Close Menu
Cybercrime and Ransomware

Weaponized Putty and Teams Ads Enable Malware Attacks on Networks

Staff WriterBy No Comments4 Mins Read4 Views

Essential Insights

  1. A malicious advertising campaign is using legitimate software downloads, like Microsoft Teams and PuTTY, to distribute OysterLoader malware, serving as an entry point for Rhysida ransomware.

  2. Rhysida, evolving since 2021, purchases Bing ads and even targets Windows 11 start menu searches, impersonating trusted software to deceive users and facilitate malware delivery.

  3. OysterLoader employs obfuscation, code-signing certificates, and exploits Microsoft’s Trusted Signing to evade detection, with over 40 certificates used in 2025 indicating high operational investment.

  4. The campaign also deploys additional malware like Latrodectus and exploits certificate revocation protocols, emphasizing the need for vigilance in software verification and cybersecurity defenses.

Underlying Problem

The story details a sophisticated cyberattack campaign where malicious advertising cleverly disguises malware downloads by leveraging legitimate software services. Cybercriminals use targeted ads on platforms like Bing and even within Windows 11’s start menu to direct unsuspecting users to fake yet convincing download pages of popular software such as Microsoft Teams, PuTTY, and Zoom. These fake pages are designed with high accuracy, often misspelling software names to deceive users into downloading harmful files. The malware behind these operations, notably OysterLoader (also known as Broomstick and CleanupLoader), employs advanced techniques like encryption, obfuscation, and exploiting Windows’ trust mechanisms through code-signing certificates to evade detection and appear legitimate. This campaign, linked to the Rhysida ransomware group that originated from Vice Society, has been ongoing since 2021 with increased intensity and resource investment, as evidenced by their use of over 40 different code-signing certificates. Security researchers from Expel have uncovered that Rhysida also deploys other malware, such as Latrodectus, and exploits Microsoft’s trusted signing services to stay operational despite infrastructure revocations, illustrating a persistent and adaptive threat targeting enterprises worldwide.

Risks Involved

The threat of “Weaponized Putty and Teams Ads Deliver Malware” can impact any business by transforming seemingly harmless tools—like office putty or in-product advertisements—into malicious gateways for hackers to infiltrate internal networks, hence allowing unauthorized access to sensitive data, disrupting operations, and damaging reputations. Once inside, cybercriminals can exfiltrate confidential information, deploy ransomware, or establish persistent backdoors that enable ongoing espionage or sabotage, thereby inflicting substantial financial losses, legal liabilities, and operational setbacks. In today’s interconnected environment, even minor vulnerabilities such as compromised collaborative tools or embedded advertisements pose severe risks, underscoring that any business—regardless of size or industry—must vigilantly protect its digital assets against sophisticated, weaponized threats hiding within everyday resources.

Possible Action Plan

Ensuring swift and effective remediation for threats like weaponized putty and malicious team ads delivering malware is crucial to prevent unauthorized network access, minimize damage, and maintain organizational integrity.

Detection & Identification
Promptly identify malicious activity using intrusion detection systems, antivirus scans, and threat intelligence to confirm the presence of weaponized putty and compromised ads.

Containment
Isolate affected systems immediately to prevent lateral movement of malware and minimize network exposure.

Eradication
Remove malicious files, disable suspicious processes, and eliminate malicious code or scripts from the infected endpoints.

System Restoration
Restore affected systems from trusted backups, ensuring malware is completely eradicated before reconnecting to network.

Patch & Update
Apply the latest security patches, updates, and configuration changes to prevent exploit reuse and close vulnerabilities.

Monitoring & Logging
Enhance continuous monitoring and detailed logging around the affected areas to detect any recurring or residual malicious activity.

User Awareness & Training
Educate users about the nature of malicious ads and weaponized tools, promoting cautious behavior and immediate reporting of anomalies.

Policy Revision
Review and tighten security policies regarding ad content, third-party scripts, and endpoint access to mitigate future threats.

Incident Response Planning
Develop and rehearse incident response procedures to ensure rapid action when similar threats are detected in the future.

Stay Ahead in Cybersecurity

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.