- Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages
- Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors and infostealers
- The group operates on the RaaS model; past targets include US airports, libraries and school districts
 
Security researchers have once again discovered poisoned ads on popular ad networks, spoofing big brands to deliver all sorts of nastiness.
Expel experts have spotted a new malware distribution campaign led by the Rhysida ransomware group that apparently began in June 2025 and is still ongoing at the time of publication.
For the campaign, Rhysida agents created landing pages to mimic the download sites of Microsoft Teams, one of the most popular online collaboration platforms in the world. Then, they set up new ads on Microsoft’s Bing search engine to promote these pages.
Abusing .LNK Files
Victims searching for Microsoft Teams through Bing would likely see an ad at the top of their search engine results page and, given the good reputation of Microsoft and Bing, would likely trust it enough to click on the link. Then, they would be redirected to a page that is apparently identical to the actual Teams download page, but with one big difference: this one deploys two pieces of malware, OysterLoader and Latrodectus.
Both Latrodectus and OysterLoader are, as the latter’s name suggests, loaders, delivering different second-stage malware depending on the attacker’s needs at any given time. This can include information stealers, backdoors, various remote access Trojans and, most notably, ransomware.
In fact, Rhysida is a famous ransomware operator. The group operates on the ransomware-as-a-service (RaaS) principle: it develops and maintains the encryptor, while its affiliates hack their targets’ networks and deploy the malware for a share of the profits.
Several notable breaches have been attributed to the Rhysida gang, including the attack on the British Library in 2023 (during which approximately 600 GB of files were seized), the attack on the Seattle-Tacoma International Airport in 2024, as well as multiple attacks on government and educational organizations (the city of Columbus, several US school districts and institutions, etc.).
Via The Register