The OysterLoader malware loader continues to complicate defensive efforts because of its layered evasion techniques. It stacks multiple obfuscation layers to slip past security controls and deliver its payloads to targeted systems.
Emergence and Distribution
OysterLoader first came to light in June 2024, when it was identified by researchers at Rapid7. The C++-based malware spreads mainly through counterfeit websites that imitate legitimate software download pages for tools such as PuTTY, WinSCP, Google Authenticator, and various AI applications. The lure is packaged as a Microsoft Installer (MSI) file, frequently carrying a code-signing signature, so that users believe they are downloading authentic software.
Infection Mechanism and Ransomware Links
OysterLoader runs a multi-stage infection chain: it begins with a TextShell packer, moves on to executing custom shellcode, and finally deploys its primary payload. The loader is most notably tied to Rhysida ransomware operations, and it also distributes other malware such as Vidar, an infostealer that remained widespread as of early 2026. These connections, together with its association with the WIZARD SPIDER group, explain the threat level attributed to OysterLoader.
Advanced Evasion and Control Techniques
Analysts at Sekoia have shown that OysterLoader uses a two-tier command and control (C2) setup: initial delivery servers hand victims off to final C2 servers that manage the ongoing interaction. Its anti-analysis features include API hammering, dynamic API resolution, and timing-based sandbox detection. The developers keep revising the codebase, changing the communication protocol and obfuscation methods to stay ahead of defenses.
OysterLoader takes care to hide and stage its components. Before doing anything noisy, it checks that the infected system has at least 60 running processes, a simple sandbox check, since analysis VMs often run far fewer; a practitioner detonating the sample should give the sandbox a realistic process count or the chain will not continue. Only then does it open an HTTPS connection to its C2 servers. At this stage it uses steganography to hide further payloads inside icon image files, so the malicious code travels as what looks like ordinary image content.
The payload inside the icon is RC4-encrypted with a hardcoded key and is located by a specific marker pattern dubbed “endico,” so a signature scan of the image file alone will not flag it. Once decrypted, the payload is written to disk as a DLL in the AppData directory and scheduled to run every 13 minutes, giving the operators persistent access; a DLL under AppData fired on a 13-minute schedule is a usable hunting pivot. On the network side, custom JSON encoding and a non-standard Base64 alphabet make the C2 traffic harder to parse, which complicates monitoring of infected networks.
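The following is an added analyst-side example, not code from the article or from the malware authors, covering the two decoding steps described above: carving the RC4-encrypted payload that follows the “endico” marker out of an icon file, and reading traffic encoded with a non-standard Base64 alphabet. The key, the custom alphabet, the icon layout after the marker, and the sample payload are all constructed for the example; the real values are not given on the page.

```python
import base64
import struct
from typing import Optional

# Constructed values for this example. The real RC4 key, the real custom
# alphabet and the exact byte layout after the marker are NOT on the page.
MARKER = b"endico"
DEMO_KEY = b"example-rc4-key"  # hypothetical key, not the real one
DEMO_ALPHABET = (b"ZYXWVUTSRQPONMLKJIHGFEDCBA"
                 b"zyxwvutsrqponmlkjihgfedcba"
                 b"9876543210+/")           # hypothetical 64-char alphabet
STD_ALPHABET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"abcdefghijklmnopqrstuvwxyz"
                b"0123456789+/")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def carve_after_marker(blob: bytes, marker: bytes = MARKER) -> Optional[bytes]:
    """Return the bytes following the marker, or None if the marker is absent."""
    idx = blob.find(marker)
    if idx == -1:
        return None
    return blob[idx + len(marker):]


def extract_payload(ico: bytes, key: bytes = DEMO_KEY) -> Optional[bytes]:
    """Carve the blob after the marker and RC4-decrypt it (assumed layout)."""
    enc = carve_after_marker(ico)
    if enc is None:
        return None
    return rc4(key, enc)


def decode_custom_b64(text: str, alphabet: bytes = DEMO_ALPHABET) -> bytes:
    """Translate the custom alphabet onto the standard one, re-pad, then use
    the stdlib decoder. Works for any 64-byte alphabet that omits '='."""
    table = bytes.maketrans(alphabet, STD_ALPHABET)
    std = text.encode().translate(table)
    std += b"=" * ((-len(std)) % 4)
    return base64.b64decode(std)


def encode_custom_b64(data: bytes, alphabet: bytes = DEMO_ALPHABET) -> str:
    """Inverse of decode_custom_b64, used here only to build test traffic."""
    table = bytes.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).rstrip(b"=").translate(table).decode()


def build_demo_icon(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Constructed stand-in for a stego icon: a minimal ICONDIR header,
    some filler, the marker, then the RC4-encrypted payload."""
    icondir = struct.pack("<HHH", 0, 1, 1)    # reserved, type=icon, count=1
    return icondir + b"\x00" * 16 + MARKER + rc4(key, payload)


if __name__ == "__main__":
    sample = build_demo_icon(b"MZ\x90\x00constructed-dll-body")
    print(extract_payload(sample))
    print(decode_custom_b64(encode_custom_b64(b'{"id":"demo"}')))
```

In practice the marker offset, the key and the alphabet come from the unpacked sample; once recovered, swapping them into the constants above turns this into a working extractor for the icon files and a decoder for the captured C2 bodies.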
