Researchers Uncover OysterLoader, an Advanced Obfuscated Loader Powering Rhysida Attacks

OysterLoader, also tracked as Broomstick and CleanUp, is a multi-stage loader first observed in mid-2024 that has since become a significant threat. It is closely tied to ransomware intrusions and large-scale data theft, most notably those of the Rhysida ransomware group.

Written in C++, OysterLoader is distributed mainly through malicious websites posing as legitimate download pages for widely used IT tools such as PuTTY, WinSCP and Google Authenticator, as well as AI software installers. Victims who believe they are fetching a genuine application instead run a signed Microsoft Installer (MSI) package that silently launches the loader. A valid code-signing signature on its own is not evidence of legitimacy; the signer identity and the download source both need to be checked.

Recent reporting indicates that OysterLoader is used not only by Rhysida but may also be tied to affiliates in the Wizard Spider cybercrime ecosystem. Researchers have also seen it deliver commodity threats such as the Vidar information stealer, often starting from Gootloader campaigns that redirect users to counterfeit download pages.

Multi-Stage Infection and Stealth Techniques

OysterLoader uses a four-stage infection chain built to evade detection. The first stage is a packer, named TextShell, that loads hidden code directly into memory: it allocates executable memory and copies the encrypted data into it in small blocks rather than in a single write.

To blend in, the loader pads its execution with large numbers of harmless Windows API calls, burying the meaningful behaviour in noise for sandboxes and behavioural monitors. It also checks for attached debuggers and stops executing if analysis is detected.

In the second stage, the shellcode decompresses a hidden payload with a modified LZMA implementation; the modification stops standard unpacking tools from handling it directly. The shellcode then fixes up memory addresses (relocation), loads the required libraries and hands control to the next component.

The third stage is a downloader and environment check: it inspects the system language, counts running processes and inserts timing delays to detect sandboxes. If the host looks like a real victim, it contacts its command-and-control (C2) server over HTTPS, disguising the traffic with spoofed headers and a "WordPressAgent" user-agent string. The server replies with what appears to be an ordinary icon file; the encrypted next stage is hidden inside it via steganography. The fixed user-agent string is a practical network detection hook, since no legitimate WordPress client sends it.

Command-and-Control and Ransomware Delivery

Once the payload is decoded, OysterLoader installs a malicious DLL and registers a Windows scheduled task that runs it every 13 minutes (in the analysed sample, a task named COPYING3 invoking rundll32 with the DllRegisterServer export). This final stage talks to several hardcoded servers and reports basic host details such as the username, computer name, domain and operating system version.

To evade network detection the malware uses a customised Base64 alphabet, randomly shifted keys and varying communication endpoints. Newer builds also send lists of running processes and rotate the encoding alphabet during a session, so a decoder written for one sample may not work for the next.
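A custom Base64 alphabet is, on its own, a weak obfuscation: decoding it only requires mapping the attacker's alphabet back onto the standard one. The following Python is an added illustration, not code from the article or from any OysterLoader sample. It models the "shifting" alphabet as a hypothetical rotation of the standard alphabet (the real malware's alphabets are not published here) and shows how an analyst can recover the unknown shift from a short known-plaintext prefix such as a field name the beacon is known to send.

```python
import base64
import binascii
import string

# Standard RFC 4648 alphabet; the custom scheme is modelled as a permutation of it.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def rotate_alphabet(shift: int) -> str:
    """Hypothetical 'shifted key': rotate the standard alphabet by `shift` positions.

    This rotation is an assumption for illustration, not the malware's real alphabet.
    """
    shift %= 64
    return STD_ALPHABET[shift:] + STD_ALPHABET[:shift]


def _check_alphabet(alphabet: str) -> None:
    # 64 distinct symbols, none of them '=' (which is reserved for padding).
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct symbols without '='")


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Encode with the standard algorithm, then substitute the custom alphabet."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Map the custom alphabet back to the standard one and decode normally."""
    _check_alphabet(alphabet)
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def recover_shift(text: str, known_prefix: bytes):
    """Brute-force the rotation: return the shift whose decode starts with known_prefix.

    Any non-zero offset changes the first 6-bit symbol, so a prefix of a few bytes
    identifies the rotation uniquely. Returns None if no rotation fits.
    """
    for shift in range(64):
        try:
            plain = custom_b64decode(text, rotate_alphabet(shift))
        except binascii.Error:
            continue  # malformed under this alphabet, try the next
        if plain.startswith(known_prefix):
            return shift
    return None


if __name__ == "__main__":
    # Constructed beacon body, not captured traffic.
    beacon = b"user=admin;host=WS01;domain=CORP"
    wire = custom_b64encode(beacon, rotate_alphabet(17))
    print("on the wire:", wire)
    shift = recover_shift(wire, b"user=")
    print("recovered shift:", shift)
    print("decoded:", custom_b64decode(wire, rotate_alphabet(shift)))
```

The same translate-then-decode approach works for any 64-symbol permutation, not just rotations; only the search space of `recover_shift` grows, at which point a known-plaintext attack on the first few symbols (which reveals the mapping symbol by symbol) replaces brute force.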

According to researchers at Sekoia, OysterLoader's primary job is to maintain persistence and deliver follow-on payloads, including ransomware and credential stealers, which makes it a critical early foothold in enterprise breaches.

Given its continuous updates, evolving infrastructure and heavy obfuscation, analysts expect OysterLoader to remain a significant threat through 2026, particularly for organisations whose staff download administrative tools from unverified sources.

IOC Table

Type        Indicator
Mutex       h6p#dx!&fse?%AS!
Task        COPYING3 (rundll32 DllRegisterServer)
C2 Domain   grandideapay[.]com/api/v2/facade
RC4 Key     vpjNm4FDCr82AtUfhe39EG5JLwuZszKPyTcXWVMHYnRgBkSQqxzBfb6m75HZV3UyRY8vPxDna4WC2KMAgJjQqukrFdELXeGNSws9SBFXnYJ6ExMyu97KCebD5mTwaUj42NPAvHdkGhVtczWgfrZ3sLyRZg4HuX97AnQtK8xvpLU2CWDhVq5PEfjTNz36wdFasecBrkGSDApf83d6NMyaJCsvcRBq9ZYKthjuw5S27EVzWrPHgkmUxFL4bQSgMa4F
IP          85.239.53.66
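The network indicators above (the C2 domain and IP, the "WordPressAgent" user-agent from the third-stage beacon) and the persistence indicators (the COPYING3 task, rundll32 with DllRegisterServer, the 13-minute interval) can be swept for directly. The Python below is an added example, not the article's or Sekoia's code: it refangs the defanged domain, runs the indicators over constructed proxy log lines (assumed format: time, source IP, destination host, destination IP, method, path, quoted user-agent) and over a constructed scheduled-task inventory of the shape one might export from Get-ScheduledTask. The DLL path in the sample task is invented.

```python
import re
from collections import namedtuple

# Indicators from the IOC table above, refanged ("[.]" -> ".") so they match raw logs.
IOC_C2_DOMAIN = "grandideapay.com"
IOC_C2_PATH = "/api/v2/facade"
IOC_C2_IP = "85.239.53.66"
IOC_USER_AGENT = "WordPressAgent"
IOC_TASK_NAME = "COPYING3"
IOC_TASK_INTERVAL_MIN = 13

# Constructed sample proxy log (assumed format, not real telemetry):
# <time> <src_ip> <dst_host> <dst_ip> <method> <path> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2025-03-01T09:12:01Z 10.0.0.21 updates.example.org 203.0.113.10 GET /feed "Mozilla/5.0 (Windows NT 10.0)"
2025-03-01T09:12:07Z 10.0.0.21 grandideapay.com 85.239.53.66 POST /api/v2/facade "WordPressAgent"
2025-03-01T09:13:40Z 10.0.0.34 cdn.example.net 198.51.100.7 GET /favicon.ico "WordPressAgent"
2025-03-01T09:14:02Z 10.0.0.34 intranet.example.org 10.0.0.2 GET /index.html "Mozilla/5.0 (Windows NT 10.0)"
""".splitlines()

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

Hit = namedtuple("Hit", "src_ip dst_host reasons")


def scan_proxy_log(lines):
    """Return one Hit per log line that matches any network indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        _time, src, host, dst_ip, _method, path, ua = m.groups()
        reasons = []
        if host.lower() == IOC_C2_DOMAIN:
            reasons.append("c2-domain")
        if dst_ip == IOC_C2_IP:
            reasons.append("c2-ip")
        if path == IOC_C2_PATH:
            reasons.append("c2-path")
        if ua == IOC_USER_AGENT:
            reasons.append("user-agent")
        if reasons:
            hits.append(Hit(src, host, tuple(reasons)))
    return hits


# Constructed scheduled-task inventory (assumed shape): name, command line,
# repetition interval in minutes. The DLL path is invented for the example.
SAMPLE_TASKS = [
    {"name": "OneDrive Standalone Update", "interval_min": 1440,
     "action": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"name": "COPYING3", "interval_min": 13,
     "action": r"rundll32.exe C:\Users\u\AppData\Roaming\payload.dll,DllRegisterServer"},
    {"name": "Backup", "interval_min": 60, "action": r"C:\Tools\backup.exe --full"},
]


def scan_scheduled_tasks(tasks):
    """Return (task name, reasons) for tasks matching the persistence indicators."""
    suspicious = []
    for t in tasks:
        reasons = []
        action = t["action"].lower()
        if t["name"] == IOC_TASK_NAME:
            reasons.append("task-name")
        if "rundll32" in action and "dllregisterserver" in action:
            reasons.append("rundll32-dllregisterserver")
        if t.get("interval_min") == IOC_TASK_INTERVAL_MIN:
            reasons.append("13-minute-interval")
        if reasons:
            suspicious.append((t["name"], tuple(reasons)))
    return suspicious


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network:", hit)
    for name, why in scan_scheduled_tasks(SAMPLE_TASKS):
        print("persistence:", name, why)
```

The second sample host (10.0.0.34) is flagged on the user-agent alone: the fixed "WordPressAgent" string catches beacons to C2 servers that are not yet in the indicator list, which is the point of matching on the loader's behaviour rather than only on its current infrastructure. A rundll32/DllRegisterServer task is not malicious by itself, so treat that rule as a triage signal to be combined with the others.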

