Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
· Published 03/11/2025 10:15 · Modified 03/11/2025 12:13
Essential information
- Published: 03/11/2025 10:15
- Modified: 03/11/2025 12:13
- Tags: 2025-11-03 code-signing initial access latrodectus malvertising microsoft trusted signing oysterloader ransomware
- Related entities: 200 observables, 1 intrusion sets (apt), 10 techniques (mitre), 2 malware
Description
The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. This initial access tool establishes a foothold on devices for dropping a persistent backdoor. The campaign uses Bing search engine advertisements to direct users to malicious landing pages impersonating popular software downloads. To evade detection, the malware is packed and uses code-signing certificates, including Microsoft Trusted Signing. The gang's activity has expanded, with over 40 certificates tracked in 2025 compared to 7 in 2024. They're also using Latrodectus malware for initial access. The campaign's scale and use of legitimate services highlight the gang's sophistication and resource investment.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (200)
Intrusion sets (APT) (1)
- Ransomware.Live · Confidence 100
Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks …
First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 08:53 · Modified 21/12/2025 18:19
Techniques (MITRE) (10)
- Software Packing
- Malicious Link
- Malicious File
- Process Injection
- Deobfuscate/Decode Files or Information
- Obfuscated Files or Information
- Exploit Public-Facing Application
- External Remote Services
- Valid Accounts
- Command and Scripting Interpreter
Malware (2)
- Family · Published 03/11/2025 10:15 · Modified 03/11/2025 10:15
- Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29