A detailed analysis by the Sekoia TDR team has shed new light on OysterLoader, a sophisticated malware loader that has become a key tool for cybercriminals, including the notorious Rhysida ransomware group. Also known as Broomstick or CleanUp, this C++ based malware has evolved significantly since its discovery in 2024, deploying advanced evasion techniques and a custom communication protocol to slip past defenders.
OysterLoader typically arrives disguised as an installer for popular IT tools like PuTTY, WinSCP, or even Google Authenticator. The infection chain is composed of four distinct stages, beginning with a “packer” that uses noise to hide the signal.
“The initial stage leverages excessive legitimate API call hammering and simple anti-debugging traps to thwart static analysis,” the report explains.
By flooding its code with hundreds of useless calls to legitimate Windows functions, the malware creates a “chaotic path” that confuses security tools and human analysts alike. “They look legitimate, though, and that’s the point,” the researchers note.
One of the malware’s most effective tricks lies in its second stage: a custom implementation of the LZMA compression algorithm. Rather than using standard headers that security tools can easily recognize and unpack, OysterLoader uses a modified bitstream.
“The custom header format and modified bitstream prevent automated analysis by common tools like 7-Zip, xz-utils, or Python’s lzma module,” Sekoia TDR states.
The malware’s communication strategy is equally devious. In its third stage, it reaches out to a delivery server and downloads an image file. Hidden inside this innocent-looking icon is the next stage of the malware, encrypted and buried in junk data—a technique known as steganography.
For its final Command and Control (C2) channel, OysterLoader uses a “dual-layer” infrastructure. It employs a highly customized encoding scheme where every message is scrambled using a unique, random shift value.
“It uses a non-default Base64 alphabet with a unique, random shift value for each message, making traffic analysis and automated decoding challenging,” the report details.
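As an added illustration (not from the Sekoia report, and not OysterLoader's real scheme, which the page does not specify), the script below assumes the non-default alphabet is simply the standard Base64 alphabet rotated by the per-message shift, and shows how an analyst can recover that shift from a captured message by trying all 64 candidates and keeping the one that decodes to plausible text; the alphabet model, the sample beacon and its shift are all assumptions.

```python
import base64
import binascii
import string

# Standard RFC 4648 alphabet; the real OysterLoader alphabet is not on the page.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

def shifted_alphabet(shift: int) -> str:
    """Assumed model: the standard alphabet rotated by `shift` positions."""
    return STD_ALPHABET[shift % 64:] + STD_ALPHABET[:shift % 64]

def encode_shifted(raw: bytes, shift: int) -> str:
    """Encode with the rotated alphabet (used here only to build sample input)."""
    table = str.maketrans(STD_ALPHABET, shifted_alphabet(shift))
    return base64.b64encode(raw).decode("ascii").translate(table)

def decode_shifted(msg: str, shift: int) -> bytes:
    """Map the rotated alphabet back onto the standard one, then decode normally."""
    table = str.maketrans(shifted_alphabet(shift), STD_ALPHABET)
    return base64.b64decode(msg.translate(table), validate=True)

def printable_ratio(data: bytes) -> float:
    """Crude plausibility score: fraction of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def recover_shift(msg: str, threshold: float = 0.95):
    """Try all 64 shifts and return (shift, plaintext) for the best-scoring decode,
    or None when no candidate passes the threshold (wrong model, or binary payload)."""
    best = None
    for shift in range(64):
        try:
            candidate = decode_shifted(msg, shift)
        except (binascii.Error, ValueError):
            continue  # not valid under this shift (or not Base64 at all)
        score = printable_ratio(candidate)
        if best is None or score > best[0]:
            best = (score, shift, candidate)
    if best is None or best[0] < threshold:
        return None
    return best[1], best[2]

# Constructed sample: a made-up beacon encoded with shift 17 (not real C2 traffic).
SAMPLE_SHIFT = 17
SAMPLE_PLAINTEXT = b'{"id":"HOST-0001","cmd":"ping"}'
SAMPLE_MESSAGE = encode_shifted(SAMPLE_PLAINTEXT, SAMPLE_SHIFT)
```

Running `recover_shift(SAMPLE_MESSAGE)` returns `(17, b'{"id":"HOST-0001","cmd":"ping"}')`; a binary payload or a different alphabet construction would need a better plausibility score than printable ratio.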
The constant updates to OysterLoader’s code—including new C2 endpoints and evolving fingerprinting techniques—signal that its developers are actively maintaining it. Whether it is proprietary to the Rhysida group or sold as a service remains unclear, but its trajectory is not.
“The quality and complexity of the malware’s development strongly suggest that OysterLoader will remain a significant and persistent threat in the near term,” the researchers conclude.