OysterLoader is a sophisticated multi-stage malware loader associated with ransomware intrusions and widespread data theft. The malware, also referred to as CleanUp and Broomstick, has been in use since mid-2024 and is now closely linked to the operations that culminate in Rhysida ransomware attacks.

OysterLoader, which is written in C++, spreads mainly through malicious websites that imitate trustworthy software download sites. Attackers usually pose as well-known IT tools such as Google Authenticator, WinSCP and PuTTY, and even as installers for AI software. Victims believe they are installing safe applications, while in fact they are running a signed Microsoft Installer (MSI) package that covertly starts the malware.

According to security reports, the loader is utilized by the Rhysida ransomware group and potentially by collaborators connected to the Wizard Spider cybercrime network.

[Figure: Decompiled code extraction using API flooding (Source: Sekoia)]

Researchers have also observed the malware delivering commodity threats such as the information-stealing trojan Vidar. Some infections begin with Gootloader campaigns that lead users to phony download pages.

Techniques for Multi-Stage Infection and Stealth

To avoid detection, OysterLoader employs a four-stage infection chain.

The first stage, handled by a packer called TextShell, loads hidden code straight into memory: it allocates executable memory and copies encrypted data into it in small chunks. To look legitimate and confuse security tools, the malware floods the system with hundreds of harmless Windows API calls. It also checks for a debugger and halts execution if analysis is detected.

[Figure: Output of the API hash resolution Python snippet (Source: Sekoia)]

To further conceal its behavior, OysterLoader resolves Windows functions dynamically through custom hashing rather than relying on a visible import table, so conventional antivirus software cannot spot suspicious API usage by inspecting imports. In the second stage, the shellcode decompresses a hidden payload using a modified LZMA algorithm.

Because the compression format has been altered, the payload is difficult to unpack with standard tools. After fixing up memory addresses and loading the required libraries, the shellcode executes the next component. The third stage acts as an environment tester and downloader: to detect sandboxes, it introduces timing delays, counts the number of running processes, and examines the system language.

If everything appears normal, the malware connects to its command-and-control (C2) server over HTTPS.

It masks its traffic with a "WordPressAgent" user-agent and phony headers. The server's response is a seemingly innocuous icon file in which encrypted malware data is concealed by steganography.

Delivery of Ransomware and Command-and-Control

Once the payload has been decoded, OysterLoader uses Windows Task Scheduler to install a malicious DLL that runs every thirteen minutes.

[Figure: Overview of the OysterLoader stage 2 shellcode graph (Source: Sekoia)]

The final stage contacts several hardcoded servers and transmits system data, including the operating system version, computer name, domain, and username. To evade network detection, the malware employs random shifting keys, modified Base64 encoding, and shifting communication endpoints. Newer versions even transmit lists of running processes and dynamically update their encryption alphabets during communication.

Sekoia researchers caution that OysterLoader's purpose is delivery and persistence.

Because it downloads additional payloads such as ransomware and credential stealers, it is a crucial point of entry for enterprise breaches. Its advanced obfuscation, changing infrastructure, and frequent updates show that the malware is under active development. Security experts expect OysterLoader to remain a serious risk in 2026, especially for businesses that download administrative tools from unreliable sources.

IOC Table

Type        Indicator
Mutex       h6p#dx!&fse?%AS!
Task        COPYING3 (rundll32 DllRegisterServer)
C2 Domain   grandideapay[.]com/api/v2/facade
RC4 Key     vpjNm4FDCr82AtUfhe39EG5JLwuZszKPyTcXWVMHYnRgBkSQqxzBfb6m75HZV3UyRY8vPxDna4WC2KMAgJjQqukrFdELXeGNSws9SBFXnYJ6ExMyu97KCebD5mTwaUj42NPAvHdkGhVtczWgfrZ3sLyRZg4HuX97AnQtK8xvpLU2CWDhVq5PEfjTNz36wdFasecBrkGSDApf83d6NMyaJCsvcRBq9ZYKthjuw5S27EVzWrPHgkmUxFL4bQSgMa4F
IP          85.239.53.66
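The following script is an added example, not code from the article or from Sekoia. It turns the C2 traffic description (the "WordPressAgent" user-agent, the grandideapay[.]com/api/v2/facade endpoint, the 85.239.53.66 address) and the persistence mechanism (a scheduled task named COPYING3 that runs rundll32 DllRegisterServer every thirteen minutes) into two defender-side checks: one over web proxy log lines and one over an exported Task Scheduler XML definition. The proxy log format, the task XML and the DLL path PLACEHOLDER.dll are constructed for the demonstration; the thirteen-minute interval is expressed as the ISO 8601 duration PT13M that Task Scheduler uses in its Repetition/Interval element.

```python
"""Defender-side checks for the OysterLoader indicators listed above.
Added example; sample log lines and task XML are constructed, not real captures."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicators from the article's IOC table and traffic description.
C2_DOMAIN = "grandideapay.com"        # refanged from grandideapay[.]com
C2_PATH = "/api/v2/facade"
C2_IP = "85.239.53.66"
C2_USER_AGENT = "WordPressAgent"
TASK_NAME = "COPYING3"
TASK_INTERVAL = "PT13M"               # "runs every thirteen minutes" as an ISO 8601 duration

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TS_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed proxy log lines: timestamp client method url status "user-agent".
SAMPLE_PROXY_LOG = [
    '2025-11-03T10:02:11Z 10.0.0.14 GET https://www.example.org/index.html 200 "Mozilla/5.0"',
    '2025-11-03T10:02:40Z 10.0.0.14 POST https://grandideapay.com/api/v2/facade 200 "WordPressAgent"',
    '2025-11-03T10:15:40Z 10.0.0.14 POST https://85.239.53.66/api/v2/facade 200 "WordPressAgent"',
    '2025-11-03T10:16:02Z 10.0.0.22 GET https://update.example.org/check 304 "Mozilla/5.0"',
]

# Constructed task definition mirroring the persistence described in the article.
# PLACEHOLDER.dll stands in for the malicious DLL path, which the article does not give.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\COPYING3</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT13M</Interval></Repetition>
      <StartBoundary>2025-11-03T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\Public\PLACEHOLDER.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return every line that matches the C2 user-agent, host or URL path,
    with the list of reasons it matched (one line can match several)."""
    hits = []
    for line in lines:
        reasons = []
        # The user-agent is the final quoted field in the constructed format.
        m = re.search(r'"([^"]*)"\s*$', line)
        user_agent = m.group(1) if m else ""
        if user_agent == C2_USER_AGENT:
            reasons.append("user-agent")
        if C2_DOMAIN in line or C2_IP in line:
            reasons.append("c2-host")
        if C2_PATH in line:
            reasons.append("c2-path")
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


def check_task_xml(xml_text: str) -> List[str]:
    """Return the reasons a Task Scheduler XML definition resembles the
    OysterLoader persistence task; an empty list means no match."""
    root = ET.fromstring(xml_text)
    reasons = []
    uri = root.findtext(f"{TS_NS}RegistrationInfo/{TS_NS}URI") or ""
    if uri.strip().endswith(TASK_NAME):
        reasons.append("task name COPYING3")
    for interval in root.iter(TS_NS + "Interval"):
        if (interval.text or "").strip() == TASK_INTERVAL:
            reasons.append("13-minute repetition")
    for exec_action in root.iter(TS_NS + "Exec"):
        command = (exec_action.findtext(TS_NS + "Command") or "").lower()
        arguments = exec_action.findtext(TS_NS + "Arguments") or ""
        if "rundll32" in command and "DllRegisterServer" in arguments:
            reasons.append("rundll32 DllRegisterServer action")
    return reasons


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit["reasons"], hit["line"])
    print("task:", check_task_xml(SAMPLE_TASK_XML))
```

Any single reason is worth a look, but the combination of the task name, the thirteen-minute repetition and a rundll32 DllRegisterServer action is the pattern the article describes, so an alert rule would normally require at least two of the three to cut noise from benign rundll32 tasks.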