A new malware campaign known as Oyster has been observed targeting IT professionals by disguising itself as popular software tools, including WinSCP and PuTTY. Researchers warn that the campaign could be linked to ransomware activity, raising concerns for enterprise security.
Malware hidden in trusted tools
Security firm BlueVoyant reported that its Security Operations Center (SOC) detected Oyster Backdoor within a healthcare client’s environment earlier this month. The attack was traced back to a malicious installer masquerading as WinSCP, a legitimate file transfer utility. Similar findings were made with installers posing as PuTTY, a commonly used administration tool.
Once installed, the malware enabled threat actors to create new administrator accounts and attempt lateral movement within the network. They also tried to deploy Havoc, a post-exploitation command and control framework, on a domain controller. BlueVoyant confirmed that its monitoring disrupted the attack before serious damage was done.
Evolving threat with advanced evasion
BlueVoyant researchers noted that the latest variant of Oyster shows several technical updates designed to avoid detection. The malware uses custom loaders that compress rather than encrypt payloads, relying on obfuscation techniques such as junk API calls and memory manipulation to complicate analysis.
The payload delivery component also performs anti-analysis checks, including sandbox detection and internet connectivity verification. If those checks pass, it downloads and installs the Oyster Backdoor, setting up persistence through scheduled tasks. This enables the malware to maintain access and deploy additional malicious tools.
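As an added defender-side illustration of the scheduled-task persistence described above (this is not BlueVoyant's code and contains no indicators from its report), the Python below triages Task Scheduler XML exports for traits common to installer-dropped persistence. The user-writable path markers, the proxy-binary list and both sample task definitions are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a dropped backdoor is often staged in, and signed Windows binaries
# often used to proxy-execute it. Both lists are assumptions for this example,
# not indicators taken from the BlueVoyant report.
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                    "%appdata%", "%localappdata%", "%temp%", "%programdata%", "%public%")
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe"}


def triage_task(task_xml: str) -> list[str]:
    """Return the persistence indicators found in one exported task definition."""
    root = ET.fromstring(task_xml)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        low = f"{cmd} {args}".lower()
        exe = cmd.lower().replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
        if any(m in low for m in WRITABLE_MARKERS):
            reasons.append(f"runs from user-writable location: {cmd} {args}".rstrip())
        if exe in PROXY_BINARIES:
            reasons.append(f"proxy binary launches payload: {exe}")
    if root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS).strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


# Constructed samples (placeholder names, not real indicators): one task shaped
# like the report's persistence mechanism and one ordinary maintenance task.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Users\example.user\AppData\Roaming\update\payload_placeholder.dll,Entry</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/autoclean</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml) or ["no indicators"])
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task, with hits reviewed against the known software inventory rather than treated as verdicts.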
Connection to ransomware operators
According to BlueVoyant’s Threat Fusion Cell, Oyster is linked to activity attributed to the TAG-124 cluster and is believed to provide initial access for Rhysida ransomware. The Rhysida group has named at least ten victims on its leak site since June, underscoring the continued prevalence of ransomware attacks.
The campaign is also associated with SEO poisoning and typo-squatted domains designed to trick users into downloading trojanised software. Infrastructure linked to these operations has been found pushing malicious versions of widely used tools across IT environments.
Protecting against similar attacks
Experts recommend that IT teams only download software from trusted sources and avoid clicking on links or attachments in unsolicited emails. Organisations are advised to implement round-the-clock monitoring and subscribe to threat intelligence services to stay informed about the latest threats.
BlueVoyant highlighted that its global SOC, along with threat hunting and intelligence teams, continues to detect, investigate, and disrupt attacks like Oyster. The company stressed that campaigns of this nature remain active and represent a significant risk to enterprise systems.