{
	"id": "4126c2ea-efc0-45ee-85cd-426d9b8cce1f",
	"created_at": "2026-04-06T00:10:18.099268Z",
	"updated_at": "2026-04-10T13:11:28.609138Z",
	"deleted_at": null,
	"sha1_hash": "5cc59fd24740e18b8870d551d80f1d976f35e59f",
	"title": "Rhysida using Oyster Backdoor to deliver ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 541170,
	"plain_text": "Rhysida using Oyster Backdoor to deliver ransomware\r\nBy Bill Cozens\r\nPublished: 2024-07-24 · Archived: 2026-04-05 13:34:09 UTC\r\nIn a recent attack, Rhysida used a new variant of the Oyster backdoor, also known as Broomstick.\r\nOn July 10, 2024, a prominent private school was struck by the Rhysida ransomware gang.\r\nAs part of the attack, Rhysida used a new variant of the Oyster backdoor, also known as Broomstick. This is an updated version of a new Oyster campaign first discovered by Rapid7 in late June 2024 that uses SEO-poisoned search results to trick users into downloading malicious installers. These installers masquerade as legitimate software, such as Google Chrome and Microsoft Teams, but instead drop the Oyster backdoor.\r\nLet’s take a closer look at the incident and how Rhysida used Oyster as part of its attack.\r\nTechnical details and tactics\r\nhttps://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/\r\nPage 1 of 4\r\nRaw data contents of CleanUp.dll\r\nOn July 10, an Oyster backdoor was deployed on a customer endpoint, likely originating from a malicious IP scanner distributed via malvertising. The malicious DLL associated with this attack communicates with codeforprofessionalusers[.]com, which ThreatDown researchers identified as an Oyster command and control (C2) server.\r\nOne of the notable tactics, techniques, and procedures (TTPs) observed includes input capture (T1056), which enabled the theft of administrative credentials to the clients’ hypervisors. The specific malware tasks and malicious directories identified in this incident, which have since been added to ThreatDown detections, include:\r\nTask: {59B44DEF-E91D-491A-97D8-1F48D6A5F961} – System32\\Tasks\\OppCleanTp executing CleanUp.dll\r\nMalicious directories and files:\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\IwJnK\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\ZBrAO\r\nC:\\WINDOWS\\system32\\Tasks\\OppCleanTp\r\nC:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\CleanUp.dll\r\nTTP board\r\nInput capture (T1056) is among the DLL’s TTPs\r\nUsing stolen SSH credentials, attackers accessed NAS devices and VMware hypervisors—thus bypassing ThreatDown Endpoint Protection’s (EP) real-time protection layer—before deploying Rhysida ransomware. Because the customer relied solely on EP instead of EDR or MDR, they also could not see any suspicious activity alerts generated from this event.\r\nThis ransomware encrypted VMDK files on the hypervisor and potentially other critical data on the NAS devices. The attackers also encrypted local backups, necessitating the use of offsite backups for recovery.\r\nIndicators of Compromise (IoCs)\r\nVirusTotal link:\r\nhttps://www.virustotal.com/gui/file/0a7fd836d36ed8e8e9aa7bc41fdc9242333e8469059dec8886b7d935f3651679/behavior\r\nFile Hashes:\r\nSHA-256: 0a7fd836d36ed8e8e9aa7bc41fdc9242333e8469059dec8886b7d935f3651679\r\nDomains:\r\ncodeforprofessionalusers.com\r\nIP Addresses:\r\n173.46.80[.]206\r\nFiles and Directories:\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\IwJnK\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\ZBrAO\r\nC:\\WINDOWS\\system32\\Tasks\\OppCleanTp\r\nC:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\CleanUp.dll\r\nThe infected endpoints exhibited numerous outbound web connections to known Rhysida C2 servers, including 173.46.80[.]206.\r\nHow to prevent Rhysida ransomware\r\nRhysida has made a big name for itself in a short amount of time, with over 107 confirmed attacks since it emerged on the scene in June 2023.\r\nWhile it looks like Rhysida will attack anyone it thinks is an easy target, it has a disproportionate interest in the education sector, which accounts for about 30% of its victims—about ten times the average for most ransomware groups.\r\nKnown Rhysida ransomware attacks by industry, June 2023 – June 2024\r\nWe recommend that organizations across all sectors follow a few best practices to prevent (and recover from) ransomware attacks from every angle. That includes:\r\nDon’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.\r\nBlock common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.\r\nDetect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.\r\nCreate offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.\r\nPurpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts, the ThreatDown Elite Bundle includes award-winning technologies and 24x7x365 expert-managed monitoring and response from the ThreatDown MDR team.\r\nTalk to an MDR expert today.\r\nSource: https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/"
	],
	"report_names": [
		"rhysida-using-oyster-backdoor-to-deliver-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434218,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cc59fd24740e18b8870d551d80f1d976f35e59f.pdf",
		"text": "https://archive.orkl.eu/5cc59fd24740e18b8870d551d80f1d976f35e59f.txt",
		"img": "https://archive.orkl.eu/5cc59fd24740e18b8870d551d80f1d976f35e59f.jpg"
	}
}