command-and-control (C2) infrastructure and stages additional payloads: credential stealers, network reconnaissance tools and ultimately ransomware modules.
Technical Anatomy:
• The trojanised installer launches the loader through a common Windows process such as rundll32.exe or msiexec.exe, which loads a compact DLL; subsequent stages lean on living-off-the-land binaries (LOLBins) rather than dropping bespoke tooling.
• OysterLoader persists through scheduled tasks that fire on a short interval (e.g., every three minutes), writes its files to randomly named sub-folders under %APPDATA%, and pads its code with no-op Graphics Device Interface (GDI) calls and obfuscated functions to frustrate static analysis.
• C2 communication runs over HTTPS to cloud-hosted infrastructure or fast-flux domains, with headers and User-Agent strings crafted to resemble ordinary browser or software-update traffic.
• Once a foothold is established, the operators move laterally, dump credentials (LSASS memory, the SAM hive, etc.), plant additional backdoors and stage the environment for ransomware deployment or data exfiltration.
Current Scale & Focus: According to detection telemetry, the campaign entered a heightened phase in the 24 hours before this write-up: dozens of newly registered spoof domains, multiple signed installer binaries, and active ad campaigns running in English-speaking markets that target IT practitioners and enterprise users looking for productivity tools. The operational tempo indicates a wide net of potential targets and suggests Rhysida is scaling this access vector ahead of larger intrusions.
Why this matters:
• Malvertising sidesteps email-centric phishing defences and instead borrows the trust users place in search engines and sponsored ad placement.
• Legitimate-looking code-signing certificates undermine security models that treat a valid signature as sufficient evidence of trustworthiness.
• Once inside, the access chain leads directly into corporate networks and supports ransomware-style extortion, so the campaign is not just a loader drop but a full intrusion pipeline.
• Enterprises often concentrate on email gateways and user phishing awareness; this campaign shows how trusted software download channels can be weaponised instead.
Recommendations for Organisations:
• Immediately audit and restrict which software users may download and install, especially administrative tools such as PuTTY and WinSCP, which this campaign impersonates.
• Implement application allow-listing with publisher rules that pin the expected signer (subject and issuer), not merely any valid signature; treat a recently issued or unrecognised code-signing certificate as a reason to block and investigate rather than as a pass.
• Ensure a robust endpoint detection and response (EDR) solution is in place that monitors scheduled-task creation, unusual rundll32/LOLBin usage (for example rundll32.exe loading a DLL from %APPDATA%), and DLL loads outside known vendor paths.
• Monitor proxy and DNS logs for sudden spikes in downloads of files such as setup.exe or installer.msi from domains that are not vendor-owned, and pay special attention to domains registered within the past 30 days.
• Educate users that search-engine ads may be weaponised; promote the habit of navigating to official vendor sites rather than clicking sponsored ads or top-ranking links uncritically.
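As an added example for the download-monitoring recommendation above (this is not code from the original bulletin), the Python below runs that check over constructed proxy log lines: it picks out installer downloads, ignores hosts on an assumed vendor allowlist, flags look-alike hostnames that carry a brand token, attaches the domain's registration age, and reports a spike when several distinct clients pull an installer from the same non-vendor host. The log lines, the allowlist and the registration-date table are constructed assumptions; in production the table would be filled from RDAP/WHOIS lookups.

```python
"""Flag installer downloads from non-vendor, look-alike or newly registered domains.

Input is a constructed Squid-style access log (epoch time, client IP,
method, URL, status, bytes). Hostnames and registration dates below are
illustrative assumptions, not indicators from the bulletin.
"""
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

TODAY = date(2025, 10, 31)  # the bulletin date; use date.today() in production
NEW_DOMAIN_DAYS = 30        # "registered within the past 30 days" from the recommendation
SPIKE_CLIENTS = 3           # distinct clients fetching an installer from one non-vendor host
INSTALLER_EXT = (".exe", ".msi", ".msix", ".zip")

# Assumed allowlist: hosts that legitimately serve each brand's installer. Maintain your own.
VENDOR_HOSTS = {
    "teams": {"microsoft.com", "office.com"},
    "putty": {"chiark.greenend.org.uk"},
    "winscp": {"winscp.net"},
}

# Constructed stand-in for RDAP/WHOIS creation dates, keyed by registrable domain.
DOMAIN_REGISTERED = {
    "microsoft.com": date(1991, 5, 2),
    "teams-download-center.com": date(2025, 10, 20),
    "winscp-update.net": date(2025, 10, 28),
    "example.org": date(1995, 8, 31),
}

# Constructed proxy log lines.
SAMPLE_LOG = """\
1761868800.123 10.0.0.5 GET https://download.microsoft.com/download/Teams_windows_x64.exe 200 151234567
1761868900.456 10.0.0.7 GET https://teams-download-center.com/setup.exe 200 4233216
1761868950.789 10.0.0.9 GET https://teams-download-center.com/setup.exe 200 4233216
1761869000.000 10.0.0.11 GET https://teams-download-center.com/setup.exe 200 4233216
1761869100.000 10.0.0.5 GET https://winscp-update.net/WinSCP-installer.msi 200 11321222
1761869200.000 10.0.0.12 GET https://example.org/index.html 200 1256
"""


def host_allowed(host, allowed):
    """True if host equals, or is a subdomain of, an allowlisted vendor domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def registrable_lookup(host, table):
    """Walk the host's suffixes (a.b.c.com -> b.c.com -> c.com) until one is in the table."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in table:
            return key, table[key]
    return None, None


def analyze_proxy_log(text):
    """Return one alert per non-vendor host that served an installer, with the reasons."""
    per_host = defaultdict(lambda: {"reasons": set(), "clients": set(), "files": set()})
    all_vendor = set().union(*VENDOR_HOSTS.values())
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if not host or not filename.endswith(INSTALLER_EXT):
            continue
        if host_allowed(host, all_vendor):
            continue  # the real vendor; nothing to flag
        entry = per_host[host]
        entry["reasons"].add("installer_from_non_vendor_host")
        entry["clients"].add(client)
        entry["files"].add(filename)
        for brand in VENDOR_HOSTS:  # brand token on a non-vendor host = likely lure
            if brand in host or brand in filename:
                entry["reasons"].add("brand_lookalike:" + brand)
    alerts = []
    for host, entry in sorted(per_host.items()):
        _, registered = registrable_lookup(host, DOMAIN_REGISTERED)
        age = (TODAY - registered).days if registered else None
        if age is not None and age < NEW_DOMAIN_DAYS:
            entry["reasons"].add("domain_registered_%dd_ago" % age)
        alerts.append({
            "host": host,
            "files": sorted(entry["files"]),
            "client_count": len(entry["clients"]),
            "spike": len(entry["clients"]) >= SPIKE_CLIENTS,
            "domain_age_days": age,
            "reasons": sorted(entry["reasons"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze_proxy_log(SAMPLE_LOG):
        print(alert)
```

The suffix walk in registrable_lookup avoids guessing the registrable domain from label counts (which fails for hosts like chiark.greenend.org.uk); a production version would use the Public Suffix List and feed unknown domains to an RDAP query rather than a static table.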
Indicators of Compromise (IoCs) & Behavioural Signals:
• Installer files whose signer is an unfamiliar publisher or a freshly issued certificate and which have low detection counts on multi-engine scanners.
• Scheduled tasks named deceptively (e.g., “Security Updater”, “System Service Host”) running a rundll32 command referencing a randomly named DLL under %APPDATA%.
• Outbound connections from endpoints to recently registered domains or to known fast-flux infrastructure.
• Rapid creation of service accounts, lateral spread from initial host, and credential-dump behaviour (LSASS memory access, SAM dumps).
• Unexpected privilege escalation and new remote-access tools appearing shortly after installer execution.
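The scheduled-task behaviour described under Technical Anatomy and in the IoC list (a deceptively named task running rundll32 against a randomly named DLL under %APPDATA% on a three-minute repeat) can be hunted directly in exported task definitions. The Python below is an added example, not code from the original bulletin: it parses Task Scheduler XML in the schema written by `schtasks /query /xml` and scores each task on three independent signals. The two task documents, their names, folder names and DLL names are constructed assumptions.

```python
"""Hunt Windows Task Scheduler definitions for OysterLoader-style persistence.

Signals: the action is a LOLBin such as rundll32.exe; a DLL/OCX/CPL is
loaded from a user's AppData tree; the trigger repeats on a very short
interval. A LOLBin action alone is common in benign tasks, so an alert
requires at least one more signal. Task XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
SHORT_INTERVAL_S = 15 * 60  # legitimate updaters rarely repeat faster than this
# Module under %APPDATA%/%LOCALAPPDATA%, expanded or not, is out of place for a vendor task.
APPDATA_MODULE_RE = re.compile(
    r"(?:%(?:LOCAL)?APPDATA%|\\AppData\\(?:Roaming|Local))\\[^\s,\"]+\.(?:dll|ocx|cpl)\b",
    re.IGNORECASE,
)
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text: str) -> Optional[int]:
    """Convert a Task Scheduler ISO-8601 duration (PT3M, P1DT2H, ...) to seconds."""
    m = DURATION_RE.match(text.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(task_xml: str) -> dict:
    """Return the task name, its fastest repetition interval and the heuristics that fired."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    findings = []
    min_interval = None
    for node in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(node.text or "")
        if secs is not None and (min_interval is None or secs < min_interval):
            min_interval = secs
    if min_interval is not None and min_interval <= SHORT_INTERVAL_S:
        findings.append("short_interval")
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if command.replace("/", "\\").rsplit("\\", 1)[-1].lower() in LOLBINS:
            findings.append("lolbin_action")
        if APPDATA_MODULE_RE.search(command + " " + args):
            findings.append("appdata_module")
    return {"name": name, "min_interval_s": min_interval, "findings": findings,
            "suspicious": "lolbin_action" in findings and len(findings) >= 2}


# Constructed: what an OysterLoader-style task could look like when exported.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Security Updater</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-10-30T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\k2m9x\wvxs.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a typical vendor updater that runs once a day from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for doc in (SUSPECT_TASK, BENIGN_TASK):
        print(assess_task(doc))
```

To feed it real data, export every task with `schtasks /query /xml` (or `Get-ScheduledTask | Export-ScheduledTask` in PowerShell) and pass each document to assess_task; pairing a hit with a Sysmon process-creation event for the same rundll32 command line turns the heuristic into a confirmed persistence finding.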
What to Expect Next: With the initial access vector active and rolled out at scale, security teams should anticipate follow-on activity that deploys full ransomware payloads and data-exfiltration tooling, potentially followed by public extortion notices. Organisations compromised by the loader may only notice when lateral movement or encryption begins, so early detection and response are critical.
Conclusion: Rhysida's shift to malvertising with OysterLoader marks a dangerous evolution in the ransomware landscape. By combining search-engine trust, fake installers and valid certificates, the attackers dramatically lower the cost of initial access. Organisations must expand their threat model beyond phishing email to cover the software-download and advertising channels that can be weaponised. Vigilance, hardened download controls and rapid forensic readiness are essential to defending against these intrusion campaigns.