In July, the Rhysida ransomware group was observed using the Oyster backdoor malware as part of its attacks. This tactic is part of a broader malvertising campaign first reported in June by security researchers. In this new campaign, fake websites disguised as sites like Microsoft Teams are used to trick users into downloading what they believe are legitimate versions of the software, but instead are malicious installers that drop the Oyster backdoor on the victim’s system.
What’s Notable and Unique
- Oyster malware – also known as Broomstick – uses a loader that looks like a legitimate software installer. When a user downloads the loader, the installer deploys the Oyster backdoor, which allows the threat actor to gather information about the victim’s system and steal credentials.
- Although researchers observed Rhysida using the Oyster backdoor in an attack in July, Arete has observed the ransomware group using this technique since at least May 2024.
- Rhysida is a ransomware-as-a-service (RaaS) that has been active since May 2023, but Arete has observed that the group has been considerably more active in 2024, with a notable spike in activity between June and August. Most recently, the group was responsible for the attack against the Port of Seattle in August, which disrupted systems at Seattle-Tacoma International Airport and resulted in several flight delays.
Analyst Comments
This recent malvertising campaign is a prime example of threat groups actively using search engine optimization (SEO) poisoning to lure victims to legitimate-looking websites and trick them into downloading malware. Although this technique is known to be exploited by a variety of actors, Rhysida has found recent success in using it to gain access to multiple victim systems and will likely continue to do so for as long as it remains effective. Even when using common search engines like Google, it is important that users pay attention to any links that have typos or seem suspicious. Employing active endpoint detection and response solutions is also critical in disrupting threat actor activity and mitigating the risk of a cyber-attack.
Sources
Arete Internal Data
Rhysida using Oyster Backdoor to deliver ransomware
Malvertising Campaign Leads to Execution of Oyster Backdoor
Port of Seattle hit by Rhysida ransomware in August attack
Related Resources
![]()
Telegram Changes Privacy Policy
Telegram – the instant messaging platform popular with ransomware groups and cybercriminals because of its user privacy features – recently updated its privacy policy in an effort to discourage criminals from abusing the platform.
Read more![]()
New Group Emerges with Similarities to ALPHV/BlackCat
Cicada3301, a new RaaS group, emerged in June 2024. Using double extortion, they target Windows and Linux/VMware ESXi systems, posting victims on their dark website. Their methods show strong similarities to ALPHV/BlackCat ransomware.
Read more![]()
Iranian Hackers Working with Ransomware Groups
An Iranian threat group linked to the GOI collaborates with ransomware affiliates, aiding network access and extortion for a ransom share.
Read more
