Oyster

Ransomware operators and other threat groups primarily deployed these fraudulent certificates in ads or SEO poisoning, which brought their malicious software and infostealers to the top of search rankings, ensnaring unsuspecting victims who thought they were downloading and running legitimate applications.

Since at least early 2026, Microsoft Threat Intelligence has observed malvertising campaigns that use AI-themed terms such as “Awesome AI Windows Plugin” and “Flux Pro AI” in social engineering lures ... Microsoft attributes this malvertising activity to an initial access broker and malware distributor tracked as Storm-3075.

Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.

Attackers then distributed the signed malware through tactics such as search manipulation and malicious ads, where users are more likely to trust what they encounter.

Analysis of the redirection chain determined that the attack likely originated from free movie streaming sites. Infections on such sites typically begin when users interact with embedded movie players or click popups.

...attacks also entailed the installation of legitimate Microsoft Teams software and a PowerShell script to evade detection and ensure persistence...

When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware.

Victims were presented with a malicious MSTeamsSetup.exe in place of the legitimate client... Execution of the counterfeit installer resulted in the deployment of the Oyster backdoor.

The archives contained a heavyweight Win32 PE that masqueraded as the DeepSeek installer.

the North Koreans added three custom modules: browserlogin... companywallet... and cleanup (anti-forensic removal of workspace artifacts).

File Hash (SHA-256) 16474e9e4773fbc1e0b48a5025fad31b7f084b1beffb9a42687b4d01979885fe Dave-crypted IceNova

The operation enabled cybercriminals to sign malicious software with fake trusted certificates, making it appear legitimate and easier to distribute.

Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.

The malware executable was signed with a fraudulently obtained Microsoft-issued code-signing certificate obtained through Artifact Signing... Microsoft attributes the signing service used by the threat actor to Fox Tempest.

Execution of the counterfeit installer resulted in the deployment of the Oyster backdoor ... collects host-level information

C2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.

Researchers found that the malware-signing operation enabled customers to upload malicious files and receive code-signed versions using fraudulently acquired certificates.