{
	"id": "5883e3e8-0691-4ff5-a3f7-56f97451af1b",
	"created_at": "2026-04-06T00:15:44.801092Z",
	"updated_at": "2026-04-10T13:12:14.142274Z",
	"deleted_at": null,
	"sha1_hash": "b199ba6e117c0120b19307e8cf521ed8c9099a5a",
	"title": "Malvertising Campaign Leads to Execution of Oyster Backdoor | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2444781,
	"plain_text": "Malvertising Campaign Leads to Execution of Oyster Backdoor | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2024-06-17 · Archived: 2026-04-05 16:32:26 UTC\r\nThe following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.\r\nExecutive Summary\r\nRapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.\r\nIn this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.\r\nOverview\r\nInitial Access\r\nIn three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.\r\nFigure 1 - Fake Microsoft Teams Website\r\nhttps://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/\r\nPage 1 of 10\n\nIn one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. 
Initial analysis of the binary MSTeamsSetup_c_l_.exe showed that the binary was signed with an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.\r\nFigure 2 - MSTeamsSetup_c_l_.exe File Information\r\nSearching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:\r\nFigure 3 - VirusTotal Signature Search Results\r\nThe results indicated other versions of the installer, each impersonating a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.\r\nIn a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was signed with a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.\r\nVirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.\r\nWhat is Oyster/Broomstick?\r\nOyster, aka Broomstick, aka CleanUpLoader, is a family of malware first spotted in September 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. 
Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.\r\nIn February, researchers on Twitter observed the same backdoor component and began referring to the Oyster Main backdoor as CleanUpLoader.\r\nIn recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.\r\nTechnical Analysis\r\nInitial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within its resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).\r\nAfter dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL by passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.\r\nFigure 4 - Execution of CleanUp30.dll\r\nAfter the execution of CleanUp30.dll, the program proceeds to launch the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.\r\nCleanUp30.dll Analysis\r\nDuring the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard-coded mutual exclusion object (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is often used by programs to determine whether another instance of the program is already running. 
If another instance is already running, the program terminates the new instance.\r\nAfter creating the mutex, the binary determines its own execution path by calling the function GetModuleFileNameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:\r\nschtasks.exe /create /tn ClearMngs /tr \"rundll32 '\u003clocation of binary\u003e\\CleanUp30.dll',Test\" /sc hourly /mo 3 /f\r\nThe purpose of the scheduled task ClearMngs is to execute the binary \u003clocation of binary\u003e\\CleanUp30.dll with the exported function Test using rundll32.exe every three hours.\r\nAfter the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function takes in a string of encoded characters and its length in bytes. It then proceeds to read each byte, starting from the end of the encoded string.\r\nFigure 5 - The DLL’s Decoding Loop\r\nEach byte of the encoded string is used as an index to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 1 to 256. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used within the condition for the decoding loop is compared to half of the encoded string’s length, as the decoding loop swaps two bytes at a time. 
The bytes of the encoded string are decoded and swapped beginning at the start and end bytes of the string, and the decoding loop then progresses towards the center of the string from each end.\r\nThe loop swaps the bytes to reverse the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Due to this algorithm, all the encoded strings that are passed must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.\r\nWe constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.\r\nFigure 6 - Sample Output from Python Script\r\nRunning our Python script revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:\r\nHex Encoded String | Decoded String\r\n2ec6a676766fc6f4960e86 | api/connect\r\n50b0aea6747686b64eaef69e2ec6a64e96262ea64e | supfoundrysettlers.us\r\n50b0b6f6c674a646a6b6f6164ea66ea64ea616ee | whereverhomebe.com\r\n50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece | retdirectyourman.eu\r\n76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 | Content-Type: application/json\r\n76f696cece65cef4960e86 | api/session\r\na61ea67426b6c63a346ceaf2eace9eca3a | \\SysWOW64\\cmd.exe\r\na61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a | \\SysWOW64\\rundll32.exe\r\nd2f2 | OK\r\n3a0eb6a62a3a | \\Temp\\\r\n445c442696fa267686b6b6f6c6443444 | \",\"command_id\":\"\r\nbe44 | \"}\r\n445c44649644de | 
{\"id\":\"\r\n445c442e36aecea64e443444 | \",\"result\":\"\r\n445c442696fa76f696cecea6ce443444 | \",\"session_id\":\"\r\n445c44ceae2e862ece443444 | \",\"status\":\"\r\n2e1e2e740eae7686a636c63a | \\cleanup.txt\r\n445c44a6b68676fa4e652eae0eb6f6c6443444 | \",\"computer_name\":\"\r\n0ccc445c4476f696ce72a66efa363626443444 | \",\"dll_version\":\"30\r\n445c44769686b6f626443444 | \",\"domain\":\"\r\nbe44 | \"}\r\n445c44649644de | {\"id\":\"\r\n445c443686c6f636fa0e96443444 | \",\"ip_local\":\"\r\n445c44cef6443444 | \",\"os\":\"\r\n445c44263696ae46facef6443444 | \",\"os_build\":\"\r\n445c44a6e6a636656e964e0e443444 | \",\"privilege\":\"\r\nAfter the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine using the following functions:\r\nFunction | Description\r\nDsRoleGetPrimaryDomainInformation | Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name.\r\nGetUserNameW | Provides the name of the user under which the program is running.\r\nNetUserGetInfo | Provides details of the user under which the program is running. 
In this case, the program queries whether the user is an admin or a regular user.\r\nGetComputerNameW | Provides the name of the compromised machine on which the binary is running.\r\nRtlGetVersion | Returns version information about the currently running operating system, including name and version number.\r\nFigure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information\r\nWhile enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.\r\nFigure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains\r\nThe fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.\r\nAfter the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via the HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and WebSockets.\r\nFigure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll\r\nFollow-on Activity\r\nIn one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. 
CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which also dropped the binary into the AppData/Local/Temp directory.\r\nFigure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk\r\nThe purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\. This ensured that the LNK file DiskCleanUp.lnk would be run each time the user logged in. The shortcut LNK file was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.\r\nFollowing the execution of the PowerShell script, Rapid7 observed execution of additional payloads:\r\nk1.ps1\r\nmain.dll\r\ngetresult.exe\r\nUnfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:\r\nEnumeration | Description\r\nsysteminfo | Provides information about the system's software and hardware configuration\r\narp -a | Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses\r\nnet group 'domain computers' /domain | Lists the \"Domain Computers\" group within an Active Directory domain\r\n\"C:\\Windows\\system32\\nslookup.exe\" myip.opendns.com resolver1.opendns.com | Determines the external IP address\r\nwhoami /all | Provides detailed information about the current user including the user's privileges, group memberships, and security identifiers (SIDs)\r\nnltest /dclist:\u003cdomain_name\u003e | Lists all the domain controllers (DCs) for a specific domain\r\nnet user admin | Provides detailed 
information about the user 'admin' including profile information, group memberships, local group memberships, etc.\r\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall /s | Queries the registry to find information about installed software\r\nfindstr \"DisplayName\" | Used to filter information, showing only items contained under \"DisplayName\"\r\nRapid7 Customers\r\nInsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:\r\nPersistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory\r\nSuspicious Process: RunDLL32 launching CMD or PowerShell\r\nPersistence - Schtasks.exe Creating Task That Executes RunDLL32\r\nNetwork Discovery - Nltest Enumerate Domain Controllers\r\nAttacker Technique - Determining External IP Via Command Line\r\nSuspicious Process - .lnk in PowerShell Command Line\r\nMITRE ATT\u0026CK Techniques\r\nTactic | Technique | Description\r\nResource Development | Acquire Infrastructure: Domains (T1583.001) | Threat actor set up the typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe\r\nExecution | Command and Scripting Interpreter: PowerShell (T1059.001) | Used to create the .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1\r\nExecution | User Execution: Malicious File (T1204.002) | User executes the binary MSTeamsSetup_c_l_.exe\r\nPersistence | Scheduled Task (T1053.005) | CleanUp30.DLL and CleanUp.DLL create scheduled 
task ClearMngs\r\nDefense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | MSTeamsSetup_c_l_.exe masquerades as the legitimate Microsoft Teams installer\r\nDefense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow\r\nCollection | Data from Local System (T1005) | Threat actors enumerated information about compromised hosts using the backdoor CleanUp DLLs\r\nCommand and Control | Data Encoding: Non-Standard Encoding (T1132.002) | CleanUp DLLs send encoded data to C2s using a unique encoding function\r\nIOCs\r\nIOC | Hash | Description\r\nTMSSetup.exe | 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 | The malicious executable dow from prodfindfeature\r\nMSTeamsSetup_c_l_.exe | 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 | The malicious executable dow from prodfindfeature\r\nCleanUp30.dll | CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 | The .dll file tha by run32dll.exe following the e of MSTeamsSetup\r\nCleanUp.dll | 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 | The .dll file tha by run32dll.exe following the e of TMSSetup.e\r\nDiskCleanUp.lnk | - | An .lnk file tha created followi execution of CleanUp30.dll\r\nprodfindfeatures[.]com/ | - | The domain ho malicious files TMSSetup (1). MSTeamsSetup\r\nmicrsoft-teams-download[.]com/ | - | The typo-squat domain that us\r\nimpresoralaser[.]pro/ | - | Part of the dom redirect chain f downloads of T (1).exe and MSTeamsSetup\r\nwhereverhomebe[.]com/ | - | Domain 
that CleanUp30.dll CleanUp.dll att communicate w\r\nsupfoundrysettlers[.]us/ | - | Domain that CleanUp30.dll CleanUp.dll att communicate w\r\nretdirectyourman[.]eu/ | - | Domain that CleanUp30.dll CleanUp.dll att communicate w\r\n149.248.79[.]62 | - | Resolving IP fo whereverhome\r\n64.95.10[.]243 | - | Resolving IP fo supfoundrysett\r\n206.166.251[.]114 | - | Resolving IP fo retdirectyourm\r\nReferences\r\nArticle | URL\r\nBroomstick Malware Profile | https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889\r\nTwitter Mention of CleanUpLoader | https://x.com/RussianPanda9xx/status/1757932257765945478\r\nSource: https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/"
	],
	"report_names": [
		"malvertising-campaign-leads-to-execution-of-oyster-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b199ba6e117c0120b19307e8cf521ed8c9099a5a.pdf",
		"text": "https://archive.orkl.eu/b199ba6e117c0120b19307e8cf521ed8c9099a5a.txt",
		"img": "https://archive.orkl.eu/b199ba6e117c0120b19307e8cf521ed8c9099a5a.jpg"
	}
}