- Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages
- Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors, and infostealers
- Group operates on RaaS model; past targets include airports, libraries, and U.S. school districts
Security researchers have once again found poisoned ads on popular ad networks, spoofing major brands to deliver all sorts of nasties.
Experts at Expel spotted a new malware distribution campaign conducted by the Rhysida ransomware group which apparently began in June 2025, and is still ongoing at press time.
For the campaign, Rhysida’s operatives created landing pages to imitate download sites for Microsoft Teams, one of the world’s most popular online collaboration platforms. Then, they set up new ads on Microsoft’s Bing search engine to promote these pages.
Abusing .LNK files
Victims who would search for Microsoft Teams via Bing would likely see an ad at the top of their search engine results page and, given Microsoft’s and Bing’s good standing, would probably trust them enough to click on the links. Then, they would be redirected to a page that is seemingly identical to the actual Teams download page, but with a big difference – this one deploys two pieces of malware: OysterLoader, and Latrodectus.
Both Latrodectus and OysterLoader are, as the latter’s name suggests, a loader, delivering different stage-two malware depending on the attacker’s needs at any given time. That can include infostealers, backdoors, various remote access trojans, and most notably – ransomware
In fact, the Rhysida group is a famous ransomware operator. It works on a RaaS principle – developing and maintaining the encryptor, while its affiliates breach their targets’ networks and deploy the malware – for a share of the profits.
There had been several notable breaches attributed to the Rhysida gang including the 2023 attack on the British Library (when roughly 600GB of files were taken), the 2024 attack on the Seattle-Tacoma International Airport, as well as multiple attacks on government and education organizations (City of Columbus, multiple US school districts and institutions, and more).
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
