Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates
ID: b772f088-02f7-5333-ab46-a91acd019e45
STIX ID: report--b772f088-02f7-5333-ab46-a91acd019e45
Feed Name: Expel Blog
This report describes an ongoing malvertising campaign by the Rhysida ransomware gang that uses Bing search ads and fake download pages (impersonating Teams, PuTTY, and Zoom) to distribute OysterLoader, an initial access tool that enables deployment of persistent backdoors and ransomware. The actors evade detection by packing the loader and signing it with numerous code-signing certificates (including abused Microsoft Trusted Signing certificates); the report includes extensive indicators (signer names and file hashes) and certificate-tracking data for defenders.
