OysterLoader, a sophisticated multi-stage malware loader first identified in September 2023, continues to evolve throughout 2026 with advanced obfuscation techniques and command-and-control (C2) infrastructure. This malware loader targets global organizations across technology and IT sectors, primarily distributing through malvertising campaigns that redirect users to fake download sites impersonating popular software applications including PuTTY, WinSCP, Google Authenticator, Microsoft Teams, and Google Chrome.
The OysterLoader malware, also known as Broomstick, CleanUp, and CleanUpLoader, operates on Windows platforms and leverages valid Authenticode certificates from legitimate companies to establish trust and bypass security controls. OysterLoader functions as a delivery mechanism for dangerous payloads including Rhysida ransomware and Vidar infostealer, making it a significant threat to enterprise security.
Since its initial discovery, OysterLoader has demonstrated sustained development with continuous updates to C2 endpoints, obfuscation methods, and fingerprinting schemas. This ongoing evolution signals active and committed threat actor operations behind the malware loader, with OysterLoader campaigns expanding through integration with the Gootloader malware framework to broaden initial access vectors.
OysterLoader Distribution and Initial Compromise
OysterLoader spreads primarily through malvertising campaigns that exploit search engine results to direct potential victims to counterfeit websites. These fraudulent sites masquerade as legitimate download portals for widely-used software applications such as Microsoft Teams, Google Chrome, PuTTY, and WinSCP. The malicious websites employ typosquatted domains designed to deceive users into believing they are accessing official software sources.
The malware loader installers distributed through these fake sites are signed with valid Authenticode certificates obtained from legitimate companies, significantly enhancing the illusion of authenticity and allowing OysterLoader to bypass security controls that rely on code signing verification. OysterLoader distribution methods have expanded through integration with the Gootloader malware framework, broadening the threat actor’s initial access capabilities.
Multi-Stage Infection Process
Upon execution, OysterLoader initiates a sophisticated four-stage infection process. The first stage, known as TextShell, employs API call flooding with hundreds of legitimate Windows DLL calls, including GDI functions, specifically designed to evade heuristic detection systems, confuse sandbox analysis environments, and hinder reverse engineering efforts. This stage also implements anti-debugging techniques using methods like IsDebuggerPresent, trapping execution in infinite loops if debugging is detected. The packer dynamically resolves critical API functions through custom hashing algorithms, making signature-based detection extremely difficult.
The third stage functions as an intermediate downloader that validates the compromised environment, creates a mutex to prevent duplicate malware instances, and establishes communication with command-and-control servers. The OysterLoader C2 protocol has evolved from a simple two-endpoint model to a more sophisticated three-step process consisting of an initial empty GET request, followed by system fingerprint submission, and concluding with dynamic beaconing to new endpoints.
Persistence and Payload Delivery
In the fourth stage, OysterLoader establishes persistence mechanisms and prepares for final payload delivery. The malware drops a DLL file into the %APPDATA% or Temp directory and creates a scheduled task named “ClearMngs” that executes the DLL via rundll32.exe at intervals ranging from 13 minutes to three hours. Additionally, OysterLoader uses Registry Run Keys for persistence, ensuring the malware survives system reboots and maintains long-term access to compromised systems.
Block Unsigned and Untrusted MSI Installers
Configure endpoint protection policies to prevent execution of MSI files that are not signed by a verified, trusted publisher. Because OysterLoader installers carry valid Authenticode signatures obtained from legitimate companies, a check for "any valid signature" is not sufficient: allowlist the specific publishers expected to install software (for example with AppLocker or WDAC publisher rules) and restrict installation to approved sources only, reducing the attack surface for OysterLoader and similar malware loader threats.
Monitor for Suspicious Scheduled Task Creation
Deploy detection rules to alert on the creation of scheduled tasks (Windows Security event ID 4698, which requires the "Audit Other Object Access Events" subcategory to be enabled) whose action invokes rundll32.exe to load a DLL from a user-writable directory such as %APPDATA% or %TEMP%. Specifically monitor for task names matching known OysterLoader patterns such as ClearMngs to identify potentially compromised endpoints.
Detect Anomalous API Call Patterns
Tune endpoint detection and response (EDR) solutions to identify processes exhibiting high volumes of GDI and system API calls that are inconsistent with their declared purpose, which may indicate API flooding obfuscation techniques employed by OysterLoader malware.
Enforce TLS Inspection for Outbound Traffic
Implement TLS inspection on egress traffic to identify custom HTTP headers, non-standard or missing user-agent strings, and anomalous Base64-encoded POST bodies characteristic of OysterLoader command-and-control communications, including requests to the /api/v2/facade paths listed in the indicators below. Without decryption only the destination host and the timing of the three-step exchange are visible.
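The following is an added example, not code from the original report or from Sekoia: a heuristic pass over decrypted egress HTTP logs that combines the indicators on this page (C2 hosts, IPs and the /api/v2/facade path) with the behaviours described above (non-browser or missing User-Agent, an opaque Base64 POST body, and a Base64 POST that follows an empty GET to the same host, matching the described fingerprint step). The JSON-lines log format, the field names and the sample requests are constructed for this example; a real TLS-inspecting proxy will export different field names and the heuristic thresholds will need tuning.

```python
"""Heuristic review of decrypted egress HTTP logs for OysterLoader-style C2 traffic.

Assumes a TLS-inspecting proxy exports one JSON object per request with the
fields used below (constructed format). Sample log lines are constructed.
"""
import base64
import binascii
import json
import re

# Hosts and IPs from the IOC list on this page (defanging removed).
IOC_HOSTS = {
    "grandideapay.com", "nucleusgate.com", "cardlowestgroup.com",
    "socialcloudguru.com", "coretether.com", "registrywave.com",
    "85.239.53.66", "51.222.96.108", "135.125.241.45",
    "149.248.79.62", "64.95.10.243", "206.166.251.114",
}
IOC_PATH = "/api/v2/facade"
# Rough shape of a mainstream browser User-Agent; anything else posting opaque data is worth a look.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def is_base64_blob(text):
    """True when the whole body is one valid Base64 string of at least 32 characters."""
    text = text.strip()
    if not B64_BLOB.fullmatch(text) or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
    except binascii.Error:
        return False
    return True


def classify(req, state):
    """Return reasons this request looks like loader C2.

    `state` is a set of (src, host) pairs that have sent an empty GET, used to
    spot the empty-GET-then-fingerprint-POST sequence described for this loader.
    """
    reasons = []
    host = req.get("host", "").lower()
    ioc = host in IOC_HOSTS or req.get("path") == IOC_PATH
    if host in IOC_HOSTS:
        reasons.append(f"destination in IOC list: {host}")
    if req.get("path") == IOC_PATH:
        reasons.append(f"request to known C2 path {IOC_PATH}")
    ua = req.get("user_agent", "")
    if not ua:
        reasons.append("missing User-Agent")
    elif not BROWSER_UA.match(ua):
        reasons.append(f"non-browser User-Agent: {ua}")
    body = req.get("body", "")
    key = (req.get("src"), host)
    if req.get("method") == "GET" and not body:
        state.add(key)  # candidate step 1: empty GET to the C2 host
    elif req.get("method") == "POST" and is_base64_blob(body):
        reasons.append("POST body is an opaque Base64 blob")
        if key in state:
            reasons.append("Base64 POST follows an empty GET to the same host (fingerprint step)")
    # An IOC match is always a hit; otherwise require two independent heuristics.
    return reasons if reasons and (ioc or len(reasons) >= 2) else []


def scan_log(lines):
    """Return (src, host, reasons) for every request that classify() flags."""
    state = set()
    hits = []
    for line in lines:
        req = json.loads(line)
        reasons = classify(req, state)
        if reasons:
            hits.append((req["src"], req["host"], reasons))
    return hits


# Constructed fingerprint blob standing in for the Base64 system fingerprint.
SAMPLE_BLOB = base64.b64encode(
    b"hostname=WS01;user=alice;os=10.0.19045;id=0123456789abcdef").decode()

SAMPLE_LOG = [json.dumps(r) for r in [
    # step 1 and 2 of the described exchange against a listed C2 host
    {"src": "10.0.0.5", "method": "GET", "host": "grandideapay.com", "path": IOC_PATH, "user_agent": "", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "host": "grandideapay.com", "path": IOC_PATH, "user_agent": "", "body": SAMPLE_BLOB},
    # benign browsing and a benign non-browser updater
    {"src": "10.0.0.7", "method": "GET", "host": "example.com", "path": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "body": ""},
    {"src": "10.0.0.7", "method": "POST", "host": "updates.example.net", "path": "/telemetry", "user_agent": "MyUpdater/1.0", "body": '{"v":1}'},
    # same three-step shape against a host that is NOT yet on any IOC list
    {"src": "10.0.0.9", "method": "GET", "host": "cdn-metrics.example.org", "path": "/check", "user_agent": "Updater/2.1", "body": ""},
    {"src": "10.0.0.9", "method": "POST", "host": "cdn-metrics.example.org", "path": "/check", "user_agent": "Updater/2.1", "body": SAMPLE_BLOB},
]]

if __name__ == "__main__":
    for src, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host}: " + "; ".join(reasons))
```

The last pair of sample requests is the point of the behavioural rules: the host is not on the indicator list, yet the empty GET followed by a Base64 POST from a non-browser client is the same shape as the documented exchange, which is what survives the loader's routine rotation of C2 endpoints.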
Hunt for Known Mutex Values
Conduct threat hunting across the enterprise for mutex objects matching known OysterLoader values, such as ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1, to identify potentially compromised endpoints and enable rapid incident response. Neither Sysmon nor the Windows Security log records mutex creation, so this hunt requires live handle enumeration on the endpoint (for example Sysinternals handle.exe or an EDR object query) or memory analysis, and a named mutex created by a non-elevated process lives in that user's session namespace, so a check must cover both the session-local and the Global namespace.
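An added example of the live check, not code from the original report: on the Windows host being hunted it calls OpenMutexW for the mutex named above in both the caller's session namespace and the Global namespace, treating ERROR_ACCESS_DENIED as "present" because the object exists even though the hunting account cannot open it. The ctypes call and the Win32 error codes are standard; the `opener` parameter is an assumption of this example that lets the logic be exercised without Windows.

```python
"""Live hunt for OysterLoader's known mutex on a Windows host.

Uses OpenMutexW through ctypes (no third-party modules). The mutex name is from
this page's IOC list; `opener` is injectable so the logic can be tested off-Windows.
"""
import ctypes
import sys

SYNCHRONIZE = 0x00100000
ERROR_FILE_NOT_FOUND = 2   # no object with that name in the namespace searched
ERROR_ACCESS_DENIED = 5    # the object exists but our token cannot open it: still a hit

OYSTER_MUTEXES = ["ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1"]


def win_open_mutex(name):
    """Return 'present', 'absent' or 'error:<code>' for one mutex name (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return "present"
    err = ctypes.get_last_error()
    if err == ERROR_ACCESS_DENIED:
        return "present"
    if err == ERROR_FILE_NOT_FOUND:
        return "absent"
    return f"error:{err}"


def hunt(names, opener=win_open_mutex):
    """Check every name in the caller's session namespace and in Global\\."""
    results = {}
    for name in names:
        for candidate in (name, "Global\\" + name):
            results[candidate] = opener(candidate)
    return results


def compromised(results):
    """Sorted list of mutex names that were found to exist."""
    return sorted(name for name, status in results.items() if status == "present")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being hunted")
    found = hunt(OYSTER_MUTEXES)
    for name, status in found.items():
        print(f"{status:8} {name}")
    sys.exit(1 if compromised(found) else 0)
```

Run it under each interactive session on a shared host (a bare name resolves only within the caller's session), or combine it with handle enumeration when the loader may be running under another user.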
Restrict Rundll32 Usage
Implement policies to monitor and restrict the use of rundll32.exe for loading DLLs from non-standard or user-writable locations. Alert on any rundll32.exe invocation, whether from a scheduled task, a Run key or an interactive parent, whose command line references a DLL in %TEMP%, %APPDATA%, or another suspicious path, to detect OysterLoader persistence mechanisms.
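As an added example covering the scheduled-task rule above and the rundll32 rule here, not code from the original report, the following detection logic runs over Windows Security event 4698 records (task name plus the Task Scheduler XML body) and Sysmon event 1 process-creation records, flagging a known task name, a task action that runs rundll32 against a DLL in a user-writable directory, and any rundll32 command line doing the same. The event dictionaries, the host names and the DLL export argument are constructed; the directory list and the task XML namespace are standard Windows values.

```python
"""Detection logic for OysterLoader-style rundll32 persistence.

Input: dicts in the shape of Windows Security event 4698 (scheduled task created)
and Sysmon event 1 (process creation). Sample events below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Directories a standard user can write to. A DLL dropped here and called from
# rundll32 is the persistence pattern described above.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:AppData\\(?:Local|Roaming|LocalLow)|Temp|Users\\Public|ProgramData)\\")
# Task names reported for this loader (from the IOC section of this page).
KNOWN_TASK_NAMES = {"clearmngs"}
# rundll32 as the executable, bare or with a full quoted path.
RUNDLL32 = re.compile(r'(?i)(?:^|[\\\s"])rundll32(?:\.exe)?(?:"|\s|$)')
# A DLL argument, either quoted (may contain spaces) or bare (stops at space/comma).
DLL_PATH = re.compile(r'(?i)"([^"]+?\.dll)"|([a-z]:\\[^\s",]+?\.dll)')


def rundll32_user_writable(cmdline: str) -> Optional[str]:
    """Return the DLL path when cmdline runs rundll32 on a DLL in a user-writable directory."""
    if not RUNDLL32.search(cmdline):
        return None
    for quoted, bare in DLL_PATH.findall(cmdline):
        path = quoted or bare
        if USER_WRITABLE.search(path):
            return path
    return None


def task_action(task_xml: str) -> str:
    """Flatten the <Exec><Command>/<Arguments> of a Task Scheduler XML body into one command line."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return ""
    parts = []
    for el in root.iter():  # match on local name so the task namespace does not matter
        if el.tag.rsplit("}", 1)[-1] in ("Command", "Arguments") and el.text:
            parts.append(el.text.strip())
    return " ".join(parts)


def evaluate(event: dict) -> List[str]:
    """Return detection reasons for one event; empty when nothing matches."""
    reasons = []
    eid = event.get("EventID")
    if eid == 4698:  # Security: a scheduled task was created
        name = event.get("TaskName", "")
        if name.lstrip("\\").lower() in KNOWN_TASK_NAMES:
            reasons.append(f"task name matches known OysterLoader task: {name}")
        dll = rundll32_user_writable(task_action(event.get("TaskContent", "")))
        if dll:
            reasons.append(f"scheduled task runs rundll32 on user-writable DLL: {dll}")
    elif eid == 1:  # Sysmon: process creation
        dll = rundll32_user_writable(event.get("CommandLine", ""))
        if dll:
            reasons.append(f"rundll32 loading user-writable DLL: {dll}")
    return reasons


def scan(events) -> List[Tuple[str, List[str]]]:
    """Return (host/EventID, reasons) for every event that triggers a rule."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((f"{ev.get('Computer', '?')}/{ev.get('EventID')}", reasons))
    return hits


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Constructed task body; "Start" is a placeholder export name, not one reported for this loader.
OYSTER_TASK_XML = (
    f'<Task version="1.2" xmlns="{TASK_NS}"><Actions><Exec><Command>rundll32.exe</Command>'
    "<Arguments>C:\\Users\\alice\\AppData\\Roaming\\CleanUp30.dll,Start</Arguments>"
    "</Exec></Actions></Task>"
)
BENIGN_TASK_XML = (
    f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
    "<Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions></Task>"
)
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS01", "TaskName": "\\ClearMngs", "TaskContent": OYSTER_TASK_XML},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\CleanUp30.dll,Start"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"EventID": 4698, "Computer": "WS02", "TaskName": "\\Backup", "TaskContent": BENIGN_TASK_XML},
]

if __name__ == "__main__":
    for where, reasons in scan(SAMPLE_EVENTS):
        print(where + ": " + "; ".join(reasons))
```

The path rule, not the task name, carries the detection: the name is trivially changed between campaigns, while a loader that must run from a user-writable directory under rundll32 is stuck with the command-line shape.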
Domains: supfoundrysettlers[.]us, whereverhomebe[.]com, retdirectyourman[.]eu, prodfindfeatures[.]com, micrsoft-teams-download[.]com, impresoralaser[.]pro
Filenames: CleanUp30.dll, COPYING3.dll, MSTeamsSetup_c_l_.exe, TMSSetup.exe, CleanUp.dll, DiskCleanUp.lnk
IPv4 Addresses: 85[.]239[.]53[.]66, 51[.]222[.]96[.]108, 135[.]125[.]241[.]45, 149[.]248[.]79[.]62, 64[.]95[.]10[.]243, 206[.]166[.]251[.]114
Mutex: ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1
SHA256 Hashes: 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43, 574c70e84ecdad901385a1ebf38f2ee74c446034e97c33949b52f3a2fddcd822, cfc2fe7236da1609b0db1b2981ca318bfd5fbbb65c945b5f26df26d9f948cbb4, 82b246d8e6ffba1abaffbd386470c45cef8383ad19394c7c0622c9e62128cb94
URLs: hxxps[:]//grandideapay[.]com/api/v2/facade, hxxp[:]//nucleusgate[.]com/api/v2/facade, hxxps[:]//cardlowestgroup[.]com/api/v2/facade, hxxps[:]//socialcloudguru[.]com/api/v2/facade, hxxps[:]//coretether[.]com/api/v2/facade, hxxps[:]//registrywave[.]com/api/v2/facade
Resource Development: T1583.001 – Acquire Infrastructure: Domains
Initial Access: T1189 – Drive-by Compromise
Execution: T1204.002 – User Execution: Malicious File, T1059.001 – Command and Scripting Interpreter: PowerShell, T1106 – Native API, T1129 – Shared Modules
Persistence: T1053.005 – Scheduled Task/Job: Scheduled Task, T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion: T1027.007 – Obfuscated Files or Information: Dynamic API Resolution, T1027.002 – Software Packing, T1140 – Deobfuscate/Decode Files or Information, T1553.002 – Subvert Trust Controls: Code Signing, T1218.007 – System Binary Proxy Execution: Msiexec, T1497.001 – Virtualization/Sandbox Evasion: System Checks, T1497.003 – Time Based Checks, T1622 – Debugger Evasion, T1036.005 – Masquerading: Match Legitimate Resource Name or Location, T1055.012 – Process Injection: Process Hollowing
Discovery: T1082 – System Information Discovery, T1057 – Process Discovery, T1016 – System Network Configuration Discovery, T1069.002 – Permission Groups Discovery: Domain Groups
Collection: T1005 – Data from Local System
Command and Control: T1071.001 – Application Layer Protocol: Web Protocols, T1001.002 – Data Obfuscation: Steganography, T1132.001 – Data Encoding: Standard Encoding, T1132.002 – Non-Standard Encoding, T1105 – Ingress Tool Transfer, T1573 – Encrypted Channel
https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/