
OysterLoader malware evolution with new C2 infrastructure

Malware Activity
Happening score: 26 (1 unique source, 1 article)

Summary


OysterLoader continued evolving into early 2026, strengthening its C2 infrastructure and obfuscation. The multi-stage loader is linked to Rhysida-associated campaigns and has also been used to deliver Vidar. Its updated delivery chain and custom traffic encoding make detection and analysis harder.

Timeline

  1. 16.02.2026 18:15 (2 articles)

    OysterLoader C2 and obfuscation update

    Technical Analysis Update

    OysterLoader, also called Broomstick and CleanUp, is a C++-based loader linked to Rhysida ransomware campaigns and also used to distribute Vidar. It was first reported in June 2024 and commonly arrived through fraudulent websites impersonating PuTTY and WinSCP. By early 2026 it used updated HTTP and HTTPS C2 behavior, spoofed headers, non-standard Base64 JSON encoding, and a four-stage infection chain built around TextShell and modified LZMA decompression.
