{
	"id": "c4aa852a-9961-4763-b343-784e91f3b540",
	"created_at": "2026-04-06T00:21:02.199411Z",
	"updated_at": "2026-04-10T03:36:11.225868Z",
	"deleted_at": null,
	"sha1_hash": "6577f49d981ce6a7ed593933ceb6cecc3502a2c4",
	"title": "Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2125338,
	"plain_text": "Oyster’s Trail: Resurgence of Infrastructure Linked to\r\nRansomware and Cybercrime Actors\r\nPublished: 2024-12-12 · Archived: 2026-04-05 21:47:51 UTC\r\nTABLE OF CONTENTS\r\nOyster Backdoor Overview · Recent Observations · Pivot! · Conclusion · Network Observables\r\nAfter a period of dormancy, the Oyster backdoor--linked to threat actors such as Vanilla Tempest, Vice Society, and Rhysida--has recently resurfaced. Over the past week, our continuous monitoring efforts have uncovered a set of fresh domains and servers, suggesting renewed attacks may be in the works.\r\nFindings include:\r\nRegistration Patterns: Most domains are registered through NameCheap, and Let's Encrypt TLS certificates are used to protect communications.\r\nShared Hosting: One of the IPs revealed connections to 20 additional servers sharing SSH keys, all belonging to the Global-Data System IT Corporation ASN.\r\nIn this post, we detail the observed domains and infrastructure, highlighting the links and patterns that may assist defenders in hunting for similar activity and strengthening their detection capabilities.\r\nOyster Backdoor Overview\r\nAlso known as Broomstick and CleanUpLoader, Oyster first appeared in July 2023. The backdoor collects host details and communicates with its command-and-control (C2) server via TLS, using encoded HTTP data to transfer information securely. Contact is established with the C2 through an initial HTTP POST request to several endpoints, usually starting with /api.\r\nIn June 2024, Rapid7 identified a malvertising campaign leveraging trojanized installers for popular software like Google Chrome and Microsoft Teams to deliver the Oyster backdoor.\r\nIn July, we outlined a method to identify Oyster infrastructure based on web pages simply containing the word \"Soon.\" The post also lists several IOCs, including domains and a JARM fingerprint based on the Let's Encrypt certs used, plus an HTTP response hash for defenders to do their own hunting.\r\nIn October, the Insikt Group linked CleanUpLoader, a variant of the Oyster backdoor, to ITG23, a Russian cybercriminal group tracked by Recorded Future. Their analysis further details the malware's operational tactics and supporting infrastructure.\r\nRecent Observations\r\nhttps://hunt.io/blog/oysters-trail-resurgence-infrastructure-ransomware-cybercrime\r\nPage 1 of 9\n\nWithin the Hunt app, we are tracking three IP addresses detected as part of the Oyster backdoor infrastructure:\r\n185.196.10[.]179 (first observed 28 Nov)\r\n193.109.120[.]240 (first observed 05 Dec)\r\n91.236.230[.]11 (first observed 05 Dec)\r\nOn 06 December, researchers at TRAC posted on X about two IP addresses and three domains they linked to Vanilla Tempest. According to our scans, we assess those domains resolve to 91.236.230[.]11 and 185.196.10[.]179. This overlap reinforces our findings that the infrastructure identified by both our team and TRAC is likely tied to Oyster.\r\nFigure 1: Listing of current Oyster backdoor infrastructure in Hunt.\r\nWhile TRAC's post provides valuable context, we shift our focus to a third IP, 193.109.120[.]240, and its associated domain. Hosted on the BlueVPS OU network, this server has ports 80 and 443 open for HTTP/S and port 56777 configured for SSH, as shown in Figure 2. The IP resolves to a single domain, cloudignitetech[.]com, registered via NameCheap.\r\nFigure 2: IP overview in Hunt.\r\nIn line with our previous blog post, the server's JARM fingerprint and web page displaying \"Soon\" have proven useful in tracking associated infrastructure. Below is an example of the HTML source retrieved from port 443, which demonstrates these distinct characteristics:\r\nFigure 3: HTML details on port 443 showing the 'Soon' title linked to Oyster malware (Hunt).\r\nA Let's Encrypt certificate (SHA256: 795AD205EA6D324FDC0E1E81BC3E89A813A45070F1D4B30214E4B79359EE5A3A) using the same domain as the Common Name was also found.\r\nFigure 4: Screenshot of the TLS certificate data for the IP in Hunt.\r\nPivot!\r\nStepping back to analyze 185.196.10[.]179 in Hunt, our scans identified 20 associations with other IPs through shared SSH keys (Fingerprint: 05cfec94a6d9ab710f6dc6c4287408f4e71a4770d5b5b8e81b0552e1e91b7a33).\r\nFigure 5: IP overview of 185.196.10[.]179, which shows the 'Associations' tab with the number 20 beside it (Hunt).\r\nThe IPs in question are clustered within the same ASN, with several resolving to domains similar to those discussed above. While these overlaps are compelling, they do not conclusively indicate malicious intent. The observed connections could result from server misconfigurations, the deployment of shared images containing embedded SSH keys, or even different actors unknowingly reusing a leaked key.\r\nA full list of IPs and domains (based on our visibility) can be found at the end of this post.\r\nConclusion\r\nThis blog post has outlined key findings on new infrastructure associated with the Oyster backdoor, including three IPs identified in Hunt, a unique domain, and connections revealed through shared SSH keys. To support defenders in identifying similar threats, we continuously refine and update our detection rules, ensuring the latest information on command-and-control servers is readily available.\r\nNetwork Observables\r\nIP Address | Hosting Country | ASN | Domain(s) | Notes\r\n91.236.230[.]11 | US | BlueVPS OU | greensolutionshub[.]net | Detected by Hunt\r\n185.196.10[.]179 | UK | Global-Data System IT Corporation | futurepathlabs[.]com, kisppy[.]net | Detected by Hunt\r\n193.109.120[.]240 | EE | BlueVPS OU | cloudignitetech[.]com | Detected by Hunt\r\n185.196.10[.]182 | DE | Global-Data System IT Corporation | lido.fi-nft[.]app | Shared SSH keys w/ 185.196.10[.]179 + below\r\n185.196.11[.]195 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.10[.]97 | DE | Global-Data System IT Corporation | jfhgfh.duckdns[.]org, johnwest-cars[.]co.uk |\r\n185.196.11[.]197 | DE | Global-Data System IT Corporation | razer-boost[.]com |\r\n185.208.159[.]112 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.10[.]81 | DE | Global-Data System IT Corporation | zojanink[.]pw |\r\n185.196.11[.]60 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.11[.]62 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.10[.]174 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.11[.]49 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.10[.]172 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.10[.]173 | DE | Global-Data System IT Corporation | gemen[.]asia |\r\n185.196.11[.]198 | DE | Global-Data System IT Corporation | 1k+ |\r\n185.196.10[.]177 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.11[.]194 | DE | Global-Data System IT Corporation | anumalisa[.]com, menjamili[.]com |\r\n185.196.11[.]105 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.11[.]59 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.10[.]221 | DE | Global-Data System IT Corporation | N/A |\r\n185.196.11[.]196 | DE | Global-Data System IT Corporation | aramex.i-order[.]shop, aramex.o-blank[.]site, gumtreever.i-order[.]shop |\r\n185.196.11[.]57 | DE | Global-Data System IT Corporation | N/A |\r\nSource: https://hunt.io/blog/oysters-trail-resurgence-infrastructure-ransomware-cybercrime",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/oysters-trail-resurgence-infrastructure-ransomware-cybercrime"
	],
	"report_names": [
		"oysters-trail-resurgence-infrastructure-ransomware-cybercrime"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6577f49d981ce6a7ed593933ceb6cecc3502a2c4.pdf",
		"text": "https://archive.orkl.eu/6577f49d981ce6a7ed593933ceb6cecc3502a2c4.txt",
		"img": "https://archive.orkl.eu/6577f49d981ce6a7ed593933ceb6cecc3502a2c4.jpg"
	}
}