New Cyber Trap: Weaponized Putty Delivers Hidden Malware!

The OysterLoader virus, formerly known as Broomstick and CleanUpLoader, is being weaponized through an ongoing malicious advertising campaign.

This advanced initial access tool gives cybercriminals a way into corporate networks and eventually acts as a delivery mechanism for the infamous Rhysida ransomware group.

Since leaving the Vice Society organization in 2021 and changing its name in 2023, the Rhysida ransomware campaign has targeted businesses. Security experts continue to monitor the group's changing strategies despite its attempts to avoid law enforcement by changing its name.

According to Expel, the current campaign is the group's second significant malvertising operation, building on strategies that worked during its first run from May to September 2024. Threat actors have been conducting ongoing operations with significantly greater breadth and intensity since June 2025.

By purchasing ads on Bing’s search engine, Rhysida operators trick unwary people into visiting malicious yet convincing landing pages.

These sponsored results put malware downloads right in front of potential victims by showing up prominently in search results and even within Windows 11 Start menu searches.

In recent campaigns, threat actors have created nearly identical phony download pages that mimic well-known software, such as Microsoft Teams, PuTTY, and Zoom. This strategy is exemplified by the malicious PuTTY ads, which purposefully misspell “PuTTY” as “Putty” while still looking authentic enough to trick users looking for the real remote access program.
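As an added example (not from the original article or from Expel), the sketch below shows one way a defender could hunt web proxy logs for the pattern described above: a user reaches a site from a Bing referrer, then downloads an installer named after PuTTY, Teams or Zoom from a host that is not an official source. The log format, the sample lines and the allowlisted hosts are assumptions to adapt to your environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hosts this environment treats as legitimate sources for each lure.
OFFICIAL = {
    "putty": ("chiark.greenend.org.uk", "the.earth.li"),
    "teams": ("microsoft.com",),
    "zoom": ("zoom.us",),
}
INSTALLER = re.compile(r"\.(exe|msi)$", re.I)

def in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def flag_downloads(lines):
    """Flag lure-named installers from non-official hosts reached via Bing."""
    landed = defaultdict(set)   # user -> hosts that user reached from bing.com
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue            # malformed record
        _ts, user, url, referrer = parts
        host = (urlparse(url).hostname or "").lower()
        ref_host = (urlparse(referrer).hostname or "").lower()
        if in_domains(ref_host, ("bing.com",)):
            landed[user].add(host)
        name = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if not INSTALLER.search(name):
            continue
        via_ad = host in landed[user] or ref_host in landed[user]
        for lure, domains in OFFICIAL.items():
            if lure in name and via_ad and not in_domains(host, domains):
                hits.append((user, url, lure))
    return hits

# Constructed sample proxy log: timestamp user url referrer ("-" = none).
SAMPLE = """\
2025-07-01T09:00:01Z alice https://putty-download.example/ https://www.bing.com/search?q=putty
2025-07-01T09:00:09Z alice https://files.example/Putty-setup.exe https://putty-download.example/
2025-07-01T09:05:00Z bob https://www.chiark.greenend.org.uk/~sgtatham/putty/ https://www.bing.com/search?q=putty
2025-07-01T09:05:07Z bob https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe https://www.chiark.greenend.org.uk/~sgtatham/putty/
2025-07-01T09:10:00Z carol https://intranet.example/tools/zoom-installer.msi -
""".splitlines()

if __name__ == "__main__":
    print(flag_downloads(SAMPLE))
```

Only the first user's download is flagged; the second user's download comes from an allowlisted host, and the third has no Bing-referred visit preceding it.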

The efficacy of OysterLoader is based on two main evasion strategies. First, to conceal the malware’s true capabilities from security systems, attackers bundle it using compression and obfuscation.