#OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.

https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/

#Reverse

In this deep-dive analysis, our Threat Detection & Research (TDR) team uncovers a sophisticated, multi-stage infection designed to bypass security controls. Key findings:

📦 Deceptive Distribution: Spreads via fake sites impersonating IT tools like PuTTY or WinSCP.
🎭 Advanced Evasion: Packed with TextShell for enhanced obfuscation (custom LZMA); utilizes API "hammering" and anti-debug traps to bypass detection and delay manual analysis.
🔐 Custom Obfuscation: Leverages non-standard Base64 encoding with randomized shifts to evade automated detection.
🖼️ Steganography: Hides payloads within innocuous-looking icon images retrieved from the C2.