Rhysida and Vidar: OysterLoader Multi‑Stage Evasion Loader Uncovered with Advanced Obfuscation and Rhysida Ransomware Links


OysterLoader: A Sophisticated Malware Threat Delivering Ransomware and Infostealers

A newly identified malware loader, OysterLoader, has emerged as a major cybersecurity threat, leveraging advanced obfuscation techniques to evade detection and deploy malicious payloads. First detected in June 2024 by Rapid7, this C++-based malware spreads through fake websites impersonating trusted software like PuTTY, WinSCP, Google Authenticator, and AI tools, often disguised as digitally signed Microsoft Installer (MSI) files to appear legitimate.

OysterLoader operates through a four-stage infection chain, beginning with a TextShell packer and progressing to custom shellcode execution before delivering its final payload. While primarily linked to Rhysida ransomware, a group tied to the WIZARD SPIDER threat actor, it has also been observed distributing Vidar, a prevalent infostealer, as of January 2026.

Security researchers, including Sekoia analysts, have identified a two-tiered command-and-control (C2) infrastructure, with delivery servers handling initial connections and final C2 servers managing victim interactions. The malware employs anti-analysis techniques, such as API hammering, dynamic API resolution via custom hashing, and timing-based sandbox detection, to evade security measures.

Advanced Evasion and Persistence Mechanisms

OysterLoader’s infection process demonstrates high technical sophistication, including:

  • Environment checks to ensure the target system has at least 60 running processes before proceeding.
  • Steganography to conceal payloads within icon image files, using RC4 encryption with a hardcoded key.
  • Custom JSON encoding with a non-standard Base64 alphabet and random shift values, complicating network traffic analysis.
  • Persistence via scheduled tasks that execute a malicious DLL in the AppData directory every 13 minutes.
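The scheduled-task persistence described in the last bullet is the easiest of these behaviours for a defender to hunt for, because exported task definitions are plain XML. The script below is an added example, not code from the article or from Rankiteo: it parses Windows Task Scheduler XML (the 2004/02 task schema that `schtasks /query /xml` emits) and flags tasks that combine a DLL-hosting binary, a user-writable profile path such as AppData, and a repetition interval of fifteen minutes or less. The two task definitions embedded in it are constructed samples with placeholder names and paths, not real OysterLoader artifacts; the 13-minute interval is the only value taken from the write-up.

```python
"""Hunt exported Task Scheduler XML for the persistence pattern described in
the article: a DLL under AppData run on a short repetition interval.
Added example with constructed sample data; not the article's own code."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries that load an arbitrary DLL named on their command line
DLL_HOSTS = ("rundll32", "regsvr32")
# User-writable directories that legitimate scheduled services rarely run from
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")
# Repetition this frequent (or faster) is worth a look; the article cites 13 min
MAX_INTERVAL_MIN = 15


def iso_duration_minutes(value):
    """Convert an ISO-8601 duration such as PT13M or P1DT2H to minutes.

    Returns None when the text is not a duration the task schema would emit."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyse_task(xml_text):
    """Return findings for one task definition as a dict with a final verdict."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)

    # Every trigger may carry its own Repetition/Interval; collect them all
    intervals = [iso_duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]

    # Flatten every Exec action into "command arguments" for keyword checks
    actions = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append(f"{cmd} {args}".strip())
    lowered = " ".join(actions).lower()

    findings = {
        "task": name,
        "actions": actions,
        "dll_host": any(h in lowered for h in DLL_HOSTS),
        "user_writable_path": any(d in lowered for d in SUSPICIOUS_DIRS),
        "short_interval": any(i <= MAX_INTERVAL_MIN for i in intervals),
        "interval_minutes": min(intervals) if intervals else None,
    }
    hits = sum(findings[k] for k in ("dll_host", "user_writable_path", "short_interval"))
    # All three indicators together match the pattern the article describes;
    # two of three is still worth an analyst's eyes
    findings["verdict"] = "suspicious" if hits == 3 else "review" if hits == 2 else "clean"
    return findings


# Constructed sample (no XML declaration: real exports are UTF-16, decode before parsing).
# Task name and DLL path are placeholders, not indicators from the article.
SAMPLE_SUSPICIOUS = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\PLACEHOLDER_UpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT13M</Interval><Duration>P1D</Duration></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\PLACEHOLDER_payload.dll,Run</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a vendor updater run once a day from Program Files
SAMPLE_BENIGN = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\PLACEHOLDER_VendorUpdater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(analyse_task(sample))
```

Run on a fleet, the same three checks map onto telemetry you already have: a `rundll32`/`regsvr32` command line with an AppData path in process-creation events, and task registration events with a sub-fifteen-minute repetition interval, are the two signals to correlate.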

The malware’s developers have continuously updated its code, refining communication protocols and obfuscation to maintain effectiveness against security solutions. Its connection to Rhysida ransomware and commodity malware underscores its role in high-impact cyberattacks, making it a critical concern for organizations.

Source: https://cybersecuritynews.com/oysterloader-multi-stage-evasion-loader-uncovered/

ViDARR Inc. cybersecurity rating report: https://www.rankiteo.com/company/vidarr-inc

Red Canary, a Zscaler company cybersecurity rating report: https://www.rankiteo.com/company/redcanary

{
"id": "VIDRED1770978271",
"linkid": "vidarr-inc, redcanary",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'attack_vector': ['Malicious websites',
                   'Fake software installers',
                   'Phishing'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Payment information',
                                              'Credentials']},
 'date_detected': '2024-06',
 'description': 'A newly identified malware loader, OysterLoader, has emerged '
                'as a major cybersecurity threat, leveraging advanced '
                'obfuscation techniques to evade detection and deploy '
                'malicious payloads. It spreads through fake websites '
                'impersonating trusted software like PuTTY, WinSCP, Google '
                'Authenticator, and AI tools, often disguised as digitally '
                'signed Microsoft Installer (MSI) files. OysterLoader operates '
                'through a four-stage infection chain and is primarily linked '
                'to Rhysida ransomware and Vidar infostealer.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': True,
            'payment_information_risk': True},
 'initial_access_broker': {'entry_point': ['Fake websites impersonating '
                                           'trusted software']},
 'motivation': ['Financial gain', 'Data theft'],
 'post_incident_analysis': {'root_causes': ['Advanced malware obfuscation',
                                            'Phishing via fake software '
                                            'installers',
                                            'Lack of user awareness']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Rhysida'},
 'references': [{'source': 'Rapid7'}, {'source': 'Sekoia analysts'}],
 'threat_actor': 'WIZARD SPIDER',
 'title': 'OysterLoader: A Sophisticated Malware Threat Delivering Ransomware '
          'and Infostealers',
 'type': ['Malware', 'Ransomware', 'Infostealer']}