Oyster returned in July 2025 with a stealthier, modular loader delivered via malvertising that spoofed PuTTY and used a compromised real estate site to host a trojanized installer, fetching a second-stage DLL from a cloud CDN and maintaining persistence via a scheduled task. The campaign features AV evasion through GDI noise, cloud-based C2 traffic, hardcoded IP 45[.]86[.]230[.]77, and indicators including putty[.]us[.]com and skyviberealty[.]com. #Oyster #Rhysida
Keypoints
- Oyster malvertising campaign in July 2025 spoofed PuTTY and delivered a trojanized installer from a compromised WordPress real estate site (skyviberealty[.]com).
- The 2025 loader is modular: EXE fetches twain_96.dll at runtime via InternetOpenW from a hardcoded IP (45[.]86[.]230[.]77) and stores it under %APPDATA%.
- AV/EDR evasion uses GDI no-op calls, junk/dead functions, and inflated imports to confuse static analysis.
- Persistence is achieved by executing the DLL with rundll32.exe and creating a scheduled task “Security Updater” to run every three minutes.
- C2 communications are cloud CDN–masked with spoofed user agents (WordPressAgent, FingerPrintpersistent) and modified HTTP headers to blend with legitimate traffic.
- Campaign targets technical users/admins by impersonating trusted admin tools (PuTTY) rather than broad consumer tools.
- IOCs include trojanized PuTTY.exe installer, twain_96.dll, two SHA-256 hashes, domains putty[.]us[.]com and skyviberealty[.]com, and IP 45[.]86[.]230[.]77.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Compromised real estate WordPress site hosted the trojanized installer used in the malvertising delivery.
- [T1204] User Execution – Victims downloaded and executed a trojanized PuTTY installer from a spoofed site after clicking malvertising links.
- [T1105] Ingress Tool Transfer – EXE fetched the second-stage DLL (twain_96.dll) at runtime via InternetOpenW from hardcoded IP 45[.]86[.]230[.]77 (“…InternetOpenW API call to a hardcoded IP address: 45[.]86[.]230[.]77…”).
- [T1566] Phishing – Malvertising campaign used sponsored links and a spoofed PuTTY domain (putty[.]us[.]com) to lure technical users.
- [T1218] Signed Binary Proxy Execution – Used rundll32.exe to execute the malicious DLL (rundll32.exe %APPDATA%\Roaming\twain_96.dll DllRegisterServer).
- [T1053] Scheduled Task/Job – Created a scheduled task “Security Updater” to re-launch the loader every three minutes for persistence (“…schtasks /Create /SC MINUTE /MO 3 /TN "Security Updater"…”).
- [T1071] Application Layer Protocol – C2 traffic disguised over cloud CDN with HTTP requests and spoofed User-Agent headers (WordPressAgent, FingerPrintpersistent) to blend with legitimate traffic.
- [T1027] Obfuscated Files or Information – GDI no-ops, junk functions, and dead code used to evade static analysis and inflate import tables (“…GDI noise and junk code…”).
- [T1573] Encrypted Channel – Use of cloud CDN and modified headers to mask C2 communications and blend with normal encrypted/legitimate traffic patterns.
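The rundll32 and schtasks behaviours mapped above (T1218, T1053) can be checked directly in process-creation telemetry. The following Python is an added detection example, not code from the Cato CTRL report; the events are constructed command lines that mimic the chain described (a DLL launched via DllRegisterServer from a user-writable AppData path, then a minute-interval task named "Security Updater"), plus two benign lines so the rules can be seen discriminating. The 5-minute threshold and the field names are the example's own assumptions.

```python
import re

# Constructed sample process-creation events (command lines only), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "cmd": r'"C:\Program Files\PuTTY\putty.exe"'},
    {"pid": 4188, "parent": "PuTTY.exe",
     "cmd": r'rundll32.exe C:\Users\alice\AppData\Roaming\twain_96.dll DllRegisterServer'},
    {"pid": 4201, "parent": "rundll32.exe",
     "cmd": r'schtasks /Create /SC MINUTE /MO 3 /TN "Security Updater" '
            r'/TR "rundll32.exe C:\Users\alice\AppData\Roaming\twain_96.dll DllRegisterServer" /F'},
    {"pid": 5003, "parent": "svchost.exe",                      # benign: daily task
     "cmd": r'schtasks /Create /SC DAILY /ST 03:00 /TN "Backup Job" /TR "C:\Tools\backup.exe"'},
    {"pid": 5010, "parent": "services.exe",                     # benign: system DLL
     "cmd": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
]

# rundll32 must be the image at the start of the command line (not buried in a /TR argument)
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|\S+)', re.IGNORECASE)
SCHTASKS_RE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/Create\b', re.IGNORECASE)
SC_RE = re.compile(r'/SC\s+(?P<sched>\w+)', re.IGNORECASE)
MO_RE = re.compile(r'/MO\s+(?P<mod>\d+)', re.IGNORECASE)
TN_RE = re.compile(r'/TN\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.IGNORECASE)

KNOWN_TASK_NAMES = {"security updater"}  # task name reported for this campaign
MAX_MINUTE_INTERVAL = 5                   # assumed threshold: re-runs this frequent look like beaconing


def is_user_writable_path(path: str) -> bool:
    """True for DLLs under the roaming AppData profile, where the loader stores twain_96.dll."""
    p = path.strip('"').lower()
    return "\\appdata\\roaming\\" in p or p.startswith("%appdata%")


def check_rundll32(cmd: str) -> list:
    """T1218: rundll32 registering a DLL that lives in a user-writable location."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return []
    dll = m.group("dll").split(",")[0]  # drop a trailing ",ExportName"
    if is_user_writable_path(dll) and re.search(r'\bDllRegisterServer\b', cmd, re.IGNORECASE):
        return ["rundll32 DllRegisterServer on DLL in user-writable AppData (T1218)"]
    return []


def check_schtasks(cmd: str) -> list:
    """T1053: task creation matching the campaign's name or a minute-level re-run interval."""
    if not SCHTASKS_RE.search(cmd):
        return []
    findings = []
    tn = TN_RE.search(cmd)
    name = (tn.group("q") or tn.group("u")) if tn else ""
    if name.lower() in KNOWN_TASK_NAMES:
        findings.append(f'scheduled task name matches campaign IoC: "{name}" (T1053)')
    sc, mo = SC_RE.search(cmd), MO_RE.search(cmd)
    if sc and sc.group("sched").upper() == "MINUTE":
        interval = int(mo.group("mod")) if mo else 1  # schtasks defaults /MO to 1
        if interval <= MAX_MINUTE_INTERVAL:
            findings.append(f"high-frequency task: every {interval} minute(s) (T1053)")
    return findings


def scan(events) -> list:
    """Return (pid, finding) pairs for every rule that fires on an event's command line."""
    hits = []
    for ev in events:
        for rule in (check_rundll32, check_schtasks):
            for msg in rule(ev["cmd"]):
                hits.append((ev["pid"], msg))
    return hits


if __name__ == "__main__":
    for pid, msg in scan(SAMPLE_EVENTS):
        print(pid, msg)
```

The two schtasks rules are deliberately separate: the task-name match is a brittle campaign-specific indicator, while the minute-interval rule catches the same persistence pattern if the operators rename the task.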
Indicators of Compromise
- [Domain] Malvertising landing and download host – putty[.]us[.]com, skyviberealty[.]com
- [IP Address] C2 and DLL host – 45[.]86[.]230[.]77
- [File Name] Trojans and payloads – PuTTY.exe (trojanized installer), twain_96.dll (downloaded second-stage payload)
- [Hash (SHA-256)] Sample hashes – e25db8020f7fcadaec5dd54dd7364d8eaa9efd8755fb91a357f3d29bf2d9fbad (installer), 0bb664420f910961b579f5b9f9047d5d9de52f0bb06cd49e08747ecf9056f5d6 (DLL)
- [Persistence Artifact] Scheduled task – “Security Updater” set to run every 3 minutes
- [User-Agent] Suspicious headers observed – WordPressAgent (stage 1), FingerPrintpersistent (stage 2)
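The network indicators above (domains, the hardcoded IP, and the two User-Agent strings) are the ones most easily swept across proxy logs. The Python below is an added example, not code from the report: it refangs the bracket-defanged indicators exactly as listed, parses a constructed proxy log (the timestamps, client addresses, URLs and the cdn.example-cdn.net host are invented, not observed traffic), and matches hosts by exact name or parent-domain suffix so a subdomain of a listed domain still fires. The log format is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied in their defanged form so they can be pasted straight from a report
DEFANGED_DOMAINS = ["putty[.]us[.]com", "skyviberealty[.]com"]
DEFANGED_IPS = ["45[.]86[.]230[.]77"]
SUSPICIOUS_USER_AGENTS = {"WordPressAgent": "stage 1", "FingerPrintpersistent": "stage 2"}


def refang(ioc: str) -> str:
    """Turn a bracket-defanged indicator back into a matchable host string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed proxy log (assumed format: ts client method url status "user-agent"); not real traffic
SAMPLE_PROXY_LOG = """\
2025-07-14T09:12:01Z 10.0.5.23 GET https://putty.us.com/download/putty-installer.exe 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-07-14T09:12:40Z 10.0.5.23 GET http://45.86.230.77/twain_96.dll 200 "WordPressAgent"
2025-07-14T09:13:05Z 10.0.5.23 POST https://cdn.example-cdn.net/api/check 200 "FingerPrintpersistent"
2025-07-14T09:13:30Z 10.0.7.41 GET https://intranet.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-07-14T09:14:02Z 10.0.5.23 GET https://www.skyviberealty.com/listings 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def host_matches(host: str):
    """Return a reason string if the host is a listed IP or a listed domain (or subdomain), else None."""
    host = host.lower()
    if host in IPS:
        return f"C2/DLL host IP {host}"
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return f"campaign domain {d}"
    return None


def scan_proxy_log(text: str) -> list:
    """Emit one alert per log line that touches a listed host or carries a listed User-Agent."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        h = host_matches(host)
        if h:
            reasons.append(h)
        ua = m["ua"]
        if ua in SUSPICIOUS_USER_AGENTS:
            reasons.append(f"user agent {ua!r} ({SUSPICIOUS_USER_AGENTS[ua]})")
        if reasons:
            alerts.append({"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons})
    return alerts


def clients_by_alert_count(alerts) -> dict:
    """Aggregate per internal client, the natural pivot for triage."""
    counts = {}
    for a in alerts:
        counts[a["client"]] = counts.get(a["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for a in found:
        print(a["ts"], a["client"], a["host"], "; ".join(a["reasons"]))
    print(clients_by_alert_count(found))
```

The User-Agent match is exact rather than a substring search because both strings are unusual enough to stand on their own; the IP and domain checks are the part worth keeping long-term, since the user agents are trivial for the operators to change between campaigns.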
Read more: https://www.catonetworks.com/blog/cato-ctrl-oyster-malware-campaign/