OysterLoader Unmasked: The Multi-Stage Evasion Loader
ID: d73edb1e-8249-5447-8e44-5afb6daba742
STIX ID: report--d73edb1e-8249-5447-8e44-5afb6daba742
Feed Name: Sekoia.io Blog
**OysterLoader (Broomstick/CleanUp)** is a multi-stage C++ malware loader, in use since 2024, that delivers Rhysida ransomware and commodity payloads such as Vidar. The report walks through its four-stage infection chain: the TextShell packer, custom shellcode with LZMA decompression, a downloader, and the core DLL. It documents the loader's evasion techniques (API flooding, dynamic API hashing, a custom LZMA container, RC4 combined with steganography), its HTTP-based C2 (custom Base64 alphabets, hardcoded IPs and domains), its persistence through scheduled tasks, and its delivery via signed MSI packages. The report closes with IOCs and decoding scripts for detection and hunting.
