A multi-stage malware loader known as OysterLoader has continued to evolve into early 2026, refining its command-and-control (C2) infrastructure and obfuscation methods.
The C++-based threat, also referred to as Broomstick and CleanUp, is primarily linked to campaigns associated with the Rhysida ransomware group and has also been used to distribute commodity malware such as Vidar.
First reported in June 2024, the loader is typically delivered through fraudulent websites impersonating legitimate IT tools including PuTTY and WinSCP. It arrives disguised as a signed Microsoft Installer file and unfolds across four distinct stages, each designed to hinder analysis and detection.
Multi-Stage Infection Chain
According to a new advisory by Sekoia Security, OysterLoader's latest infection process is structured as follows:
- Stage 1: A packer known as TextShell that loads obfuscated shellcode into memory
- Stage 2: Custom shellcode that decompresses the core payload using a modified LZMA routine
- Stage 3: An intermediate downloader that performs environment checks and initiates C2 contact
- Stage 4: The core payload, often deployed as a DLL for persistent execution
In the second stage, the malware uses a bespoke LZMA decompression routine. Although the compression parameters remain standard, the header format and bitstream are modified, preventing common tools from recognizing or extracting the payload. Once decompressed, the shellcode adjusts memory protections and resolves imports dynamically.
Dynamic API resolution is handled through custom hashing algorithms that vary slightly between samples. This variability complicates static detection and signature-based analysis.
Updated C2 Protocol and Infrastructure
OysterLoader communicates with its C2 servers over HTTP and HTTPS using spoofed headers and deceptive user-agent strings to blend with normal web traffic.
Earlier versions relied on two endpoints for registration and beaconing. However, the latest iteration introduces a three-step process, beginning with an empty GET request to /api/v2/init, followed by a fingerprint submission to /api/v2/facade, and concluding with beaconing to a dynamically assigned endpoint.
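As an added illustration, not code from the Sekoia advisory, the Python below flags the init-then-facade-then-beacon sequence described above when run over constructed proxy log lines; the log line format, the hostnames and the beacon path values are assumptions made for the example, and only the /api/v2/init and /api/v2/facade paths come from the report.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the advisory). Format assumed here:
# "<timestamp> <client_ip> <method> <host> <path> <user_agent>"
SAMPLE_LOG = """\
2026-01-12T10:00:01Z 10.0.0.5 GET c2.example.invalid /api/v2/init Mozilla/5.0
2026-01-12T10:00:02Z 10.0.0.5 POST c2.example.invalid /api/v2/facade Mozilla/5.0
2026-01-12T10:00:40Z 10.0.0.5 POST c2.example.invalid /b/7c1d3f Mozilla/5.0
2026-01-12T10:00:41Z 10.0.0.5 POST c2.example.invalid /b/7c1d3f Mozilla/5.0
2026-01-12T10:05:00Z 10.0.0.9 GET www.example.invalid /api/v2/init Mozilla/5.0
2026-01-12T10:07:00Z 10.0.0.7 GET other.example.invalid /index.html Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, path, ua = m.groups()
            events.append({"ts": ts, "client": client, "method": method,
                           "host": host, "path": path, "ua": ua})
    return events


def find_init_facade_sequences(events):
    """Return {(client, host): [later paths]} for every client that sent an
    empty GET to /api/v2/init and then reached /api/v2/facade on the same host.
    Any later request from that pair to a different path is recorded as a
    candidate dynamically assigned beacon endpoint. Events must be in time order."""
    state = defaultdict(lambda: {"init": False, "facade": False, "beacons": set()})
    for ev in events:
        s = state[(ev["client"], ev["host"])]
        p = ev["path"]
        if p == "/api/v2/init" and ev["method"] == "GET":
            s["init"] = True
        elif p == "/api/v2/facade" and s["init"]:
            s["facade"] = True
        elif s["facade"]:
            s["beacons"].add(p)
    return {k: sorted(s["beacons"]) for k, s in state.items()
            if s["init"] and s["facade"]}
```

A client that only hits /api/v2/init (10.0.0.9 in the sample) is not reported, which keeps the rule from firing on a single coincidental path.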
The malware encodes its JSON communications using a non-standard Base64 alphabet combined with a random shift value generated for each message. Recent updates allow the server to supply a new encoding alphabet during communication, further complicating traffic analysis.
Multiple endpoint revisions between May 2024 and January 2026 indicate sustained development efforts.
"The constant evolution in OysterLoader's code, including updated C2 endpoints and JSON fingerprinting schemas, signals the high level of activity and commitment from the threat actors," Sekoia explained.
"The quality and complexity of the malware's development strongly suggest that OysterLoader will remain a significant and persistent threat in the near term."
