Threat actors behind the Rhysida ransomware gang are hijacking search ads for popular tools like PuTTY to distribute OysterLoader malware, a stealthy initial access tool that unlocks full device and network control for hackers.
This ongoing malvertising campaign, active since June 2025, preys on unsuspecting users seeking legitimate software downloads, blending deception with technical evasion to bypass defenses.
By impersonating trusted applications, attackers ensure high infection rates, potentially leading to ransomware deployments that cripple enterprises.
The Malvertising Deception
The attack begins with poisoned search results on Bing, where sponsored ads mimic official download pages for PuTTY, a widely used SSH client for IT professionals.
Users searching for “PuTTY download” might click on a top result leading to fake sites like putty.bet or updaterputty.com, hosted on innocuous domains to evade quick takedowns.
These pages host trojanized installers, such as PuTTY-setup.exe, that appear legitimate but pack hidden malware payloads.

This SEO poisoning tactic, first noted in similar campaigns in 2024, has escalated in 2025, with ads even surfacing in Windows 11’s Start menu for broader reach.
Rhysida’s persistence in recycling this method underscores their reliance on proven social engineering to target IT admins and remote workers, who often download tools without scrutiny.
As of November 2025, the campaign shows no signs of slowing, with fresh domains and ads detected weekly.
OysterLoader’s Stealthy Intrusion
Once executed, OysterLoader, also dubbed Broomstick or CleanUpLoader, serves as a loader that deploys a persistent backdoor, granting attackers remote command execution, data exfiltration, and lateral movement across networks.
To dodge antivirus detection, the malware uses packing to obfuscate its code; initial VirusTotal scans flag it with fewer than five engines, and broader detection often takes days.
More insidiously, Rhysida abuses code-signing certificates, including those from Microsoft’s Trusted Signing service, to lend an air of legitimacy; over 200 such certificates have been revoked since June 2025.
This signed malware establishes persistence via scheduled tasks like “FireFox Agent INC,” stealing credentials and system info while downloading secondary payloads, such as Latrodectus infostealers.

The Rhysida gang, which evolved from the Vice Society crew in 2023, uses these footholds for ransomware extortion, hitting sectors from healthcare to government.
Defending Against The Threat
Security teams can counter this by enforcing endpoint detection rules for suspicious signed executables and monitoring Bing ad traffic for anomalies.
Revocations of abused certificates aid mitigation, but user education on verifying download sources remains crucial.
As Rhysida invests heavily in this approach, with over 47 unique certificates tracked across its campaigns, continued vigilance is essential to disrupt their operations.
This blend of malvertising and evasion highlights the evolving ransomware landscape, where everyday tools become gateways to devastation.
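As an added illustration of the endpoint detection rules mentioned above (this is not code from the original article or from any vendor), the following Python triage function applies the indicators the article gives to a constructed scheduled-task inventory: the task name, a binary launched from a user-writable path, and a valid-looking signature from a certificate issued since the campaign began. The record schema, the campaign-start threshold date, the path patterns and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Indicators taken from the write-up above; everything else in this block is an assumption.
KNOWN_TASK_NAMES = {"firefox agent inc"}
CAMPAIGN_START = "2025-06-01"  # certificates abused since June 2025 (ISO date compares as a string)
# Directories a standard user can write to; a scheduled task launching from here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)

@dataclass
class TaskRecord:
    """One scheduled task as exported from EDR telemetry (assumed schema)."""
    name: str
    exe_path: str
    signer: Optional[str]            # Authenticode subject, None if unsigned
    cert_not_before: Optional[str]   # ISO date the signing certificate was issued
    sig_valid: bool                  # False if the chain fails or the certificate was revoked

def triage(task: TaskRecord) -> List[str]:
    """Return the indicators that match this task, in a fixed order."""
    findings = []
    if task.name.strip().lower() in KNOWN_TASK_NAMES:
        findings.append("known-task-name")
    if USER_WRITABLE.search(task.exe_path):
        findings.append("binary-in-user-writable-path")
    if task.signer and task.sig_valid and task.cert_not_before and task.cert_not_before >= CAMPAIGN_START:
        findings.append("signed-by-recently-issued-cert")
    if task.signer and not task.sig_valid:
        findings.append("signature-invalid-or-revoked")
    return findings

def is_suspicious(findings: List[str]) -> bool:
    """A known task name alone is enough; otherwise require a bad location plus a signature
    finding, so ordinary signed software under Program Files is not flagged."""
    if "known-task-name" in findings:
        return True
    return "binary-in-user-writable-path" in findings and any(
        f.startswith(("signed-", "signature-")) for f in findings)

def hunt(tasks: List[TaskRecord]) -> Dict[str, List[str]]:
    """Map task name -> findings for every task judged suspicious."""
    return {t.name: f for t in tasks if is_suspicious(f := triage(t))}

# Constructed sample inventory: one task matching the article, one benign, one dubious.
SAMPLE_TASKS = [
    TaskRecord("FireFox Agent INC", r"C:\Users\alice\AppData\Roaming\FireFox Agent\agent.exe",
               "Example Software Ltd", "2025-10-02", True),
    TaskRecord("MicrosoftEdgeUpdateTaskMachineCore",
               r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
               "Microsoft Corporation", "2024-11-03", True),
    TaskRecord("Updater", r"C:\ProgramData\Updater\upd.exe", "Example Software Ltd", "2025-09-15", False),
]
```

Running `hunt(SAMPLE_TASKS)` returns the two suspicious tasks with their findings; in practice the `sig_valid` field should come from a signature check that includes revocation, since the abused certificates were revoked after the fact.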