Operators of the Rhysida ransomware launch their attacks by imitating well-known programs like Google Authenticator and PuTTY on phony websites. Users are tricked by these malvertising campaigns into downloading signed MSI installers that install OysterLoader, a multi-stage C++ loader first observed in mid-2024.
Attackers promote malicious websites that mimic IT software like PuTTY, WinSCP, or Google Authenticator by using SEO poisoning and sponsored advertisements on Bing or Google. To get past browser and OS warnings, victims download what appears to be a genuine MSI installer, frequently signed with stolen certificates. The infection proceeds in four stages: a TextShell packer (Stage 1), custom shellcode (Stage 2), an intermediate downloader DLL (Stage 3), and the core loader (Stage 4).
To imitate benign software and defeat heuristics, Stage 1 uses API hammering, flooding its code with pointless calls to GDI functions like CreateSolidBrush and GetDC. It also performs basic anti-debug checks such as IsDebuggerPresent() and resolves APIs dynamically with a custom string hash of the form h = (h * 0x2001 + ord(ch)). It allocates RWX memory with NtAllocateVirtualMemory, copies the shuffled shellcode into it in 8-byte chunks, and then executes it.
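The hash step quoted above is enough to rebuild the resolver on the defender's side: precompute the hash of every export name you care about, then map hash constants recovered from a sample back to API names. The following is an added example, not Sekoia's code. The multiplier 0x2001 and the per-character update come from the write-up; the zero seed and 32-bit truncation are assumptions made here, and the candidate API list and the scanned byte blob are constructed for illustration.

```python
# Added example (not Sekoia's code): rebuilding the OysterLoader Stage 1 API
# hash so that hash constants found in a sample can be mapped back to export
# names. The multiplier 0x2001 and the h = h * 0x2001 + ord(ch) update are
# from the write-up; the seed of 0 and 32-bit truncation are assumptions.

import struct
from typing import Dict, Iterable, List, Optional, Tuple

MULTIPLIER = 0x2001   # from the write-up
SEED = 0              # assumption: no seed value is published
MASK = 0xFFFFFFFF     # assumption: 32-bit accumulator


def api_hash(name: str, seed: int = SEED) -> int:
    """Hash an export name one character at a time, as the loader does."""
    h = seed
    for ch in name:
        h = (h * MULTIPLIER + ord(ch)) & MASK
    return h


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name for a list of candidate APIs."""
    return {api_hash(n): n for n in names}


def resolve_hash(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map a hash recovered from the loader back to an API name, if known."""
    return table.get(h)


def find_known_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Scan a dumped code/data region for little-endian DWORDs that match a
    known hash. Constants embedded in x86 code are not aligned, so every byte
    offset is tried."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        name = table.get(value)
        if name is not None:
            hits.append((off, name))
    return hits


# Constructed candidate list: the APIs named in the write-up.
CANDIDATE_APIS = [
    "CreateSolidBrush", "GetDC", "IsDebuggerPresent",
    "NtAllocateVirtualMemory", "LoadLibraryA", "GetProcAddress", "VirtualProtect",
]
HASH_TABLE = build_hash_table(CANDIDATE_APIS)

# Constructed blob: filler, two known hashes, filler (stands in for a dump).
SAMPLE_BLOB = (
    b"\x00\x00\x00\x00"
    + struct.pack("<I", api_hash("GetDC"))
    + struct.pack("<I", api_hash("VirtualProtect"))
    + b"\xff\xff\xff\xff"
)

if __name__ == "__main__":
    for name in CANDIDATE_APIS:
        print(f"0x{api_hash(name):08x}  {name}")
    print(find_known_hashes(SAMPLE_BLOB, HASH_TABLE))
```

Extend CANDIDATE_APIS with the export lists of kernel32.dll, ntdll.dll and gdi32.dll to resolve a full sample; if nothing resolves, the seed or mask assumption is probably wrong and should be adjusted from the decompiled routine.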
[Figure: Decompiled code extraction using API flooding (Source: Sekoia)]
Stage 2 shellcode decompresses the payload with a custom LZMA routine that uses a non-standard header, so standard tools like 7-Zip cannot unpack it directly. It resolves imports with LoadLibraryA/GetProcAddress, applies relocation fixups for position-independent code, and uses VirtualProtect to set executable permissions.
Evasion and Persistence
Stage 3 checks its environment by counting running processes (testing whether fewer than 60 are present), creating mutexes (e.g., "h6p#dx!&fse?%AS!"), and running timing tests built from repeated Beep/Sleep loops. It then contacts its C2 over HTTPS at /reg using spoofed headers (a WordPressAgent User-Agent and an x-amz-cf-id bot identifier).
Then, at /login, it retrieves a steganographic ICO that conceals RC4-encrypted PE data under the key "vpjNm4FDCr82AtUf…".
[Figure: output of the API hash resolution Python snippet (Source: Sekoia)]
The DLL (COPYING3.dll, for example) is dropped to %APPDATA% and kept alive by a scheduled task that fires every 13 minutes: schtasks /Create /SC MINUTE /MO 13 /TN "COPYING3" /TR "rundll32.exe …"
Stage 4, the core loader, beacons to hardcoded IP addresses (85.239.53.66, 51.222.96.108, 135.125.241.45) over HTTP on port 80 and reuses obfuscation techniques such as LZMA unpacking.
It transmits JSON fingerprints (username, OS version and, in more recent versions, the running processes) encoded with a custom Base64 alphabet ("yog/N3fj5ISmbep=Wu2k+BZcP0t4CYR1dQxHUaXEwGDKJV7i9ML6snhzrlqO8vAFT") combined with Mersenne Twister shifts.
[Figure: Overview of the OysterLoader stage 2 shellcode graph (Source: Sekoia)]
The most recent (January 2026) endpoints are /api/v2/init and /api/v2/facade on domains such as grandideapay[.]com. Earlier endpoints were /api/kcehc for check-in and /api/jgfnsfnuefcnegfnehjbfncejfh for commands.
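The quoted alphabet is a permutation of the standard Base64 character set including the pad, so a captured beacon body can be decoded with a character translation to the standard alphabet followed by an ordinary Base64 decode, and the same decode doubles as a network-side check for whether a body is an OysterLoader-style JSON fingerprint. The following is an added example, not Sekoia's code. It assumes the alphabet is positional (the symbol at index i encodes value i, the 65th symbol replaces the pad); the Mersenne Twister step mentioned above is not reproduced, and the sample fingerprint is constructed.

```python
# Added example (not Sekoia's code): decoding beacons that use the custom
# Base64 alphabet quoted in the write-up. Assumptions: the alphabet is
# positional (index i encodes value i) and its 65th symbol is the pad. The
# Mersenne Twister shifts mentioned in the write-up are not handled here.

import base64
import json
from typing import Any, Dict

CUSTOM_ALPHABET = "yog/N3fj5ISmbep=Wu2k+BZcP0t4CYR1dQxHUaXEwGDKJV7i9ML6snhzrlqO8vAFT"
STANDARD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)
# Sanity check: the custom alphabet must be a permutation of the standard one.
assert len(CUSTOM_ALPHABET) == 65 and sorted(CUSTOM_ALPHABET) == sorted(STANDARD_ALPHABET)

TO_STANDARD = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
TO_CUSTOM = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)


def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then substitute each symbol with its custom counterpart."""
    return base64.b64encode(data).decode("ascii").translate(TO_CUSTOM)


def custom_b64decode(text: str) -> bytes:
    """Reverse the substitution, then decode strictly (bad symbols raise)."""
    return base64.b64decode(text.translate(TO_STANDARD), validate=True)


def decode_beacon(body: str) -> Dict[str, Any]:
    """Decode a beacon body into its JSON fingerprint; raises on malformed input."""
    return json.loads(custom_b64decode(body).decode("utf-8"))


def looks_like_oyster_beacon(body: str) -> bool:
    """Network-filter heuristic: the body decodes under the custom alphabet
    to a JSON object. Standard Base64 of the same data fails this test because
    the translation scrambles it. Catches binascii/unicode/JSON ValueErrors."""
    try:
        return isinstance(decode_beacon(body), dict)
    except ValueError:
        return False


# Constructed fingerprint mirroring the fields named in the write-up.
SAMPLE_FINGERPRINT = {
    "username": "analyst",
    "os": "10.0.19045",
    "procs": ["explorer.exe", "putty.exe"],
}
SAMPLE_BEACON = custom_b64encode(
    json.dumps(SAMPLE_FINGERPRINT, separators=(",", ":")).encode("utf-8")
)
# The same JSON in plain Base64, to show the heuristic rejects it.
SAMPLE_STANDARD_B64 = base64.b64encode(
    json.dumps(SAMPLE_FINGERPRINT, separators=(",", ":")).encode("utf-8")
).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_BEACON)
    print(decode_beacon(SAMPLE_BEACON))
    print(looks_like_oyster_beacon(SAMPLE_BEACON), looks_like_oyster_beacon(SAMPLE_STANDARD_B64))
```

Because the character set is identical to standard Base64, a filter cannot distinguish the two by inspecting symbols alone; the decode-and-parse check above is the minimum that works, and on a real capture it should be applied to POST bodies sent to the /api/v2/init and /api/v2/facade paths.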
Rhysida Ties and IOCs
OysterLoader has been seen delivering stealers such as Vidar and arriving through Gootloader chains, facilitates Rhysida ransomware, and is connected to WIZARD SPIDER. Rhysida cycled through 47 code-signing certificates in its 2025 campaigns and abused Microsoft Trusted Signing, resulting in more than 200 revocations. grandideapay[.]com and nucleusgate[.]com are recent domains; the mutexes are "h6p#dx!&fse?%AS!" and "s6p1dx!&fse?%AS!"; the scheduled task names are VisualUpdater and AlphaSecurity. Sekoia advises defenders to block these IOCs, watch for lures impersonating PuTTY or Google Authenticator, scrutinize signed MSIs from unknown sources, and monitor Task Scheduler for rundll32 persistence.
Endpoint tooling can flag the custom LZMA routine and API flooding, while network filters can catch the unusual JSON/Base64 beacons.
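The Task Scheduler advice above translates directly into a rule over process-creation command lines: a schtasks /Create whose action runs rundll32, or whose task name matches one of the reported names, with a minute-level trigger as supporting evidence. The following is an added example, not Sekoia's code. The task names COPYING3, VisualUpdater and AlphaSecurity come from the write-up; the 15-minute threshold, the sample log lines and the DLL paths and export names in them are constructed for illustration.

```python
# Added example (not Sekoia's code): a detection over process-creation command
# lines for the scheduled-task persistence described in the write-up. Task
# names are from the write-up; MAX_MINUTES and all sample lines are constructed.

import re
from dataclasses import dataclass
from typing import List, Optional

KNOWN_TASK_NAMES = {"COPYING3", "VisualUpdater", "AlphaSecurity"}  # from the write-up
MAX_MINUTES = 15  # assumption: minute triggers at or below this look beacon-like

# Copied logs and write-ups often carry curly quotes; fold them to ASCII first.
_CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


@dataclass
class Finding:
    line_no: int
    task_name: str
    interval_minutes: Optional[int]
    reasons: List[str]


def _tokens(cmd: str) -> List[str]:
    """Split a command line, keeping double-quoted arguments as one token."""
    raw = re.findall(r'"[^"]*"|\S+', cmd.translate(_CURLY))
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in raw]


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value following a schtasks switch, matched case-insensitively."""
    for i in range(len(tokens) - 1):
        if tokens[i].lower() == flag:
            return tokens[i + 1]
    return None


def analyze_command(cmd: str, line_no: int = 0) -> Optional[Finding]:
    tokens = _tokens(cmd)
    if not tokens:
        return None
    exe = re.split(r"[\\/]", tokens[0])[-1].lower()  # basename, Windows or POSIX
    if exe not in ("schtasks", "schtasks.exe") or not any(t.lower() == "/create" for t in tokens):
        return None
    task = _opt(tokens, "/tn") or ""
    action = _opt(tokens, "/tr") or ""
    schedule = (_opt(tokens, "/sc") or "").lower()
    modifier = _opt(tokens, "/mo")
    runs_rundll32 = "rundll32" in action.lower()
    known_name = task in KNOWN_TASK_NAMES
    if not (runs_rundll32 or known_name):
        return None
    reasons = []
    if runs_rundll32:
        reasons.append("task action launches rundll32")
    if known_name:
        reasons.append(f"task name {task} matches a reported OysterLoader IOC")
    interval = None
    if schedule == "minute":
        # schtasks defaults the modifier to 1 when /MO is omitted.
        interval = int(modifier) if modifier and modifier.isdigit() else 1
        if interval <= MAX_MINUTES:
            reasons.append(f"minute-level trigger every {interval} min")
    return Finding(line_no, task, interval, reasons)


def scan_log(text: str) -> List[Finding]:
    """Run analyze_command over every non-blank line of a command-line log."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            f = analyze_command(line.strip(), n)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample log: one line mimics the write-up's command (with curly
# quotes as printed there), one uses a reported task name, the rest are benign.
SAMPLE_LOG = "\n".join([
    'schtasks /Create /SC MINUTE /MO 13 /TN \u201cCOPYING3\u201d /TR \u201crundll32.exe '
    'C:\\Users\\user\\AppData\\Roaming\\COPYING3.dll,ExportPlaceholder\u201d',
    r'schtasks /Create /SC DAILY /ST 09:00 /TN "NightlyBackup" /TR "C:\Tools\backup.exe"',
    r'C:\Windows\System32\SCHTASKS.EXE /create /sc minute /tn VisualUpdater '
    r'/tr "C:\Windows\System32\rundll32.exe C:\ProgramData\upd.dll,ExportPlaceholder"',
    r'schtasks /Query /TN COPYING3',
    r'notepad.exe C:\notes.txt',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Feed it Sysmon event 1 or Windows 4688 command lines; the known-name match is brittle by design and will age out, while the rundll32-plus-minute-trigger combination is the durable part of the rule.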