In February 2025, GoSecure Threat Hunters identified Rhysida, a ransomware group actively exploiting stolen VPN credentials and search engine poisoning to infiltrate corporate networks. Rhysida’s double-extortion tactics involve encrypting files while threatening to leak stolen sensitive data. The group has been observed delivering malware disguised as legitimate software, such as Microsoft Teams or Google Chrome, via poisoned search results. Once installed, the malware establishes persistence through scheduled tasks and executes via rundll32.exe, providing long-term access to compromised systems.
Why This Matters
Unlike conventional ransomware that solely encrypts data, Rhysida also exfiltrates personally identifiable information (PII), including passports and driver’s licenses, increasing the risk of identity theft and regulatory fines. Their search engine poisoning tactic tricks unsuspecting users into installing the malware themselves, believing it to be legitimate software. Because no malicious email is involved, this method bypasses traditional email phishing defenses, reinforcing the need for enhanced endpoint security and user awareness.
Detection and Monitoring
GoSecure’s Threat Hunters hypothesized that drive-by downloads were being leveraged for persistence in corporate environments. A high-severity detection rule was implemented to monitor for suspicious software installations executing schtasks.exe and rundll32.exe:
- Detection Rule: Schtasks Creating Task to Execute RunDLL32
  Description: Detects when schtasks.exe is executed with “/create” and “rundll32” in the command line, a common persistence mechanism for malware.
- Detection Rule: PowerShell with RunDLL32 in Command Line
  Description: Flags instances where powershell.exe launches rundll32.exe, which may indicate unauthorized execution of malware.
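The two hunt rules above, expressed as detection logic over process-creation telemetry, as an added example (this is not GoSecure's own rule code or Titan MXDR content). It assumes Sysmon-style Event ID 1 fields (image, parent image, command line); the sample events are constructed for illustration, and the inclusion of pwsh.exe alongside powershell.exe is an assumption that generalizes the second rule to PowerShell 7.

```python
"""Added example: two process-creation detections mirroring the hunt rules
described above, evaluated over constructed Sysmon-style events.
Field names (image, parent_image, command_line) are assumptions."""

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the newly created process


def _basename(path: str) -> str:
    """Return the lower-cased file name, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_schtasks_rundll32(ev: ProcessEvent) -> bool:
    """Schtasks Creating Task to Execute RunDLL32:
    schtasks.exe executed with /create and rundll32 in its command line."""
    if _basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.command_line.lower()
    return "/create" in cl and "rundll32" in cl


def rule_powershell_rundll32(ev: ProcessEvent) -> bool:
    """PowerShell with RunDLL32 in Command Line:
    rundll32.exe spawned by PowerShell, or PowerShell invoked with rundll32
    in its own command line (the rule title's second reading)."""
    powershell_names = ("powershell.exe", "pwsh.exe")  # pwsh.exe is an assumption
    child_from_powershell = (_basename(ev.parent_image) in powershell_names
                             and _basename(ev.image) == "rundll32.exe")
    rundll32_in_cmdline = (_basename(ev.image) in powershell_names
                           and "rundll32" in ev.command_line.lower())
    return child_from_powershell or rundll32_in_cmdline


RULES = (
    ("Schtasks Creating Task to Execute RunDLL32", rule_schtasks_rundll32),
    ("PowerShell with RunDLL32 in Command Line", rule_powershell_rundll32),
)


def evaluate(events):
    """Return (rule_name, command_line) for every event that matches a rule."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append((name, ev.command_line))
    return alerts


# Constructed sample telemetry: two events shaped like the persistence chain
# described in the hunt, and two benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        parent_image=r"C:\Users\alice\AppData\Local\Temp\FakeInstaller.exe",
        command_line=r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" '
                     r'/tr "rundll32.exe C:\Users\alice\AppData\Roaming\example.dll,Run"',
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"rundll32.exe C:\Users\alice\AppData\Roaming\example.dll,Run",
    ),
    ProcessEvent(  # benign: an administrator listing tasks
        image=r"C:\Windows\System32\schtasks.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line=r"schtasks.exe /query /fo LIST",
    ),
    ProcessEvent(  # benign: Explorer opening a Control Panel applet
        image=r"C:\Windows\System32\rundll32.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"rundll32.exe shell32.dll,Control_RunDLL",
    ),
]


if __name__ == "__main__":
    for name, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[ALERT] {name}: {cmdline}")
```

The benign samples are there deliberately: both rules key on specific combinations (a task creation that references rundll32, or rundll32 with a PowerShell parent) rather than on the presence of either binary alone, which keeps routine administrative use of schtasks.exe and rundll32.exe from flooding the queue. In production the matched events would be enriched with the parent's path and signing status so an analyst can see immediately whether the chain originates from a freshly installed, user-writable location.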
Recommendations
To mitigate the risks posed by Rhysida, GoSecure recommends the following measures:
- Train employees to recognize misleading search results and avoid downloading software from unverified sources.
- Enforce multi-factor authentication (MFA) on externally facing services such as VPN access points.
- Monitor scheduled tasks and system binaries for unauthorized modifications.
- Review endpoint logs for suspicious rundll32.exe executions originating from newly installed software.
Conclusion
This month’s Threat Hunt highlights the growing use of search engine poisoning as an attack vector and the importance of proactive threat hunting to uncover ransomware activity before encryption occurs. GoSecure Titan® MXDR continuously monitors, detects, and mitigates emerging ransomware threats, ensuring organizations remain protected.
For further details on strengthening your defenses or to discuss our findings, please contact us at (888)-287-5858 or info@gosecure.ai.
Stay secure!
Your GoSecure Threat Hunting Team