Security Articles

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

Released on 2025-11-03 @ 10:15:40 AM

The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. OysterLoader is an initial access tool: it establishes a foothold on a device and then drops a persistent backdoor. The campaign uses Bing search engine advertisements to direct users to malicious landing pages impersonating popular software downloads. To evade detection, the malware is packed and signed with code-signing certificates, including ones from Microsoft Trusted Signing. The gang's activity has expanded, with over 40 certificates tracked in 2025 compared to 7 in 2024. The gang is also using Latrodectus malware for initial access. The campaign's scale and use of legitimate services highlight the gang's sophistication and resource investment.