
Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

The Rhysida ransomware gang, formerly known as Vice Society, is running an ongoing malicious advertising campaign that delivers the OysterLoader malware. OysterLoader is an initial access tool that establishes a foothold on a device and then drops a persistent backdoor. The campaign buys Bing search engine advertisements that direct users to landing pages impersonating popular software download sites. To evade detection, the malware is packed and signed with code-signing certificates, including certificates obtained through Microsoft Trusted Signing. The gang's activity has expanded: over 40 certificates have been tracked in 2025, compared with 7 in 2024. The gang also uses Latrodectus malware for initial access. The campaign's scale and its use of legitimate services highlight the gang's sophistication and resource investment.

OPENCTI LABELS:

code-signing, latrodectus, ransomware, initial access, malvertising, microsoft trusted signing, oysterloader


AI COMMENTARY:

1. Certified OysterLoader Emergence. The Rhysida ransomware gang, previously known as Vice Society, has intensified its operations with the deployment of OysterLoader. This initial access tool creates a foothold on compromised devices and facilitates the installation of a stealthy persistent backdoor. Tracking the evolution of this campaign provides critical visibility into emerging threat patterns.

2. Malvertising Mechanisms Fueling Initial Access. Rhysida's operators exploit malvertising by purchasing ads on the Bing search engine that redirect users to counterfeit download sites. These malicious landing pages mimic legitimate software repositories to entice victims into downloading the installer. Once a victim runs the download, the campaign delivers the OysterLoader payload and gains initial access without tripping standard defenses.

3. Techniques and Tools Behind OysterLoader. OysterLoader is deliberately packed to evade sandbox analysis and signature-based detection. Its primary objective is to establish persistence and serve as a staging platform for further ransomware deployment. The tool's compact architecture simplifies code injection and backdoor provisioning while maintaining a low profile against endpoint protection solutions.

4. Abuse of Code-Signing Certificates. A hallmark of this campaign is the use of code-signing certificates, including Microsoft Trusted Signing, to lend legitimacy to malicious binaries. In 2025, security researchers have tracked over 40 certificates associated with this operation, up from just seven in 2024. By abusing these trusted credentials, Rhysida bypasses trust checks and accelerates malware distribution without raising immediate alarms.

5. Latrodectus as an Initial Access Vector. Complementing OysterLoader, the gang employs Latrodectus malware to secure an entry point into targeted networks. Latrodectus establishes a covert channel for reconnaissance and credential harvesting before transitioning to the deployment of the primary ransomware payload. This sequential approach underscores the group's emphasis on initial access precision and operational stealth.

6. Scale, Sophistication, and Resource Investment. The expansion of certificate usage, reliance on legitimate services, and integration of multiple malware families illustrate Rhysida's growing sophistication. The coordinated malvertising campaign and certificate acquisition efforts reflect substantial resource investment. These factors position the gang as a formidable threat that continuously refines its techniques to exploit evolving trust models in software distribution.

7. Defensive Recommendations and Outlook. Organizations should scrutinize code-signing certificates for anomalies and verify their provenance before trusting signed binaries. Regularly monitoring Bing ad placements and user traffic patterns can reveal malicious redirections early. Integrating threat intelligence on Latrodectus and OysterLoader indicators into security controls will strengthen detection. As Rhysida advances its tactics, a proactive stance that combines certificate analysis with malvertising threat hunting will be essential to mitigating future incursions.
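One concrete form of the certificate scrutiny recommended above, added here as an example that is not code from the OpenCTI report or from any vendor it cites. It triages signer metadata extracted from downloaded binaries with three defender heuristics that follow from the report's observations: the signer is not a vetted publisher, the certificate was issued only days before the binary first appeared, and many distinct unvetted signers claim the same product (the certificate churn behind "over 40 certificates in 2025"). The `SignerRecord` fields, the allowlist, the thresholds and every sample record are constructed assumptions, not indicators from the report.

```python
"""Heuristic triage of code-signing certificates seen on downloaded binaries.

Added example for the defensive recommendations in the report commentary;
it is not code from the OpenCTI report or from any referenced vendor.
Every record, publisher name, threshold and field below is a constructed
assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignerRecord:
    file_sha256: str       # hash of the signed installer (constructed placeholder)
    claimed_product: str   # product the download page claims to offer
    signer_subject: str    # subject of the leaf code-signing certificate
    issuer: str            # issuing CA as shown in the signature chain
    not_before: datetime   # certificate validity start
    not_after: datetime    # certificate validity end
    first_seen: datetime   # first observation of the binary in telemetry


# Publishers the organisation has vetted for this product (assumed allowlist).
APPROVED_SIGNERS = {"Example Software Ltd"}

# Illustrative thresholds; tune them to your own telemetry.
MAX_CERT_AGE_AT_FIRST_USE = timedelta(days=7)   # "freshly issued" certificate
MAX_UNVETTED_SIGNERS_PER_PRODUCT = 2            # certificate churn per product


def unvetted_signers_by_product(records):
    """Map each claimed product to the set of non-allowlisted signer subjects."""
    seen = defaultdict(set)
    for rec in records:
        if rec.signer_subject not in APPROVED_SIGNERS:
            seen[rec.claimed_product].add(rec.signer_subject)
    return seen


def assess(rec, churn):
    """Return the anomaly reasons for one record; an empty list means clean.

    A vetted publisher is treated as clean; the remaining checks only run
    for signers the organisation has not approved.
    """
    reasons = []
    if rec.signer_subject in APPROVED_SIGNERS:
        return reasons
    reasons.append("signer not on approved-publisher allowlist")
    age = rec.first_seen - rec.not_before
    if age < MAX_CERT_AGE_AT_FIRST_USE:
        reasons.append(f"certificate issued {age.days}d before first observed use")
    count = len(churn[rec.claimed_product])
    if count > MAX_UNVETTED_SIGNERS_PER_PRODUCT:
        reasons.append(f"{count} distinct unvetted signers claim '{rec.claimed_product}'")
    return reasons


def triage(records):
    """Return {file_sha256: [reasons]} for every record in the batch."""
    churn = unvetted_signers_by_product(records)
    return {rec.file_sha256: assess(rec, churn) for rec in records}


def _rec(file_hash, signer, issuer, not_before, not_after, first_seen,
         product="ExampleTool"):
    return SignerRecord(file_hash, product, signer, issuer, not_before, not_after, first_seen)


# Constructed sample telemetry: one vetted publisher plus three unknown
# publishers that each signed an "ExampleTool" installer with a certificate
# issued the day before the binary was first seen.
SAMPLE_RECORDS = [
    _rec("constructed-hash-1", "Example Software Ltd", "Example Public CA",
         datetime(2024, 1, 10), datetime(2027, 1, 10), datetime(2025, 3, 1)),
    _rec("constructed-hash-2", "Constructed Publisher A Ltd", "Constructed Signing CA",
         datetime(2025, 3, 3), datetime(2025, 3, 6), datetime(2025, 3, 4)),
    _rec("constructed-hash-3", "Constructed Publisher B LLC", "Constructed Signing CA",
         datetime(2025, 3, 5), datetime(2025, 3, 8), datetime(2025, 3, 6)),
    _rec("constructed-hash-4", "Constructed Publisher C Inc", "Constructed Signing CA",
         datetime(2025, 3, 9), datetime(2025, 3, 12), datetime(2025, 3, 10)),
]


if __name__ == "__main__":
    for file_hash, reasons in triage(SAMPLE_RECORDS).items():
        verdict = "clean" if not reasons else "; ".join(reasons)
        print(f"{file_hash}: {verdict}")
```

The churn check is the one that needs a batch rather than a single file: no individual certificate looks wrong on its own, but three unrelated publishers signing the same product within a week is the pattern the report describes. Feed it the signer fields your EDR or proxy already records for downloaded executables and review the hashes that return two or more reasons.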





