OysterLoader
OysterLoader is a C++ multi-stage malware loader used to deploy ransomware and commodity malware, including Vidar. It has been linked to the Rhysida ransomware gang and is also referred to as Broomstick and CleanUp. Delivery has been observed via compromised websites impersonating legitimate software download pages, with the malware distributed as a Microsoft Installer (MSI) file.
Reported infection chains consist of four stages. The first stage is a packed obfuscator called TextShell, which loads obfuscated shellcode in memory. A subsequent shellcode layer decompresses the next stage using a custom LZMA routine. An intermediate downloader performs environment checks, creates a mutex, and initiates command-and-control communications. The final stage delivers the core payload as a DLL, drops it on the victim host, and establishes persistence via a scheduled task configured to run every 13 minutes.
OysterLoader uses multiple anti-analysis and evasion techniques, including API call flooding, custom dynamic API resolution, anti-debugging checks, obfuscated HTTP headers, custom user-agent strings, and a proprietary Base64-like encoding scheme. It also uses steganographic payload delivery through PNG icons. Its command-and-control architecture uses tiered HTTPS infrastructure with hard-coded IP addresses and domains. More recent reporting indicates a change in network behavior from fixed registration and beaconing endpoints to an initialization flow using an empty GET request to /api/v2/init that submits a fingerprint before beaconing to an assigned endpoint.
High-confidence indicators and behaviors mentioned in the source include MSI-based delivery from fake software sites, mutex creation, scheduled-task persistence, rundll32.exe loading DLLs from %APPDATA%, and a dropped DLL named COPYING3.dll.
Groups observed using it
2 distinct threat actors attributed by public researchers.
OysterLoader, also known as Broomstick and CleanUp, is a multi-stage malware developed in C++ that belongs to the loader (also known as downloader) malware family.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The loader is typically delivered through fraudulent websites impersonating legitimate IT tools, including PuTTY and WinSCP.
Execution
2 techniques
Persistence is maintained by a scheduled task configured to run every 13 minutes.
It spreads through compromised sites that impersonate legitimate software installers and is delivered as a Microsoft Installer (MSI).
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
11 techniques
The code of the initial stage is full of useless API calls to legitimate DLL... the first stage employs common techniques such as API hammering and dynamic API resolution.
The C2 responds with an image... the malware uses steganography to hide the next stage payload as an icon.
Dynamic API resolution often implemented through custom hashing algorithms... The packer is no exception: it relies on dynamically imported APIs, but each sample uses a slightly different hashing algorithm.
It spreads through compromised sites that impersonate legitimate software installers and is delivered as a Microsoft Installer (MSI).
Stage 2: Custom shellcode that decompresses the core payload using a modified LZMA routine.
Alert on scheduled task name patterns and the use of rundll32.exe to load DLLs from %APPDATA%.
The report outlines four stages: a packed obfuscator (TextShell), a shellcode layer that inflates content with LZMA, a downloader that performs environment checks and creates a mutex, and a final stage that drops a DLL and installs a scheduled task.
Stage 3: An intermediate downloader that performs environment checks and initiates C2 contact.
The main function uses EnumProcess to count the number of running processes; if the count is below 60, the malware exits.
Uses NtAllocateVirtualMemory to allocate memory with RWX permissions. Copies data into the allocated buffer... Executes a specific fixed offset in the shellcode previously allocated.
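The detection guidance above (rundll32.exe loading a DLL from %APPDATA%, and a scheduled task with a 13-minute interval) as a worked check over sample events. This is an added example, not code from the page or from any vendor report; the event fields are modelled on Sysmon process-creation records, the command lines and user name are constructed, and the task name is a placeholder.

```python
import re

# Constructed sample process-creation events (fields modelled on Sysmon Event ID 1).
# Event 0 and 1 mimic the behaviours described on the page; 2 and 3 are benign noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\COPYING3.dll,Entry"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "PLACEHOLDER_TASK" /sc minute /mo 13 '
                    r'/tr "rundll32 C:\Users\alice\AppData\Roaming\COPYING3.dll"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Program Files\PuTTY\putty.exe", "CommandLine": "putty.exe"},
]

# A DLL path under the user's roaming or local AppData directory (%APPDATA%, %LOCALAPPDATA%).
APPDATA_DLL = re.compile(r'\\AppData\\(?:Roaming|Local)\\[^\s"]*?\.dll', re.IGNORECASE)
# schtasks.exe creating a task that fires every 13 minutes.
SCHTASKS_13MIN = re.compile(r"/sc\s+minute\s+/mo\s+13\b", re.IGNORECASE)


def classify_event(event):
    """Return the names of the rules one process-creation event trips (empty if clean)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image.endswith("\\rundll32.exe") and APPDATA_DLL.search(cmd):
        hits.append("rundll32_appdata_dll")
    if image.endswith("\\schtasks.exe") and SCHTASKS_13MIN.search(cmd):
        hits.append("schtask_13min_interval")
        if APPDATA_DLL.search(cmd):
            # Both traits together: the task action itself runs a DLL out of AppData.
            hits.append("schtask_runs_appdata_dll")
    return hits


def scan(events):
    """Return (event index, rule names) for every event that tripped at least one rule."""
    findings = []
    for index, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", ", ".join(hits))
```

Tune the 13-minute interval and the %APPDATA% path pattern to the telemetry you actually collect; the two traits combined are a far stronger signal than either alone.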
Discovery
8 techniques
The first data that is sent to the C2 is a JSON... "a5": "[domain info]", "a7": "[domain name]"
The first data that is sent to the C2 is a JSON... "a3": "[username]"
The main function uses EnumProcess to count the number of running processes; if the count is below 60, the malware exits.
The latest iteration introduces a three-step process, beginning with an empty GET request to /api/v2/init, followed by a fingerprint submission to /api/v2/facade
Stage 3: An intermediate downloader that performs environment checks and initiates C2 contact.
The function checks whether the host executing the malware has its system language set to Russian.
Command and Control
6 techniques
OysterLoader communicates with its C2 servers over HTTP and HTTPS using spoofed headers and deceptive user-agent strings to blend with normal web traffic.
More sophisticated command-and-control and obfuscation tactics have been integrated into the OysterLoader malware... While only two endpoints were previously used by OysterLoader for registration and beaconing, the malware has since pivoted to sending an empty GET request to /api/v2/init, where a fingerprint is also submitted, before beaconing to an assigned endpoint.
OysterLoader... has been deployed through an updated multi-stage infection chain... Multiple environment checks are then conducted by an intermediate downloader, which also begins C2 communications, before the delivery of the core payload as a DLL.
A final stage that drops a DLL and installs a scheduled task.
The loader talks to a tiered HTTPS C2 infrastructure using obfuscated HTTP headers and a proprietary Base64-like encoding.
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
No public activity observed for this malware family.