Oyster

Oyster, most commonly referred to as OysterLoader and also known as Broomstick, CleanUp, and CleanUpLoader, is a C++ multi-stage loader/backdoor. Reporting describes it as a modular implant used to establish persistent remote access, initiate command-and-control communications, collect host-level information, and deliver additional payloads. It is closely linked to campaigns associated with the Rhysida ransomware group and has also been used to distribute other malware including Vidar.

Observed delivery vectors include trojanized or deceptive installers masquerading as legitimate software such as Microsoft Teams, Google Chrome, PuTTY, WinSCP, Google Authenticator, and other popular tools, often distributed via malvertising, fake download pages, search manipulation, SEO poisoning, and compromised WordPress sites. In one documented chain, a fake Microsoft Teams installer executed a signed binary that deployed Oyster and in some cases led to Rhysida ransomware deployment. Microsoft also described signed fake Teams installers delivering Oyster through the Fox Tempest malware-signing-as-a-service ecosystem.

Capabilities directly described in the reporting include persistence, command-and-control, host reconnaissance, host data exfiltration, and remote code execution. Microsoft’s Trojan:Win64/Oysterloader.AO!MTB reporting states that a deceptive downloader extracts a legitimate installer and a malicious DLL to the Temp directory, launches the legitimate installer as a decoy, and executes the DLL via rundll32.exe with the argument "Test." Persistence has been observed via a scheduled task named ClearMngs running every three hours; other reporting describes scheduled-task execution of a dropped DLL such as COPYING3.dll via rundll32.exe every 13 minutes. OysterLoader performs host enumeration including computer name, username, domain, OS version, local IP address, privilege level, and DLL version, formats the data as JSON, and sends it to C2 infrastructure.

The malware uses a four-stage infection chain in public reporting: a TextShell packer, custom shellcode with bespoke LZMA decompression and relocation handling, an intermediate downloader that performs environment checks, and a final core DLL payload. Reported anti-analysis and evasion features include API hammering, anti-debugging with IsDebuggerPresent, dynamic API resolution using custom hashing, modified LZMA routines, obfuscated embedded C2 domains, custom encoding, spoofed headers, deceptive user-agent strings, and use of signed MSI installers or signed binaries to appear legitimate.

Reported network behavior includes earlier use of /reg and /login endpoints over HTTPS, with fake User-Agent strings such as WordPressAgent and FingerPrint, and later evolution to /api/v2/init, /api/v2/facade, and dynamically assigned beacon endpoints. Microsoft also reported HTTP POST communications to api/connect and api/session. Publicly reported C2-related indicators include domains supfoundrysettlers[.]us, whereverhomebe[.]com, and retdirectyourman[.]eu, and IPs 85.239.53[.]66, 51.222.96[.]108, and 135.125.241[.]45. Additional artifacts directly mentioned include MSTeamsSetup_c_l_.exe, CleanUp30.dll, COPYING3.dll, the ClearMngs scheduled task, and mutexes ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1 and h6p#dx!&fse?%AS!.

Oyster has repeatedly been associated with Fox Tempest’s code-signing abuse operation, which Microsoft said was used by threat actors including Vanilla Tempest and others to sign and distribute malware such as Oyster, Lumma Stealer, and Vidar, helping the binaries bypass Windows and other security controls. Downstream activity tied to this ecosystem has affected sectors including healthcare, education, government, and financial services globally.