- Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages.
- Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors, and information stealers.
- The group operates on the RaaS model; previous targets include US airports, libraries and school districts.
 
Security researchers have once again found poisoned ads on popular ad networks, spoofing major brands to deliver all sorts of nasty things.
Expel experts detected a new malware distribution campaign carried out by the Rhysida ransomware group that apparently began in June 2025 and is still ongoing at the time of this publication.
For the campaign, Rhysida agents created landing pages to mimic the download sites for Microsoft Teams, one of the world’s most popular online collaboration platforms. They then set up new ads on Microsoft’s Bing search engine to promote these pages.
Abusing .LNK files
Victims who searched for Microsoft Teams through Bing would likely see an ad at the top of their search results page and, given the good reputation of Microsoft and Bing, would probably trust it enough to click the link. They would then be redirected to a page that is seemingly identical to the real Teams download page, with one big difference: this one deploys two pieces of malware, OysterLoader and Latrodectus.
Both Latrodectus and OysterLoader are, as the latter’s name suggests, loaders that deliver different stage-two malware depending on the attacker’s needs at any given time. This can include data stealers, backdoors, various remote access Trojans, and most notably, ransomware.
In fact, the Rhysida group is a famous ransomware operator. It works on a ransomware-as-a-service (RaaS) principle: it develops and maintains the encryptor, while its affiliates breach their targets’ networks and deploy the malware to get a share of the profits.
There were several notable breaches attributed to the Rhysida gang, including the 2023 attack on the British Library (when approximately 600 GB of files were taken), the 2024 attack on Seattle-Tacoma International Airport, as well as multiple attacks on government and educational organizations (the city of Columbus, multiple US districts and school institutions, and more).
Through The Registry




