Google and WinSCP: OysterLoader Evasion Tactics Exposed: Advanced Obfuscation and Rhysida Ransomware Ties Uncovered


OysterLoader: A Stealthy Multi-Stage Malware Tied to Rhysida Ransomware

OysterLoader (also known as Broomstick or CleanUp) is a sophisticated C++-based malware loader actively used in campaigns linked to the Rhysida ransomware group. First observed in mid-2024, it spreads through malvertising and SEO-poisoning tactics, disguising itself as trojanized installers for popular IT tools like PuTTY, WinSCP, and Google Authenticator.

Once executed, OysterLoader establishes a covert foothold from which it can deliver Rhysida ransomware or commodity info-stealers such as Vidar. Rhysida operators, part of the broader WIZARD SPIDER/Vanilla Tempest cybercrime ecosystem, have invested heavily in the tool: as code-signing certificates have been revoked and ad accounts taken down, they have obtained new fraudulently issued certificates and fresh malicious ad infrastructure to keep the campaigns running.

While primarily associated with Rhysida, OysterLoader’s payload flexibility suggests it may circulate within a closed criminal network rather than being exclusive to a single group.

Evasion Tactics & Infection Chain

OysterLoader employs a four-stage infection process that starts with a seemingly legitimate Microsoft Installer (MSI) package, often signed with a fraudulently obtained certificate so that the installer passes trust checks. Key evasion techniques by stage:

  • Stage 1: A packer/obfuscator that reconstructs the next stage from a shuffled memory blob. It pads execution with large numbers of superfluous Windows API calls (GDI functions, for example) so that sandboxes and API-trace-based detection see mostly noise. Anti-analysis measures include debugger checks and run-time API resolution from hashed export names, with the hashing constants varied per sample so that a hash table built from one sample does not transfer to the next.
  • Stage 2: Position-independent shellcode that decompresses the next stage with a custom LZMA-like routine, resolves the imports it needs and changes the memory protection of the reconstructed payload to executable before transferring control to it.
  • Stage 3: A downloader and environment check. It inspects the system language and the number of running processes before contacting command-and-control (C2) servers. Earlier variants fetched the next stage from HTTPS endpoints using spoofed request headers, receiving it hidden inside image files (steganography) with the embedded payload RC4-encrypted. Persistence is a scheduled task, for example rundll32 loading COPYING3.dll from %APPDATA%.
  • Final Stage: A DLL-based core that fetches and runs Rhysida ransomware or another payload, communicating over plain HTTP with domain-based C2 infrastructure. Recent builds use evolving API paths (e.g., /api/v2/init, /api/v2/facade) and a non-standard Base64 with dynamically shifted alphabets, so that beacon bodies neither decode with stock tooling nor match generic Base64 signatures.
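To make the per-sample API-hashing point from Stage 1 concrete, here is an added example (not OysterLoader's code and not from the gbhackers write-up) of how a loader resolves imports from hashes and why changing the hash constant per sample breaks an analyst's precomputed lookup table. The ROR-13-add hash, the seed parameter and the export list are assumptions chosen for illustration; the page does not document the real hash function.

```python
# Added example: hash-based import resolution with a per-sample constant.
# ASSUMPTION: OysterLoader's real hash function is not documented on this page;
# a ROR-13-add hash with a seed standing in for the per-sample constant is used
# here purely to illustrate the technique.
from typing import Dict, List, Optional

# Constructed export list (a slice of what kernel32/winhttp actually export).
SAMPLE_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "ExitProcess", "GetModuleHandleA", "WinHttpOpen",
]

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str, seed: int = 0, rot: int = 13) -> int:
    """ROR-add hash of an export name. `seed` and `rot` play the role of the
    constants a loader changes per build to invalidate static hash tables."""
    h = seed
    for byte in name.encode("ascii"):
        h = (ror32(h, rot) + byte) & MASK32
    return h


def build_table(exports: List[str], seed: int = 0, rot: int = 13) -> Dict[int, str]:
    """What an analyst precomputes: hash -> export name for one parameter set."""
    return {api_hash(n, seed, rot): n for n in exports}


def resolve(hash_value: int, exports: List[str], seed: int = 0, rot: int = 13) -> Optional[str]:
    """Map a hash found in the binary back to a name; None if the table was
    built with the wrong per-sample constants (or the export is not listed)."""
    return build_table(exports, seed, rot).get(hash_value)


def recover_seed(observed: List[int], exports: List[str], rot: int = 13,
                 max_seed: int = 1 << 16) -> Optional[int]:
    """Brute-force a small seed space until every observed hash resolves.
    Only practical when the unknown constant has a small search space."""
    for seed in range(max_seed):
        table = build_table(exports, seed, rot)
        if all(h in table for h in observed):
            return seed
    return None


if __name__ == "__main__":
    sample_seed = 0x5EED
    stolen = [api_hash("VirtualAlloc", sample_seed), api_hash("CreateThread", sample_seed)]
    print("with default table:", [resolve(h, SAMPLE_EXPORTS) for h in stolen])
    print("recovered seed:", hex(recover_seed(stolen, SAMPLE_EXPORTS) or 0))
```

The practical consequence: a hash table generated from one sample resolves nothing in the next one, so the analyst either recovers the per-sample constants (as `recover_seed` does for a small space) or instruments the loader and reads the resolved addresses at run time.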

C2 Infrastructure & Ongoing Threats

As of January 2026, active C2 domains include grandideapay[.]com, nucleusgate[.]com, and socialcloudguru[.]com, serving endpoints such as /api/v2/facade. The malware's resilience stems from realistic browser user-agent strings, fallback logic across multiple C2 servers, and encoding schemes that change between builds, all of which complicate signature-based detection.
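As an added example (not the malware's own routine, which this page does not reproduce), the following Python shows a Base64 variant over a rotated alphabet, of the kind the "dynamically shifted alphabet" and "adaptive encoding" remarks above describe, and how an analyst recovers the shift by brute force. The rotation rule, the JSON-shaped beacon body and its field names are assumptions for the example.

```python
# Added example: Base64 over a rotated alphabet and shift recovery.
# ASSUMPTION: the page says only "non-standard Base64 with dynamic alphabet
# shifts"; a rotation of the standard alphabet by `shift` positions is assumed,
# as is a JSON-shaped beacon body.
import base64
import json
import string
from typing import Optional, Tuple

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed beacon body; field names are invented for the example.
SAMPLE_BEACON = b'{"id":"7f3a","host":"WS-01","lang":"en-US"}'


def shifted_alphabet(shift: int) -> str:
    shift %= 64
    return STD_ALPHABET[shift:] + STD_ALPHABET[:shift]


def encode_shifted(data: bytes, shift: int) -> str:
    """Standard Base64, then remap every symbol to the rotated alphabet.
    Padding '=' is left untouched, which is itself a telltale for analysts."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, shifted_alphabet(shift)))


def decode_shifted(text: str, shift: int) -> bytes:
    """Inverse mapping; shift 0 is plain standard Base64."""
    std = text.translate(str.maketrans(shifted_alphabet(shift), STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def looks_like_beacon(data: bytes) -> bool:
    """Plausibility oracle: UTF-8 text that parses as a JSON object."""
    try:
        return isinstance(json.loads(data.decode("utf-8")), dict)
    except (UnicodeDecodeError, ValueError):
        return False


def brute_force_shift(text: str) -> Optional[Tuple[int, bytes]]:
    """Try all 64 rotations. A wrong rotation adds a constant to every 6-bit
    group, which scrambles the reassembled bytes, so the oracle rejects it."""
    for shift in range(64):
        try:
            candidate = decode_shifted(text, shift)
        except ValueError:
            continue
        if looks_like_beacon(candidate):
            return shift, candidate
    return None


if __name__ == "__main__":
    wire = encode_shifted(SAMPLE_BEACON, 41)
    print("on the wire:", wire)
    print("standard decode:", decode_shifted(wire, 0))
    print("recovered:", brute_force_shift(wire))
```

Two detection points fall out of this: the character set and padding still look like Base64 even though standard decoding yields garbage, and a 64-way brute force with a cheap plausibility oracle is enough to recover a rotated alphabet, so the "dynamic" shift only buys the operators time against static signatures, not against an analyst with a sample.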

OysterLoader’s evolution highlights the growing sophistication of loader malware, blending legitimate-looking installers, steganography, and dynamic C2 protocols to evade defenses before deploying ransomware or data-stealing payloads.
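The following added hunting script (not from the article) checks for the two host and network artifacts named on this page: scheduled tasks that launch rundll32 with a DLL under %APPDATA%, and web requests to the listed C2 domains or to the /api/v2/init and /api/v2/facade paths. The proxy and task log formats, source IPs, user name and the task names are constructed for the example; real telemetry (Sysmon, EDR, proxy) will need its own parser.

```python
# Added example: hunting for OysterLoader persistence and C2 artifacts.
# The log formats below are CONSTRUCTED for this example; adapt the parsers to
# your proxy/EDR schema. Domains and API paths come from the article text.
import re
from typing import Dict, List

# C2 domains active as of January 2026 and the API paths used by recent builds
# (defanged brackets removed so they match real traffic).
C2_DOMAINS = {"grandideapay.com", "nucleusgate.com", "socialcloudguru.com"}
C2_PATH_RE = re.compile(r"^/api/v2/(?:init|facade)(?:[/?]|$)")

# Persistence: rundll32 loading a DLL from %APPDATA% (COPYING3.dll in the
# article). The DLL name is deliberately not hard-coded; it varies per build.
RUNDLL32_APPDATA_RE = re.compile(
    r"rundll32(?:\.exe)?\b.*?\\AppData\\Roaming\\[^\"\s,]*\.dll", re.IGNORECASE)

# Constructed proxy log: "<ts> <src> <method> <host> <path> <status> <user-agent>"
PROXY_LOG = [
    '2026-01-12T09:14:02Z 10.0.4.21 POST nucleusgate.com /api/v2/init 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2026-01-12T09:14:05Z 10.0.4.21 GET cdn.example.org /static/app.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2026-01-12T09:15:40Z 10.0.4.21 POST grandideapay.com /api/v2/facade 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2026-01-12T09:16:10Z 10.0.4.21 POST 203.0.113.57 /api/v2/init 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]

# Constructed scheduled-task inventory (e.g. flattened from schtasks /query /v).
TASK_LOG = [
    r'TaskName=\Microsoft\Windows\Update Action=rundll32.exe "C:\Users\alice\AppData\Roaming\COPYING3.dll",DllRegisterServer',
    r'TaskName=\GoogleUpdateTaskMachineUA Action="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler',
    r'TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag Action=%windir%\system32\defrag.exe -c -h -o -$',
]


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Split the constructed proxy format; the user-agent may contain spaces."""
    ts, src, method, host, path, status, ua = line.split(" ", 6)
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "status": status, "ua": ua.strip('"')}


def c2_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests by known domain OR by API path, so a new, not-yet-listed
    C2 host using the same protocol is still caught (fourth line below)."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        reasons = []
        if rec["host"].lower() in C2_DOMAINS:
            reasons.append("known OysterLoader C2 domain")
        if C2_PATH_RE.match(rec["path"]):
            reasons.append("OysterLoader API path")
        if reasons:
            hits.append({**rec, "reason": "; ".join(reasons)})
    return hits


def persistence_hits(lines: List[str]) -> List[str]:
    """Scheduled tasks whose action is rundll32 with a DLL under %APPDATA%."""
    return [line for line in lines if RUNDLL32_APPDATA_RE.search(line)]


if __name__ == "__main__":
    for h in c2_hits(PROXY_LOG):
        print(f"[C2] {h['src']} -> {h['host']}{h['path']} ({h['reason']})")
    for t in persistence_hits(TASK_LOG):
        print(f"[PERSIST] {t}")
```

Note what is not used as a signal: the user-agent string. The article points out that the loader sends realistic browser user-agents, so matching on the UA would produce nothing; the path pattern and the rundll32-from-%APPDATA% task are the durable indicators, and the domain list is the one that will age fastest.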

Source: https://gbhackers.com/oysterloader-evasion-tactics/

Google TPRM report: https://www.rankiteo.com/company/google

WinSCP TPRM report: https://www.rankiteo.com/company/winscp

"id": "goowin1770971061",
"linkid": "google, winscp",
"type": "Cyber Attack",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including potential customer data leaks"
{'affected_entities': [{'industry': ['IT',
                                     'Technology',
                                     'Any industry using affected tools'],
                        'location': 'Global',
                        'type': 'General public and organizations'}],
 'attack_vector': ['Malvertising', 'SEO-poisoning', 'Trojanized installers'],
 'data_breach': {'data_encryption': 'Yes (if Rhysida ransomware is deployed)',
                 'data_exfiltration': 'Possible (via Vidar info-stealer or '
                                      'Rhysida ransomware)',
                 'personally_identifiable_information': 'Possible',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Credentials',
                                              'Payment information']},
 'date_detected': '2024-06-01',
 'date_publicly_disclosed': '2026-01-01',
 'description': 'OysterLoader (also known as Broomstick or CleanUp) is a '
                'sophisticated C++-based malware loader actively used in '
                'campaigns linked to the Rhysida ransomware group. First '
                'observed in mid-2024, it spreads through malvertising and '
                'SEO-poisoning tactics, disguising itself as trojanized '
                'installers for popular IT tools like PuTTY, WinSCP, and '
                'Google Authenticator. Once executed, OysterLoader establishes '
                'a covert foothold, capable of delivering Rhysida ransomware '
                'or commodity info-stealers such as Vidar. Rhysida operators, '
                'part of the broader WIZARD SPIDER/Vanilla Tempest cybercrime '
                'ecosystem, have heavily invested in this tool, leveraging '
                'fraudulent code-signing certificates and malicious ad '
                'infrastructure to sustain campaigns despite revocations.',
 'impact': {'data_compromised': 'Potential data exfiltration (e.g., personally '
                                'identifiable information, credentials)',
            'identity_theft_risk': 'High (if info-stealers like Vidar are '
                                   'deployed)',
            'operational_impact': 'Potential ransomware deployment leading to '
                                  'system encryption and operational '
                                  'disruption',
            'payment_information_risk': 'High (if info-stealers like Vidar are '
                                        'deployed)',
            'systems_affected': 'Windows systems with trojanized installers '
                                '(PuTTY, WinSCP, Google Authenticator)'},
 'initial_access_broker': {'backdoors_established': 'Scheduled tasks (e.g., '
                                                    'rundll32 executing '
                                                    'COPYING3.dll in '
                                                    '%APPDATA%)',
                           'entry_point': 'Trojanized installers (PuTTY, '
                                          'WinSCP, Google Authenticator)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The evolution of OysterLoader highlights the growing '
                    'sophistication of loader malware, blending '
                    'legitimate-looking installers, steganography, and dynamic '
                    'C2 protocols to evade defenses before deploying '
                    'ransomware or data-stealing payloads.',
 'motivation': ['Financial gain', 'Data exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Revocation of fraudulent '
                                                   'code-signing certificates',
                                                   'Enhanced detection for '
                                                   'multi-stage malware '
                                                   'loaders',
                                                   'Improved monitoring of C2 '
                                                   'infrastructure (e.g., '
                                                   'grandideapay[.]com, '
                                                   'nucleusgate[.]com)'],
                            'root_causes': ['Use of malvertising and '
                                            'SEO-poisoning to distribute '
                                            'trojanized installers',
                                            'Fraudulent code-signing '
                                            'certificates to bypass trust '
                                            'checks',
                                            'Sophisticated evasion techniques '
                                            '(API obfuscation, steganography, '
                                            'dynamic C2 protocols)']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Possible',
                'ransomware_strain': 'Rhysida'},
 'recommendations': ['Enhance detection for malvertising and SEO-poisoning '
                     'campaigns',
                     'Monitor for trojanized installers of popular IT tools',
                     'Implement behavioral analysis to detect API obfuscation '
                     'and dynamic C2 communication',
                     'Update threat intelligence on Rhysida ransomware and '
                     'associated loaders',
                     'Educate users on the risks of downloading software from '
                     'untrusted sources'],
 'references': [{'date_accessed': '2026-01-01',
                 'source': 'Cybersecurity Research'}],
 'threat_actor': ['Rhysida ransomware group',
                  'WIZARD SPIDER',
                  'Vanilla Tempest'],
 'title': 'OysterLoader: A Stealthy Multi-Stage Malware Tied to Rhysida '
          'Ransomware',
 'type': 'Malware Loader'}