OysterLoader Unmasked: The Multi-Stage Evasion Loader

Khushal
Apr 4, 2024
Introduction
OysterLoader, also known as Broomstick and CleanUp, is a malware developed in C++, composed of multiple stages, belonging to the loader (a.k.a. downloader) malware family. First reported in June 2024 by Rapid7, it is mainly distributed via websites impersonating legitimate software, often IT software, for instance PuTTY, WinSCP, Google Authenticator, and AI software. The loader is primarily employed in campaigns leading to Rhysida ransomware.

According to Expel reports, OysterLoader is used by the Rhysida ransomware group, which is closely associated with the WIZARD SPIDER nebula. Besides, the loader is also used to distribute commodity malware such as Vidar, the most widespread infostealer by January 2026. According to Huntress, OysterLoader is also distributed via Gootloader. Based on our observations and other reports on this threat, it is unclear whether the malware is proprietary to the Rhysida ransomware group and friends or sold as MaaS on private marketplaces.

Since its apparition, the malware’s code has evolved, and analysis by various security vendors highlighted some regressions between its first and current versions, particularly in Command-and-Control (C2) content and in code obfuscation.
Your quoted intro is broadly consistent with current public reporting, but a few parts would benefit from tighter wording and clearer sourcing to avoid over-claiming (especially around attribution and “most widespread” statements).

Quick fact-check / alignment with public reports
  • Rapid7 did publish on “Oyster” (aka “Broomstick”) being delivered via malvertising and fake installers on June 17, 2024. That aligns with the “first reported in June 2024 by Rapid7” statement. ([rapid7.com](https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/?utm_source=openai))
  • Expel publicly ties OysterLoader activity to Rhysida campaigns and highlights malvertising, spoofed download pages, packing, and code-signing certificate abuse. ([expel.com](https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/?utm_source=openai))
  • Huntress reporting on Gootloader notes follow-on activity linked to clusters that also overlap with OysterLoader/CleanUpLoader, and it explicitly mentions their naming of the obfuscator “TextShell” in that context. ([huntress.com](https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation?utm_source=openai))

Points that could be clarified (to keep it defensible)
  • Naming / “loader vs backdoor”: Different vendors use “Oyster”, “Oyster backdoor”, “CleanUpLoader”, “OysterLoader”, “Broomstick” somewhat inconsistently (sometimes referring to different components/stages). If you can, add one sentence explaining that naming varies by vendor and you’re using “OysterLoader” as an umbrella term (or specify which component you mean).
  • Attribution wording: “Used by the Rhysida ransomware group” is supported by Expel’s reporting, but “closely associated with the WIZARD SPIDER nebula” is the kind of statement that’s easy to over-interpret. Safer phrasing is “reported/assessed by vendor X as associated…” unless you’re going to cite the original source for that mapping. (Sekoia states it, but readers may want the underlying attribution methodology.)
  • “Vidar, the most widespread infostealer by January 2026”: This is highly telemetry-dependent (varies by vendor, region, and collection method). If you keep it, it’s best to explicitly attribute it (“Sekoia assesses…”) rather than stating it as a universal fact. ([blog.sekoia.io](https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/?utm_source=openai))
  • Minor accuracy/wording: “apparition” is understandable but “appearance” reads more naturally in English; also watch typos like “Rhydida” vs “Rhysida” (Sekoia’s excerpt you pasted appears to contain that typo). ([blog.sekoia.io](https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/?utm_source=openai))

Defender-relevant takeaway (fits MalwareTips readers)
Even without going deep into IOCs, the practical defensive message is consistent across the reports:
  • Avoid downloading “popular admin/IT tools” via search ads; use vendor sites/bookmarks and verify domains carefully (malvertising + spoofed installers is a recurring theme). ([rapid7.com](https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/?utm_source=openai))
  • Treat signed installers as “not automatically safe” (code-signing abuse shows up repeatedly in these campaigns). ([expel.com](https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/?utm_source=openai))
  • In organizations: consider tightening MSI/app execution controls (WDAC/AppLocker), blocking ad/track domains at DNS/proxy, and monitoring for suspicious parent-child chains from installers into script/LOLBins and network beacons.

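The last takeaway above (monitoring for installer-to-script/LOLBin parent-child chains) is the kind of rule a SOC can prototype quickly. The following is an added example, not code from the thread or from any of the cited vendors: it scans constructed process-creation events using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) and flags an installer parent spawning a script host or LOLBin child. The "setup"/"install" name heuristic and the child list are assumptions to tune against your own telemetry.

```python
# Installer-like parents: msiexec.exe plus any image whose name contains "setup"/"install"
# (assumed heuristic; extend with your software-deployment tooling as needed).
INSTALLER_PARENTS = {"msiexec.exe"}

# Script hosts and living-off-the-land binaries that rarely belong in an install chain.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def _is_installer(image: str) -> bool:
    name = _basename(image)
    return name in INSTALLER_PARENTS or "setup" in name or "install" in name


def _is_suspicious_child(image: str) -> bool:
    return _basename(image) in SUSPICIOUS_CHILDREN


def find_suspicious_chains(events):
    """Return (parent, child, cmdline) for each event where an installer spawns a LOLBin/script host."""
    return [
        (ev["ParentImage"], ev["Image"], ev["CommandLine"])
        for ev in events
        if _is_installer(ev["ParentImage"]) and _is_suspicious_child(ev["Image"])
    ]


# Constructed sample events (Sysmon Event ID 1 style); not real telemetry from any report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\post.ps1"},
    {"ParentImage": r"C:\Users\alice\Downloads\tool-setup.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\helper.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: user launches an app
     "Image": r"C:\Program Files\PuTTY\putty.exe",
     "CommandLine": "putty.exe"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",  # benign: msiexec spawning itself
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},
]

if __name__ == "__main__":
    for parent, child, cmdline in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT installer->LOLBin: {parent} -> {child} :: {cmdline}")
```

Expect noise from legitimate installers that run PowerShell custom actions; a baseline of your own deployment tooling is the first tuning step.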