Beware - ransomware gang is tricking victims with fake Microsoft Teams ads
Don't trust ads just because they're on a reputable network, experts warn
- Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages
- Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors, and infostealers
- Group operates on RaaS model; past targets include airports, libraries, and U.S. school districts
Security researchers have once again found poisoned ads on popular ad networks, spoofing major brands to deliver all sorts of nasties.
Experts at Expel spotted a new malware distribution campaign conducted by the Rhysida ransomware group. The campaign apparently began in June 2025 and is still ongoing at press time.
For the campaign, Rhysida’s operatives created landing pages to imitate download sites for Microsoft Teams, one of the world’s most popular online collaboration platforms. Then, they set up new ads on Microsoft’s Bing search engine to promote these pages.
Abusing .LNK files
Victims who searched for Microsoft Teams via Bing would likely see an ad at the top of their search engine results page and, given Microsoft’s and Bing’s good standing, would probably trust it enough to click on the link. They would then be redirected to a page that is seemingly identical to the actual Teams download page, but with a big difference: this one deploys two pieces of malware, OysterLoader and Latrodectus.
Both Latrodectus and OysterLoader are, as the latter’s name suggests, loaders, delivering different stage-two malware depending on the attacker’s needs at any given time. That can include infostealers, backdoors, various remote access trojans, and most notably, ransomware.
In fact, the Rhysida group is a famous ransomware operator. It works on a ransomware-as-a-service (RaaS) principle: the group develops and maintains the encryptor, while its affiliates breach their targets’ networks and deploy the malware for a share of the profits.
There have been several notable breaches attributed to the Rhysida gang, including the 2023 attack on the British Library (when roughly 600GB of files were taken), the 2024 attack on the Seattle-Tacoma International Airport, as well as multiple attacks on government and education organizations (City of Columbus, multiple US school districts and institutions, and more).
Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.