Ransomware gang runs ads for Microsoft Teams to pwn victims

Summary

The Rhysida ransomware group is running malvertising campaigns that impersonate Microsoft Teams download pages. Victims clicking top search-engine ads (notably on Bing) are directed to realistic but fraudulent download sites that serve OysterLoader (aka Broomstick / CleanUpLoader) and sometimes Latrodectus, which then provide initial access and enable full ransomware deployment and data theft. The campaign started in June 2025 and is ongoing; Rhysida is using typosquatting, packing tools to evade detection, and dozens of code-signing certificates to make malicious installers appear trusted.

Key Points

  • Rhysida buys search ads impersonating Microsoft Teams to lure victims to fake download pages.
  • Clicking the ads leads to a fake download page that serves a malicious installer: primarily OysterLoader, with Latrodectus used in some cases.
  • The campaign began in June 2025 and continues, with new ads, domains and malware observed recently.
  • Attackers use typosquatting, packing/obfuscation and code-signing certificates (40+ in the recent wave) to reduce AV detection and increase trust.
  • Rhysida operates as a ransomware-as-a-service (RaaS) group with a history dating back to Vice Society; it has published dozens of victims on its leak site.
  • Microsoft revoked hundreds of abused certificates and security teams (Expel, Microsoft) are tracking indicators and sharing IOCs for defenders.
  • Packed samples can evade many antivirus engines initially — only a handful may flag them until more engines catch up.

Why should I read this?

Because this is sneaky, widespread and could hit anyone searching for Teams — yes, even an innocent click on a top result can drop a loader that leads to ransomware. If you manage IT, helpdesk or anyone who deals with Windows installs, this is the kind of attack that wastes your day (and your backups).

Author style

Punchy: this matters. The campaign is current, evolving and pragmatic — Rhysida is spending resources (ads, certificates, obfuscation) to get into organisations. Read the detail if you want practical IOCs and mitigation context.

Context and Relevance

Malvertising is an effective initial-access vector because it abuses user trust in search results and platform ad placement. Combined with typosquatting and stolen/issued code-signing certificates, it raises the bar for defenders — traditional AV and casual inspection can be bypassed. This fits wider trends of organised RaaS groups professionalising their operations, investing in evasion and expanding victim counts. Organisations should harden download procedures, monitor for suspicious installer activity, apply allowlisting where possible, and consume shared IOCs (Expel’s GitHub list and Microsoft’s revocation notices were referenced by researchers).
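One way to act on the "apply allowlisting" and "monitor for suspicious installer activity" advice above is to flag installer downloads that did not come from an allowlisted Microsoft host and to score how closely the serving hostname imitates the Microsoft/Teams brand. The script below is an added example written for this summary; it is not code from The Register, Expel or Microsoft. The allowlisted hosts, the proxy-log format and every `.test` domain are assumptions constructed for the example, not indicators from the Rhysida campaign.

```python
"""Added example: flag Teams-installer downloads from non-allowlisted hosts
and score lookalike (typosquat) hostnames with edit distance.

All sample log lines and .test domains below are constructed for this
example; they are not real indicators from the campaign described above.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: hosts your organisation allows Teams installers to come from.
# Adjust to your environment; these are illustrative, not an official list.
ALLOWLISTED_HOSTS = {
    "teams.microsoft.com",
    "www.microsoft.com",
}

# Brand tokens the campaign impersonates; used for lookalike scoring.
BRAND_TOKENS = ("microsoft", "teams")

# Installer file extensions worth inspecting in download URLs.
INSTALLER_RE = re.compile(r"\.(exe|msi|msix)(\?|$)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance to a brand token suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_score(host: str) -> int:
    """Smallest edit distance between any host label (or hyphen-separated piece)
    and a brand token. 0 = brand name used verbatim (e.g. teams-download.test),
    1-2 = near-miss spelling (e.g. micros0ft.test). The last label (TLD) is
    ignored because it rarely carries the impersonated brand."""
    labels = host.lower().split(".")[:-1]
    best = 99
    for label in labels:
        candidates = [label] + label.split("-")
        for piece in candidates:
            for token in BRAND_TOKENS:
                best = min(best, levenshtein(piece, token))
    return best


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Parse a constructed proxy log line: '<ts> <src_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, _method, url, _status = parts
    return {"ts": ts, "src": src, "url": url, "host": urlparse(url).hostname or ""}


def flag_installer_downloads(lines: List[str], max_lookalike_distance: int = 2) -> List[Dict]:
    """Return one finding per installer download whose host is not allowlisted,
    marking it as a brand lookalike when the host is within the edit-distance threshold."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or not INSTALLER_RE.search(rec["url"]):
            continue  # not an installer download
        if rec["host"] in ALLOWLISTED_HOSTS:
            continue  # expected source, nothing to flag
        score = lookalike_score(rec["host"])
        rec["lookalike"] = score <= max_lookalike_distance
        rec["reason"] = "brand lookalike host" if rec["lookalike"] else "installer from non-allowlisted host"
        findings.append(rec)
    return findings


# Constructed sample proxy log: one legitimate download, one HTML page view,
# two typosquat-style hosts and one unrelated vendor installer.
SAMPLE_LOG = [
    "2025-10-30T09:12:03Z 10.0.0.12 GET https://teams.microsoft.com/downloads/MSTeamsSetup.exe 200",
    "2025-10-30T09:13:10Z 10.0.0.12 GET https://teams-download.test/index.html 200",
    "2025-10-30T09:13:41Z 10.0.0.12 GET https://teams-download.test/MSTeamsSetup.exe 200",
    "2025-10-30T09:14:02Z 10.0.0.31 GET https://micros0ft.test/setup.exe 200",
    "2025-10-30T09:15:10Z 10.0.0.45 GET https://cdn.example-vendor.test/tool.msi 200",
]

if __name__ == "__main__":
    for f in flag_installer_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['host']}: {f['reason']}")
```

Running the script reports three findings: the two `.test` hosts that borrow or misspell a brand token are marked as lookalikes, and the unrelated vendor host is flagged only as a non-allowlisted installer source for a human to triage. Treat a valid Authenticode signature on the downloaded file as no extra reassurance on its own; the article notes the gang used dozens of code-signing certificates that Microsoft later revoked, so the download origin and shared IOC lists remain the stronger signals.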

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/31/rhysida_abuses_fake_teams_ads/