{
	"id": "a1c21434-8dbe-4a7f-9b88-308df0c5f9e8",
	"created_at": "2026-04-06T00:16:29.76352Z",
	"updated_at": "2026-04-10T13:12:25.837186Z",
	"deleted_at": null,
	"sha1_hash": "f19646e037b556e72616e1fb9158de0834362709",
	"title": "A Simple Approach to Discovering Oyster Backdoor Infrastructure | Hunt.io",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7278928,
	"plain_text": "A Simple Approach to Discovering Oyster Backdoor Infrastructure\r\n| Hunt.io\r\nPublished: 2024-07-23 · Archived: 2026-04-05 19:05:30 UTC\r\nTABLE OF CONTENTS\r\nIntroduction\r\nDomains Identified by Rapid7\r\nInfrastructure Analysis\r\nOur Findings\r\nConclusion\r\nNetwork Observables\r\nIntroduction\r\nOyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to\r\nmalvertising campaigns mimicking popular software. On June 21st, Rapid7 described how attackers disguised the\r\nbackdoor as a Microsoft Teams installer, targeting unsuspecting users.\r\nThe malicious software collects victim information and sends it to a hard-coded C2 domain via an HTTP POST\r\nrequest. Malicious server administrators often leave identifiable clues in their infrastructure setup. As defenders\r\nand researchers, identifying these unique markers can help us uncover previously unreported IPs and domains.\r\nIn this post, we will examine the Oyster backdoor infrastructure, focusing on HTML titles, body hashes, and TLS\r\ncertificates.\r\nDomains Identified by Rapid7\r\nIn their blog post, Rapid7 identified three domains that the malicious DLLs, CleanUp30.dll and CleanUp.dll,\r\nattempted to communicate with:\r\nsupfoundrysettlers[.]us IP: 64.95.10[.]243\r\nwherehomebe[.]com IP: 149.248.79[.]62\r\nretdirectyourman[.]eu IP: 206.166.251[.]114\r\nUsing this information, we can analyze the above IPs and domains for any anomalies that would assist in\r\ndeveloping a query to find additional C2 servers. We will start with the first IP, 64.95.10[.]243, and see what can\r\nbe found in Hunt.\r\nInfrastructure Analysis\r\nHunt identified two open ports (22 and 443) on 64.95.10[.]243. 
Analyzing the HTML response for port 443,\r\ndepicted in Figure 1, reveals a webpage with the title and content of ‘Soon.’\r\nWhile the simplicity of this webpage does not overtly indicate malicious activity, we will note this finding and\r\nproceed to investigate the TLS history for further insights.\r\nhttps://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure\r\nPage 1 of 11\n\nFigure 1: Underlined HTML title for 64.95.10[.]243 (Try it here)\r\nAn additional screenshot of the above webpage from urlscan.io can be found below.\r\nFigure 2: Screenshot of supfoundrysettlers[.]us (Source: urlscan.io)\r\nThe History tab in Hunt features a time graph that helps identify overlaps in port and certificate activity. Each\r\nbutton is clickable and displays additional information, such as JA4X, JARM hashes, and certificate details.\r\nAs shown in Figure 3, the cert's common name matches that of the malicious domain reported in the Rapid7\r\nreport, which is still active. Additionally, a JARM hash (the yellow bar at the bottom) will be helpful when\r\ncrafting our detection query.\r\nFigure 3: Screenshot of certificate information using the History tab\r\nWith no available pivots on port 22 (SSH) or other TLS history, it’s time to focus on developing a method for\r\nidentifying the backdoor. Using Let’s Encrypt certificates is common practice and would likely result in hundreds\r\nof thousands of results alone, but how many web pages have the title ‘Soon’?\r\nTo understand the prevalence, we’ll combine the cert's JARM fingerprint hash with the HTML response body\r\nhash. 
This approach may yield fewer results than searching for specific TLDs using Let’s Encrypt.\r\nWith that, a pseudocode query to find additional Oyster servers is\r\njarm_fingerprint:\"15d3fd16d29d29d00042d43d000000ed1cf37c9a169b41886e27ba8fad60b0\" AND\r\nhttp_response_hash:\"0c90ad9910cfb37c9969e14388707ef765ef5e73\"\r\nOur Findings\r\nOur detection rule for locating Oyster infrastructure flagged seven IP addresses, including the three mentioned in\r\nthe Rapid7 post.\r\nThe limited number of results, combined with the already confirmed domain indicators, suggests our query is\r\neffective and likely on target until the threat actor decides to change up their C2 TTPs.\r\nLet’s Encrypt certificates and ports remained consistent across the returned results, with one exception\r\n(193.43.104[.]208), which had ports 80 and 443 open.\r\nA notable difference is the ASNs. The three known domains/IPs were hosted on BL Networks infrastructure, while\r\nour findings are hosted on OVH SAS.\r\nBelow are the domains we have uncovered, which have a similar naming theme to those mentioned above.\r\n*Detailed information, including the corresponding IP addresses, can be found at the end of this article.\r\n- codeforprofessionalusers[.]com\r\nFigure 4: Overview of suspected Oyster backdoor IP (Check it out here)\r\n- postmastersoriginals[.]com\r\nFigure 5: Screenshot showing suspicious domain and ports 22, 443 (Check it out here)\r\n- firstcountryours[.]eu\r\nFigure 6: Overview of 162.19.237[.]181 and firstcountryours[.]eu (Check it out here)\r\n- dotnetisforchildren[.]com\r\nFigure 7: Screenshot of 193.43.104[.]208. Note ports 80 \u0026 443 (link here)\r\nTo further corroborate our findings associated with the Oyster backdoor, we can analyze the domains using\r\nVirusTotal.\r\nIt's important to note that a VirusTotal score of 0 does not necessarily indicate that an IP or domain is benign;\r\nit simply suggests that additional data may be required for a definitive assessment.\r\nBelow are the results for codeforprofessionalusers[.]com and postmastersoriginals[.]com.\r\nNotably, CleanUp.dll has been linked to the Oyster backdoor. Furthermore, additional files appear to spoof\r\nMicrosoft's Defender, potentially indicating a campaign aimed at users seeking antivirus software.\r\nFigure 8: VirusTotal results for postmastersoriginals[.]com (Source: VT)\r\nFigure 9: Screenshot of VT results for codeforprofessionalusers[.]com (Source: VirusTotal)\r\nDigging into any one of the CleanUp.dll files in Figure 10 below reveals a positive detection for the Oyster\r\nbackdoor and the /api/connectivity URL path where victim information is sent via a POST request.\r\nAdditionally, under ‘Contacted Domains,’ we see one of our other finds, firstcountryours[.]eu, listed.\r\nFigure 10: VirusTotal results for contacted URLs and domains of CleanUp.dll (Source: VT)\r\nConclusion\r\nWe uncovered and validated suspected Oyster backdoor infrastructure with a relatively simple query. 
While\r\nidentifying malicious infrastructure can sometimes be straightforward, it’s not always this easy and requires\r\nthorough analysis and strategic pivots to uncover additional C2s.\r\nIf you’d like to see how Hunt can help you expose malicious infrastructure before it’s weaponized, contact us to\r\nbook a free demo today.\r\nNetwork Observables\r\nIP Address | Domain | ASN | Notes\r\n64.95.10[.]243 | supfoundrysettlers[.]us | BL Networks | Rapid7 Blog\r\n149.248.79[.]62 | wherehomebe[.]com | BL Networks | Rapid7 Blog\r\n206.166.251[.]114 | retdirectyourman[.]eu | BL Networks | Rapid7 Blog\r\n51.195.232[.]46 | codeforprofessionalusers[.]com | OVH SAS | JARM fingerprint + HTML response hash\r\n139.99.221[.]140 | postmastersoriginals[.]com | OVH SAS | JARM fingerprint + HTML response hash\r\n162.19.237[.]181 | firstcountryours[.]eu | OVH SAS | JARM fingerprint + HTML response hash\r\n193.43.104[.]208 | dotnetisforchildren[.]com | OVH SAS | JARM fingerprint + HTML response hash\r\nSource: https://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure"
	],
	"report_names": [
		"a-simple-approach-to-discovering-oyster-backdoor-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f19646e037b556e72616e1fb9158de0834362709.pdf",
		"text": "https://archive.orkl.eu/f19646e037b556e72616e1fb9158de0834362709.txt",
		"img": "https://archive.orkl.eu/f19646e037b556e72616e1fb9158de0834362709.jpg"
	}
}