{
	"id": "4d2fc51f-45b1-42e6-ba98-227478c5525d",
	"created_at": "2026-04-06T00:10:36.447615Z",
	"updated_at": "2026-04-10T13:12:29.876564Z",
	"deleted_at": null,
	"sha1_hash": "535c200e8f2d1982d134dd36f465b226bdbbf8d1",
	"title": "Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1313586,
	"plain_text": "Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates\r\nBy Aaron Walton\r\nPublished: 2025-10-31 · Archived: 2026-04-05 13:59:39 UTC\r\nTL;DR\r\nThere’s an ongoing malicious ad campaign delivering a malware called OysterLoader, previously known as Broomstick and CleanUpLoader\r\nThe malware is an initial access tool (IAT) that gets onto devices to run a backdoor to gain access to the device and network\r\nThe malware is being leveraged by the Rhysida ransomware gang\r\nThe Rhysida gang has been targeting enterprises for years now. They first operated as Vice Society in 2021 and then rebranded to Rhysida in 2023 [1, 2, 3]. While they may have rebranded to divert law enforcement, defenders don’t forget just because of changed names or time passed.\r\nWe’re tracking Rhysida’s current campaign leveraging malicious advertisements to deliver OysterLoader malware (also known as Broomstick and CleanUpLoader). The first campaign ran from May to September 2024, and the current campaign has been running since June of this year.\r\nhttps://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/\r\nOysterLoader is, fundamentally, an initial access tool (IAT). Its sole function is to establish a foothold on a device so a second-stage persistent backdoor can be dropped on the system and establish long-term access. Getting the first stage into a network is a common first step in a larger network intrusion.\r\nThe delivery: malvertising\r\nThe current infection chain is built on a highly successful malvertising model. Threat actors buy Bing search engine advertisements to direct users to convincing-looking but malicious landing pages. These search engine ads put links to the download right in front of potential victims. The most recent campaigns push ads for Microsoft Teams and impersonate the download pages. However, they’ve also cycled through other popular software such as PuTTy and Zoom.\r\nExample malicious PuTTy ad shared by Tanner via X on July 18, 2025.\r\nDue to Bing ads showing up in the Windows 11 start menu, malicious ads can be served here too. Note that one result is sponsored and misspells PuTTy as “Putty”.\r\nAn example of teams-app[.]bet as captured by URLScan.io.\r\nUsing ads for Teams and other products is an identical tactic to what was seen by the same actors in 2024. This technique is a clear indicator of the gang’s commitment to proven tactics, mimicking a highly effective campaign they executed previously.\r\nTo ensure the first stage’s success, the actors do two things to achieve low detection rates:\r\n1. They pack the malware\r\n2. They use code-signing certificates\r\nPacking is a technique used to compress, encrypt, or obfuscate the function of the software. In the case of Rhysida, their packing tool effectively hides the capabilities of the malware and results in a low static detection rate when the malware is first seen.\r\nThis graph of the detection rate by VirusTotal illustrates the general trend. Due to their obfuscation, it is common for 5 or fewer detection engines to flag the malware, and it can take several days before more AV engines flag the malware. (This example is 32b0f69e2d046cb835060751fcda28b633cbbd964e6e54dbbc1482fff4d51b57.)\r\nCode-signing certificates are standard for legitimate software. The Windows operating system uses code-signing as a measure of confidence that a file came from a valid source. The trust comes from the software publisher listed in the certificate going through a vetting process to get the code-signing certificate, but this system isn’t without its flaws. The Rhysida ransomware gang uses certificates to give their own malicious files a higher level of trust.\r\nSigning as signal\r\nDue to their use of code-signing certificates, we gain an advantage in tracking and identifying new campaigns. The certificates they use regularly get revoked by the certificate’s issuer, so new instances of the malware with a valid certificate indicate a new run of the campaign. Expel actively reports these certificates to be revoked as we encounter them, and the revocations help operating systems, antivirus, and browsers better identify and mitigate the malware.\r\nOn any given day the bad actors may use multiple certificates, but seeing their files with a fresh certificate also helps us know they’re still active. These new certificates further indicate steady investment into their campaign.\r\nCampaign period | Code-signing certificates tracked | Context\r\n2024 activity (May – September) | 7 certificates | The gang’s first Microsoft Teams malvertising campaign.\r\n2025 activity (June – current) | 40+ certificates | The second campaign with a dramatic increase of files and certificates, indicating higher operational tempo and resource investment.\r\nCertCentral.org currently documents a total of 47 unique certificates used to sign OysterLoader across the 2024 and 2025 timeframes, underscoring the larger scale of this campaign.\r\nNot all Rhysida’s eggs are in one basket\r\nThough the main focus of this blog is OysterLoader, Rhysida’s activity isn’t limited to this one malware. During the current campaign, they’re also using the Latrodectus malware to get initial access to networks. We identified this when analyzing files for the purpose of building detection rules: we observed that our YARA rules developed to detect their packer also detected Latrodectus malware. This was further confirmed when we observed an instance where the same code-signing certificate was used to sign both malware.\r\nSigner | Malware \u0026 context | Date seen | Hash\r\nArt en Code B.V. | OysterLoader disguised as MS Teams | 2025-09-12 | 4e4a3751581252e210f6f45881d778d1f482146f92dc790504bfbcd2bdfa0129\r\nArt en Code B.V. | Latrodectus delivered through ClickFix lure | 2025-09-15 | 88e9c1f5026834ebcdaed98f56d52b5f23547ac2c03aa43c5e50e7d8e1b82b3a\r\nIn the majority of situations, Rhysida has smartly avoided using the same certificate across campaigns. However, this activity highlights their involvement with both campaigns.\r\nIn addition to this one certificate, the Rhysida ransomware gang are also one of the few cybercriminals leveraging Trusted Signing from Microsoft—Microsoft’s own service for issuing code-signing certificates—and they use these Trusted Signing certificates for both OysterLoader and the second stage dropped from Latrodectus.\r\nMicrosoft Trusted Signing\r\nMicrosoft Trusted Signing certificates were created with certain features to limit misuse; however, the Rhysida ransomware gang appear to have found ways around those restrictions. The certificates are issued with a 72-hour validity period. After that, the certificates expire and need to be renewed. This short period makes the standard process of purchasing and reselling certificates infeasible. However, the Rhysida ransomware gang—or a supplier of theirs—has identified a means to abuse Microsoft’s Trusted Signing system, allowing them to sign files at scale. Microsoft themselves report having revoked more than 200 certificates associated with the Rhysida ransomware gang and OysterLoader. The majority of these were revoked before they were actively abused to sign malware and deployed, though there is no sign of Rhysida ransomware stopping their use of Microsoft’s service.\r\nKeeping track\r\nThis campaign is likely to continue and may change as a result of this blog, and we plan to continue to monitor and track it. Indicators associated with these campaigns are on GitHub here: https://github.com/expel-io/expel-intel/blob/main/2025/10/Rhysida_malware_indicators-01.csv\r\nSigner | Malware | Hash\r\nAlternative Power Systems Solutions LLC | OysterLoader | e25db8020f7fcadaec5dd54dd7364d8eaa9efd8755fb91a357f3d29bf2d9fbad\r\nAssurance Property Management L.L.C | Latrodectus, stage 2 | 9ce7fa41d8088472dcda120012d025f16c638c57511ac4b337f16893c4580105\r\nBRANCH INVESTMENTS HAWAII LLC | OysterLoader, stage 2 | f21483536cbd1fa4f5cb1e996adbe6a82522ca90e14975f6172794995ed9e9a2\r\nCARLMICH MANAGEMENT, LLC | OysterLoader, stage 2 | c41f42e11e699f45a77ac4e8aef455a07b052180863748f96589d45525e250f6\r\nChidiac Entreprises Commerciales Inc. | OysterLoader | b52dddf4022ee45243ad01705d5a8d5070cd62aa89174f1ab83f5b58f66d577a\r\nDELANEY HOME INSPECTIONS LLC | OysterLoader | 5c797080fa605cab2cd581645f00843f9c91c9c2d0ad4598ccb7886f990c916b\r\nECHO PADDLES INC. | OysterLoader | fdfae96c3e943c16f7946d820598b2d205395fe7483b5b82e4a9903dc96c1eb1\r\nGALVIN \u0026 ASSOCIATES LLC | OysterLoader | dae9df9ce0f5286cfe871fda680e4de440c8444a44ceb434c28d5ccf786f5e8d\r\nHCCO Retail Ltd. | OysterLoader, stage 2 | d19a497670314a3bbff5bc958db3eacfe591c04f866f779cbc06e0f0f48b991f\r\nIceCube Software, Inc. | OysterLoader | 0bcdbd79c13fc50955804d0f2666c878542157fc3d4987d18d13c72e9697209e\r\nIMMEUBLES DAVECLO INC. | Latrodectus, stage 2 | c92081585c525afba5abcb773c7ca9532fba6ce5e7aca340a226e2b05ff3b0d2\r\nKUTTANADAN CREATIONS INC. | OysterLoader | 32b0f69e2d046cb835060751fcda28b633cbbd964e6e54dbbc1482fff4d51b57\r\nMicros in Action, Incorporated | OysterLoader | cd671cfa42714a6d517476add60690081a16a5c6abaacce25fcb9c5ddf41b7d3\r\nMobiquity Technologies, Inc. | OysterLoader, stage 2 | b4a4d565a4d69e1e54557044809fc281591cdc5781126f978df8094467ba59fd\r\nNEW VISION MARKETING LLC | OysterLoader | e9f05410293f97f20d528f1a4deddc5e95049ff1b0ec9de4bf3fd7f5b8687569\r\nNitta-Lai Investment Corp. | OysterLoader | a3b858014d60eaa5b356b7e707a263d98b111b53835ae326cd4e0fb19e7f5b35\r\nNRM NETWORK RISK MANAGEMENT INC. | OysterLoader | ac5065a351313cc522ab6004b98578a2704d2f636fc2ca78764ab239f4f594a3\r\nQUANT QUEST ACADEMY INC. | Latrodectus, stage 2 | 2528df60e55f210a6396dd7740d76afe30d5e9e8684a5b8a02a63bdcb5041bfc\r\nTOLEDO SOFTWARE LLC | OysterLoader | 51c85e40fb4f5bc3fd872261ffef181485791e2ffbe84ab96227461040a1ca4d\r\nSource: https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/"
	],
	"report_names": [
		"certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/535c200e8f2d1982d134dd36f465b226bdbbf8d1.pdf",
		"text": "https://archive.orkl.eu/535c200e8f2d1982d134dd36f465b226bdbbf8d1.txt",
		"img": "https://archive.orkl.eu/535c200e8f2d1982d134dd36f465b226bdbbf8d1.jpg"
	}
}