A large-scale malvertising campaign is weaponizing sponsored search results to push a stealthy loader called OysterLoader, also tracked as Broomstick and CleanUpLoader. Attackers place convincing ads on Bing that appear in search results and even inside the Windows 11 Start menu, pointing victims to fake download pages that impersonate legitimate tools such as PuTTY, Microsoft Teams, and Zoom. Once downloaded, OysterLoader establishes a foothold for follow-on payloads, including ransomware operations attributed to the Rhysida group.
This campaign is notable for its scale, sophistication, and persistence. Ad placements deliberately use misspellings and near-identical pages to trick users who are actively seeking trusted software. The malware is heavily obfuscated, often packaged with valid code-signing certificates, and delivered alongside other families such as Latrodectus. Microsoft has revoked hundreds of implicated certificates, but attackers continue to cycle through new signing keys and abuse signing services to appear legitimate.
Why this matters now
- Sponsored search results and Start menu integrations reduce friction for attackers, placing malicious downloads directly in front of users who are actively looking for real software.
- OysterLoader’s heavy obfuscation and valid code signatures keep antivirus detection rates low for days after a new sample appears.
- The campaign ties directly into ransomware extortion: OysterLoader is an initial access tool that enables ransomware gangs to move laterally and deploy encryption or data theft tools.
- Abuse of code-signing and signing services means defenders must look beyond “signed equals safe” assumptions and verify provenance and certificate use.
What defenders should do immediately
- Enforce safe download policies: allow software installation only from approved internal repositories or verified vendor sites.
- Block or inspect sponsored ad destinations at the web proxy and DNS layers, and use URL reputation services to flag fake download pages.
- Harden endpoints: enable application allow-listing, restrict execution from downloads folders, and require administrative approval for new installers.
- Monitor for installer behaviors: look for unsigned installers, newly observed signed binaries, post-install persistence, unusual child processes, and network connections to unknown endpoints.
- Validate code signatures and certificate chains: check revocation status and monitor for sudden spikes in new certificates being used to sign widely distributed installers.
- Increase ad and search monitoring: track sponsored results for brand and product mentions tied to your organization and notify PR/legal for takedown requests when appropriate.
- Deploy threat hunting for known artifacts: hunt for OysterLoader indicators, Latrodectus overlaps, and certificate serial numbers reported by vendors and researchers.
- Educate users: train staff to verify download sources, prefer vendor pages, and report unexpected installers even if they appear in search results or inside the OS UI.
- Isolate affected hosts quickly: if an installer is suspected, isolate the endpoint, preserve artifacts, and run a forensic triage.
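Two of the controls above, checking the signing chain's revocation status and flagging installers signed with a certificate that is only days old, can be automated on the endpoint. The PowerShell below is an added example and is not code from the original post or from COE Security; it assumes a Windows host running PowerShell 5.1 or 7 with outbound access to the CRL/OCSP endpoints named in the certificates, and the 30-day `$NewCertDays` threshold and the ALLOW/REVIEW/BLOCK verdicts are illustrative assumptions.

```powershell
# Added example (not from the original post or COE Security): vet a downloaded
# installer's Authenticode signature, rebuild its certificate chain with online
# revocation checking, and flag signing certificates that are only days old.
# Assumes a Windows host running PowerShell 5.1 or 7 with access to CRL/OCSP URLs.
using namespace System.Security.Cryptography.X509Certificates

function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed threshold: a signer certificate younger than this is treated as
        # "newly observed" and gets a REVIEW verdict even when the chain is valid.
        [int] $NewCertDays = 30
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $result = [ordered]@{
        File            = $Path
        Sha256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer          = $null
        Thumbprint      = $null
        CertAgeDays     = $null
        Timestamped     = ($null -ne $sig.TimeStamperCertificate)
        ChainValid      = $false
        ChainErrors     = @()
        Verdict         = 'BLOCK'
    }

    if ($null -eq $cert) {
        # Unsigned or unparseable signature: nothing to verify, block by default.
        $result.ChainErrors = @('No signer certificate present')
        return [pscustomobject]$result
    }

    $result.Signer      = $cert.Subject
    $result.Thumbprint  = $cert.Thumbprint
    $result.CertAgeDays = [int] ((Get-Date) - $cert.NotBefore).TotalDays

    # Rebuild the chain ourselves and force an online revocation check on every
    # certificate in it, so a revoked leaf or intermediate is not masked by a
    # cached verdict.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag
    $result.ChainValid  = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    $revoked = @($chain.ChainStatus | Where-Object {
        ($_.Status -band [X509ChainStatusFlags]::Revoked) -ne 0
    }).Count -gt 0
    $revocationUnknown = @($chain.ChainStatus | Where-Object {
        (($_.Status -band [X509ChainStatusFlags]::RevocationStatusUnknown) -ne 0) -or
        (($_.Status -band [X509ChainStatusFlags]::OfflineRevocation) -ne 0)
    }).Count -gt 0
    $chain.Reset()

    if ($revoked -or $sig.Status -ne 'Valid' -or -not $result.ChainValid) {
        $result.Verdict = 'BLOCK'
    } elseif ($revocationUnknown -or $result.CertAgeDays -lt $NewCertDays -or -not $result.Timestamped) {
        # Revocation could not be confirmed, the certificate is very young, or
        # the signature is not timestamped: hand it to an analyst.
        $result.Verdict = 'REVIEW'
    } else {
        $result.Verdict = 'ALLOW'
    }
    return [pscustomobject]$result
}

# Usage: triage every installer in the Downloads folder and list the verdicts.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Recurse -File -Include *.exe, *.msi |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } |
    Format-Table File, SignatureStatus, CertAgeDays, ChainValid, Verdict -AutoSize
```

Grouping the returned `Thumbprint` and `CertAgeDays` values across a fleet (for example, by exporting the objects to a SIEM) gives the "sudden spike in new certificates" signal the list above asks for: many distinct installers signed by certificates issued in the last few days is the pattern to alert on, whereas a single young certificate from a known vendor after a scheduled renewal usually is not.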
Conclusion
Malvertising campaigns are evolving beyond annoying redirects. By blending legitimate advertising channels, OS search integrations, and certificate misuse, sophisticated adversaries can put credible malware downloads directly in front of busy users. Mitigations must combine user education with technical controls: strict download policies, certificate and signature verification, runtime detection of suspicious installers, and active monitoring of ad ecosystems. Assume attackers will follow the path of least resistance, and make sure that path is closed.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
Additional services we provide specifically to counter malvertising and fake-download campaigns:
- Malvertising and search ad monitoring to detect and flag malicious sponsored results in real time
- Code-signing and certificate monitoring, including automated revocation checks and provenance verification
- Secure download governance: enterprise whitelists, vendor verification, and controlled download channels
- Installer and loader hunting: behavioral detection for staging loaders such as OysterLoader and post-install persistence artifacts
- Incident response playbooks for ad-driven initial access and ransomware containment
- Browser and endpoint hardening, plus user training focused on safe download practices
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.