2025-10-31

The Rhysida ransomware gang’s most recent malvertising campaign to spread OysterLoader has used more than 40 code-signing certificates to conceal its malicious nature, Expel reported Friday.

OysterLoader, also known as Broomstick and CleanUpLoader, serves to gain initial access to a victim’s machine for the deployment of a persistent backdoor and, ultimately, additional payloads including the Rhysida ransomware.

Rhysida has historically utilized malvertising on Google and Bing to distribute the loader, with initial campaigns seen between May and September 2024. The most recent campaign, which first launched in June 2025, primarily uses Bing advertisements to draw in potential victims, imitating popular software like Microsoft Teams, PuTTY and Zoom, according to Expel.

These malicious Bing advertisements can appear not only as a top search result for users searching for the legitimate software, as shown by a screenshot posted by a senior security operations analyst at Huntress, but also in the Windows 11 Start menu when a user searches for software from the taskbar, Expel showed.

The fake advertisements lead to spoofed pages that closely resemble legitimate download pages, fooling users into installing the OysterLoader malware.

The threat actor uses code-signing certificates as a means to avoid detection, fraudulently obtaining certificates that make the malware appear as trusted software.

Through tracking the code-signing certificates used by Rhysida in its most recent campaign, Expel found this campaign to be of a larger scale than that seen in 2024, with more than 40 different certificates used compared to just seven last year.

Certificate issuers regularly revoke certificates for software later discovered to be malicious, forcing the threat actors to obtain new certificates as the campaign goes on; each new certificate lets Expel track a new phase of the campaign, Expel's researcher explained.

The increase in certificates used in the 2025 campaign compared with 2024 indicates a more aggressive campaign and a willingness to invest more resources in obtaining fresh certificates as previous certificates are revoked.
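The same pivot works on a defender's own estate: inventory which certificate signed each executable, rebuild the signer's chain with online revocation checking so a certificate that has since been revoked stands out, and group files by signer so a run of fresh certificates on look-alike installers is visible. The following PowerShell is an added example, not Expel's tooling; the scan path and the known-abused thumbprint list are placeholders to replace with your own intel.

```powershell
# Added example: inventory Authenticode signers and flag signers whose chain
# no longer validates (e.g. Revoked) or that are on a local watch list.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",            # placeholder path
    [string[]]$KnownAbusedThumbprints = @('PLACEHOLDER_THUMBPRINT')  # constructed
)

function Get-SignerChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'      # ask the CA's CRL/OCSP now
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'   # do not ignore revocation/expiry
    if ($chain.Build($Cert)) { return 'ChainOK' }
    # Otherwise report every failure reason, e.g. "Revoked" or "NotTimeValid"
    ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

$rows = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi, *.dll |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.FullName
            SigStatus  = $sig.Status
            Subject    = if ($cert) { $cert.Subject }    else { '<unsigned>' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
            ChainNow   = if ($cert) { Get-SignerChainStatus $cert } else { 'n/a' }
            KnownBad   = [bool]($cert -and ($KnownAbusedThumbprints -contains $cert.Thumbprint))
        }
    }

# One line per signer certificate, ordered by issue date: a burst of recently
# issued certificates that now fail revocation is the rotation pattern described above.
$rows | Where-Object Thumbprint | Group-Object Thumbprint | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Thumbprint = $_.Name;         Subject  = $first.Subject; Files    = $_.Count
        NotBefore  = $first.NotBefore; ChainNow = $first.ChainNow; KnownBad = $first.KnownBad
    }
} | Sort-Object NotBefore | Format-Table -AutoSize

# Files to triage: signed, but the signer's chain no longer validates or the
# thumbprint is on the watch list.
$rows | Where-Object { $_.Thumbprint -and ($_.ChainNow -ne 'ChainOK' -or $_.KnownBad) } |
    Format-Table File, Subject, ChainNow, KnownBad -AutoSize
```

Expect "NotTimeValid" on legitimately old, timestamped binaries whose signing certificate has simply expired; "Revoked" is the status that warrants triage.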

Rhysida has also been known to abuse the Microsoft Trusted Signing system in an attempt to obtain Microsoft-issued certificates for its malware; earlier this month, Microsoft announced that it had revoked more than 200 certificates associated with the campaign, most of which were disrupted before they could be actively abused.

In addition to OysterLoader, Expel discovered the Rhysida threat actors were also using Latrodectus malware in their campaign, as both OysterLoader and Latrodectus samples were found to be signed with the same Art en Code B.V. code-signing certificate.