OysterLoader Multi-Stage Loader Evades Detection, Links to Rhysida Ransomware
OysterLoader deploys through fake software sites mimicking PuTTY, WinSCP, and AI tools. This C++ loader uses four stages of obfuscation to drop payloads like Rhysida ransomware or Vidar stealer. First spotted by Rapid7 in June 2024, it now hits users with signed MSI files.
Attackers first hide the loader inside the TextShell packer. Stage two runs custom shellcode after system checks such as process count. It contacts HTTPS C2 servers for instructions. Steganography packs the next payloads into icon images after an “endico” marker.
RC4 with hardcoded keys decrypts the hidden DLL. That DLL lands in AppData and registers a scheduled task that runs every 13 minutes for persistence. Custom JSON over a shifted, non-standard Base64 encoding complicates traffic analysis. Anti-sandbox tricks include API hammering and timing delays.
Sekoia tied it to Rhysida, which is linked to WIZARD SPIDER. The group uses two-tier C2: delivery servers first, then final control servers. The continually evolving code defeats security tools.
Sekoia reports: “OysterLoader maintains a two-tiered C2 infrastructure… Delivery servers handle initial connections while final C2 servers manage victim interactions.” On evasion: “Advanced anti-analysis including API hammering, dynamic API resolution through custom hashing, and timing-based sandbox detection.”
Rapid7 noted: “OysterLoader masquerades as legitimate MSI files, often digitally signed… distributed through fake websites impersonating PuTTY, WinSCP, Google Authenticator.”
Infection Stages Table
| Stage | Method | Evasion Tactic |
|---|---|---|
| 1 | TextShell packer | Initial disguise |
| 2 | Shellcode checks | Process count (60+), timing |
| 3 | Image steganography | RC4 in icons post-“endico” |
| 4 | DLL + scheduled task | AppData, 13-min runs |
Linked Threats
- Primary: Rhysida ransomware campaigns.
- Alternate: Vidar infostealer (top in Jan 2026).
- Operators: WIZARD SPIDER nebula.
Key Capabilities
- Payload flexibility for ransomware or stealers.
- Dynamic API resolution via hashing.
- Persistence via tasks.
- Custom Base64/JSON C2 with shifts.
Defense Actions
Block fake software domains. Scan MSI files from untrusted sources. Watch for DLLs in AppData and scheduled tasks on a 13-minute interval. Monitor HTTPS connections to new C2 IPs.
| Detection Focus | Indicators | Tools |
|---|---|---|
| Network | Custom Base64 traffic | Wireshark, Zeek |
| Persistence | AppData DLL, tasks | Autoruns |
| Images | “endico” markers | Strings, steg tools |
| Processes | RC4 decryptions | Sysmon EDR |
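The “endico” check in the table above can be scripted. The following is an added example, not code from Sekoia, Rapid7 or the loader itself: it looks for the marker in icon files and measures the entropy of whatever follows it, since an RC4-encrypted DLL will read as near-random bytes. The marker is assumed to appear literally as ASCII, and the entropy threshold and minimum trailer size are assumed values to tune.

```python
import math
from pathlib import Path

MARKER = b"endico"        # marker reported to precede the hidden payload
ENTROPY_THRESHOLD = 7.0   # bits/byte; RC4 output sits near 8.0, icon pixel data is usually lower
MIN_PAYLOAD = 256         # assumed: ignore tiny trailers such as a few padding bytes

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_icon(data: bytes) -> dict:
    """Flag an icon whose 'endico' marker is followed by a sizeable high-entropy trailer."""
    idx = data.find(MARKER)
    if idx == -1:
        return {"marker_found": False, "payload_len": 0, "entropy": 0.0, "suspicious": False}
    trailer = data[idx + len(MARKER):]
    ent = shannon_entropy(trailer)
    return {"marker_found": True, "payload_len": len(trailer), "entropy": round(ent, 2),
            "suspicious": len(trailer) >= MIN_PAYLOAD and ent >= ENTROPY_THRESHOLD}

def scan_directory(root: str) -> list:
    """Walk root for .ico files; return (path, result) for each file carrying the marker."""
    hits = []
    for path in Path(root).rglob("*.ico"):
        result = scan_icon(path.read_bytes())
        if result["marker_found"]:
            hits.append((str(path), result))
    return hits

# Constructed samples (not real malware): a minimal ICO header; the "suspect" one appends the
# marker and 1024 bytes spanning every value, standing in for an RC4-encrypted DLL.
ICO_HEADER = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 16
CLEAN_ICON = ICO_HEADER + b"\x10" * 512
SUSPECT_ICON = ICO_HEADER + b"\x10" * 512 + MARKER + bytes(range(256)) * 4
PADDED_ICON = ICO_HEADER + MARKER + b"\x00" * 300   # marker present but low-entropy trailer

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_ICON), ("suspect", SUSPECT_ICON), ("padded", PADDED_ICON)]:
        print(name, scan_icon(blob))
```

Point `scan_directory` at a user's AppData tree or a quarantine folder; the entropy gate keeps ordinary icons that happen to contain the string from generating noise.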
FAQ
Multi-stage C++ loader with steganography and anti-analysis for ransomware delivery.
Steganography in icon images, RC4 encrypted after “endico” marker.
Rhysida, tied to WIZARD SPIDER; also Vidar stealer.
AppData DLLs, 13-min tasks, odd HTTPS C2 traffic.
Fake sites for PuTTY, WinSCP, AI tools with signed MSIs.