OysterLoader: A Sophisticated Malware Threat Delivering Ransomware and Infostealers A newly identified malware loader, OysterLoader, has emerged as a major cybersecurity threat, leveraging advanced obfuscation techniques to evade detection and deploy malicious payloads. First detected in June 2024 by Rapid7, this C++-based malware spreads through fake websites impersonating trusted software like PuTTY, WinSCP, Google Authenticator, and AI tools, often disguised as digitally signed Microsoft Installer (MSI) files to appear legitimate. OysterLoader operates through a four-stage infection chain, beginning with a TextShell packer and progressing to custom shellcode execution before delivering its final payload. While primarily linked to Rhysida ransomware a group tied to the WIZARD SPIDER threat actor it has also been observed distributing Vidar, a prevalent infostealer as of January 2026. Security researchers, including Sekoia analysts, have identified a two-tiered command-and-control (C2) infrastructure, with delivery servers handling initial connections and final C2 servers managing victim interactions. The malware employs anti-analysis techniques, such as API hammering, dynamic API resolution via custom hashing, and timing-based sandbox detection, to evade security measures. ### Advanced Evasion and Persistence Mechanisms OysterLoader’s infection process demonstrates high technical sophistication, including: - Environment checks to ensure the target system has at least 60 running processes before proceeding. - Steganography to conceal payloads within icon image files, using RC4 encryption with a hardcoded key. - Custom JSON encoding with a non-standard Base64 alphabet and random shift values, complicating network traffic analysis. - Persistence via scheduled tasks that execute a malicious DLL in the AppData directory every 13 minutes. The malware’s developers have continuously updated its code, refining communication protocols and obfuscation to maintain effectiveness against security solutions. Its connection to Rhysida ransomware and commodity malware underscores its role in high-impact cyberattacks, making it a critical concern for organizations.