- Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages
- Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors, and info stealers
- The group operates according to the RaaS model; past targets include airports, libraries and US school districts
Security researchers have once again found poisoned ads on popular ad networks that spoof big brands to deliver all sorts of nastiness.
Experts at Expel discovered a new malware distribution campaign by the Rhysida ransomware group that apparently began in June 2025 and is still ongoing at press time.
For the campaign, Rhysida’s operators created landing pages to mimic download sites for Microsoft Teams, one of the world’s most popular online collaboration platforms. Then they created new ads on Microsoft’s Bing search engine to promote those pages.
Abusing .LNK files
Victims who searched for Microsoft Teams through Bing would likely see an ad at the top of their search results page and, given Microsoft’s and Bing’s reputation, would likely trust it enough to click the link. They would then be redirected to a page that appears identical to the actual Teams download page, but with one big difference – this one deploys two pieces of malware: OysterLoader and Latrodectus.
Both Latrodectus and OysterLoader are, as the latter’s name suggests, loaders that deliver different stage-two malware depending on the attacker’s needs at any given time. That can include info stealers, backdoors, various remote access Trojans and, especially, ransomware.
In fact, the Rhysida group is a famous ransomware operator. It operates on a RaaS principle – developing and maintaining the encryption while its affiliates breach their targets’ networks and deploy malware – for a share of the profits.
There have been several notable breaches attributed to the Rhysida gang, including the 2023 attack on the British Library (when around 600 GB of files were taken), the 2024 attack on Seattle-Tacoma International Airport, as well as numerous attacks on government and educational organizations (City of Columbus, several US school districts and institutions, and more).
Via The Register



