A highly sophisticated malware loader known as OysterLoader has emerged as a significant cybersecurity threat, employing advanced multi-layer obfuscation techniques to evade detection while delivering dangerous payloads including Rhysida ransomware and the widespread Vidar infostealer.
Sophisticated Distribution Through Fake Software
First identified by Rapid7 in June 2024, this C++ malware has evolved into a formidable threat. OysterLoader is distributed primarily through convincing fake websites that impersonate legitimate software applications such as:
- PuTTY
- WinSCP
- Google Authenticator
- Various AI tools
The malware masquerades as Microsoft Installer (MSI) files—often digitally signed to appear legitimate—making it particularly deceptive to unsuspecting users searching for trusted software.
Complex Four-Stage Infection Chain
OysterLoader operates through a sophisticated four-stage infection process:
- TextShell Packer — Initial payload packaging
- Custom Shellcode Execution — Second-stage deployment
- Steganography-Based Payload Delivery — Malicious code hidden in icon image files
- Core Payload Deployment — Final ransomware or infostealer delivery
According to Sekoia analysts, the malware maintains a two-tiered command and control infrastructure, with delivery servers handling initial connections and final C2 servers managing victim interactions.
Advanced Anti-Analysis Capabilities
OysterLoader demonstrates remarkable evasion techniques designed to frustrate security researchers:
- API Hammering — Overwhelming analysis tools with API calls
- Dynamic API Resolution — Custom hashing algorithms to hide function calls
- Timing-Based Sandbox Detection — Identifying virtualized analysis environments
- Process Count Verification — Requiring at least 60 running processes before execution
Steganography: Hiding Malware in Plain Sight
One of OysterLoader’s most innovative techniques involves hiding its next-stage payload within icon image files using steganography. The malware uses RC4 encryption with a hardcoded key to protect the embedded payload, which is concealed after a specific marker pattern labeled “endico.”
Once decrypted, the payload is written as a DLL file to the user’s AppData directory and executed through scheduled tasks that run every 13 minutes, ensuring persistent access to compromised systems.
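To make the steganography step concrete for analysts, here is an added example (not code from the article, from Sekoia, or from the malware itself) that scans an icon file for the "endico" marker, RC4-decrypts what follows it, and keeps the result only if it carries the PE header a dropped DLL would have. The marker comes from the article; the RC4 key, the sample icon bytes and the function names are assumptions constructed for this demo, since the real hardcoded key is not published here.

```python
from typing import Optional

MARKER = b"endico"                      # marker named in the article
ASSUMED_KEY = b"placeholder-rc4-key"    # assumption: the real hardcoded key is not published here


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bytes_after_marker(blob: bytes, marker: bytes = MARKER) -> Optional[bytes]:
    """Return everything after the last occurrence of the marker, or None if it is absent."""
    idx = blob.rfind(marker)
    return None if idx == -1 else blob[idx + len(marker):]


def extract_payload(icon: bytes, key: bytes = ASSUMED_KEY) -> Optional[bytes]:
    """Locate the marker, RC4-decrypt what follows, and keep it only if it looks like a PE."""
    enc = bytes_after_marker(icon)
    if not enc:
        return None
    dec = rc4(key, enc)
    # The article says the decrypted stage is dropped as a DLL, so expect an 'MZ' header.
    # A wrong key yields noise here, which is the signal that the key assumption is off.
    return dec if dec[:2] == b"MZ" else None


def build_sample_icon(payload: bytes, key: bytes = ASSUMED_KEY) -> bytes:
    """Constructed test data only: minimal ICO header + filler + marker + RC4(payload)."""
    ico_header = b"\x00\x00\x01\x00\x01\x00"            # reserved, type=1 (icon), count=1
    filler = b"\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 32
    return ico_header + filler + MARKER + rc4(key, payload)


def icon_carries_payload(path: str, key: bytes = ASSUMED_KEY) -> bool:
    """Triage helper for a file on disk."""
    with open(path, "rb") as f:
        return extract_payload(f.read(), key) is not None


if __name__ == "__main__":
    fake_dll = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed payload body"
    sample = build_sample_icon(fake_dll)
    print("marker present:", bytes_after_marker(sample) is not None)
    print("payload recovered:", extract_payload(sample) == fake_dll)
```

The MZ check is deliberate: without the correct key the RC4 output is indistinguishable from noise, so a marker hit followed by a failed header check tells you the file is worth a closer look even though the key in hand is wrong. Icon files that contain the marker at all are already unusual and can be hunted for with a plain byte search before any decryption is attempted.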
Ransomware and Threat Actor Connections
The connection to the Rhysida ransomware group—which is closely linked to the WIZARD SPIDER threat actor nebula—highlights the severity of this threat. Security researchers have also observed OysterLoader distributing Vidar, one of the most widespread infostealers as of early 2026.
Detection Challenges
OysterLoader’s developers have continuously evolved the malware’s code, updating communication protocols and obfuscation techniques to maintain effectiveness against modern security solutions. The malware communicates using:
- Custom JSON encoding
- Non-standard Base64 alphabet
- Random shift values
This makes network traffic analysis particularly difficult for security teams monitoring infected environments.
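Custom-alphabet Base64 is a common way to defeat naive decoders, and the analyst's counter is to map the custom alphabet back onto the standard one before decoding. The following is an added example (not from the article or Sekoia's research) of that normalisation pipeline, with a per-byte additive shift standing in for the "random shift values". The alphabet, the shift scheme and the sample beacon body are hypothetical; OysterLoader's real alphabet and shift handling are not published here.

```python
import base64
import json
import string

STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical custom alphabet (not OysterLoader's): the standard one rotated by 17
# positions, with '+' and '/' replaced by '-' and '_'.
HYPOTHETICAL_ALPHABET = (STANDARD[17:] + STANDARD[:17]).replace("+", "-").replace("/", "_")


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Translate a custom alphabet onto the standard one, then use the normal decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    normalised = text.translate(str.maketrans(alphabet, STANDARD))
    normalised += "=" * (-len(normalised) % 4)      # restore padding a custom encoder may strip
    return base64.b64decode(normalised, validate=True)


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Inverse mapping; used here only to build a constructed sample beacon."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STANDARD, alphabet))


def unshift_bytes(data: bytes, shift_value: int) -> bytes:
    """Undo a per-byte additive shift (hypothetical model of the 'random shift values')."""
    return bytes((b - shift_value) & 0xFF for b in data)


def shift_bytes(data: bytes, shift_value: int) -> bytes:
    return bytes((b + shift_value) & 0xFF for b in data)


def decode_beacon(wire: str, alphabet: str, shift_value: int) -> dict:
    """Analyst pipeline: custom Base64 -> remove shift -> JSON object."""
    raw = unshift_bytes(custom_b64decode(wire, alphabet), shift_value)
    return json.loads(raw.decode("utf-8"))


def encode_beacon(obj: dict, alphabet: str, shift_value: int) -> str:
    """Constructed sample generator, the reverse of decode_beacon."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return custom_b64encode(shift_bytes(raw, shift_value), alphabet)


if __name__ == "__main__":
    sample = {"id": "constructed-host-1", "cmd": "status"}   # constructed beacon body
    wire = encode_beacon(sample, HYPOTHETICAL_ALPHABET, 7)
    print("on the wire:", wire)
    print("decoded:", decode_beacon(wire, HYPOTHETICAL_ALPHABET, 7))
```

The practical consequence for detection is the one the article draws: a standard Base64 decoder applied to this traffic fails validation or returns garbage, so signatures keyed on recognisable JSON never fire. Recovering the alphabet and shift from a sample is reverse-engineering work; once known, the decoder above is all a network sensor needs to surface the plaintext beacon.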
Defensive Recommendations
Organizations should implement the following defenses:
- Verify software downloads through official vendor websites only
- Monitor for suspicious MSI file execution patterns
- Implement application whitelisting
- Review scheduled task creation activity
- Deploy endpoint detection and response (EDR) solutions with behavior-based detection
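The scheduled-task recommendation can be turned into a concrete triage check. The added example below (not code from the article or Sekoia) parses Task Scheduler XML, the format exported by `schtasks /Query /XML` and carried in Security event 4698, and flags tasks that repeat at a short interval while launching a DLL out of a user's AppData directory, which is the persistence pattern the article describes. The 13-minute interval and the AppData DLL come from the article; the rundll32 launch, the file names, the 15-minute threshold and both sample task definitions are constructed assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SUSPECT_MAX_MINUTES = 15   # the article reports a 13-minute repeat; 15 gives a little headroom


@dataclass
class Finding:
    task_name: str
    interval_minutes: int
    command_line: str


def parse_iso_minutes(interval: str) -> int:
    """Convert an ISO-8601 duration as used in task XML (PT13M, PT1H, P1DT2H) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval)
    if not m:
        raise ValueError(f"unsupported duration: {interval!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s // 60


def assess_task(task_name: str, task_xml: Union[str, bytes]) -> List[Finding]:
    """Flag a task that repeats at most every SUSPECT_MAX_MINUTES and runs a DLL out of AppData."""
    root = ET.fromstring(task_xml)
    intervals = []
    for node in root.iterfind(".//t:Triggers//t:Repetition/t:Interval", NS):
        minutes = parse_iso_minutes((node.text or "").strip())
        if 0 < minutes <= SUSPECT_MAX_MINUTES:
            intervals.append(minutes)
    if not intervals:
        return []
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", "", NS) + " " + exec_node.findtext("t:Arguments", "", NS)
        low = cmd.lower()
        if "\\appdata\\" in low and ".dll" in low:
            findings.append(Finding(task_name, min(intervals), cmd.strip()))
    return findings


def scan_task_store(folder: str = r"C:\Windows\System32\Tasks") -> List[Finding]:
    """Walk the on-disk task store (needs admin rights) and assess every definition."""
    results: List[Finding] = []
    for dirpath, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    results.extend(assess_task(os.path.relpath(path, folder), f.read()))
            except (OSError, ET.ParseError, ValueError):
                continue
    return results


# Constructed sample task definitions (not real OysterLoader artefacts).
# The rundll32 launch is an assumption; the article only says the DLL runs via a scheduled task.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT13M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\\Users\\victim\\AppData\\Roaming\\ExampleDir\\example.dll,Entry</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2026-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml in (("Constructed\\Suspicious", SUSPICIOUS_TASK_XML), ("Constructed\\Benign", BENIGN_TASK_XML)):
        for hit in assess_task(name, xml):
            print(f"[!] {hit.task_name}: every {hit.interval_minutes} min -> {hit.command_line}")
```

Both conditions are required on purpose: plenty of legitimate updaters run from AppData, and plenty of monitoring agents fire every few minutes, but a DLL under AppData on a sub-15-minute repeat is rare enough to be worth an analyst's time. Run `scan_task_store()` from an elevated prompt to sweep a live host, or feed `assess_task()` the TaskContent field from 4698 events to catch the task at creation time.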
Source: Cyber Security News | Sekoia Research
