Oyster Backdoor

Oyster, also known as Broomstick or CleanUpLoader, is a stealthy Windows backdoor distributed via malvertising and SEO-poisoned fake websites. Cybercriminals disguise this malware as legitimate tools like PuTTY, WinSCP, Microsoft Teams, and Google Chrome to trick users into downloading Trojanized installers. Once executed, these installers deploy the Oyster payload, initiating a sophisticated backdoor campaign on the victim’s system.

Threat Overview

Oyster is a C++-based backdoor malware that enables remote code execution, file transfers, and command-and-control capabilities. It persists on infected machines through scheduled tasks and uses HTTPS for secure communications. Its advanced obfuscation and stealth mechanisms make detection particularly difficult.

---

Threat Summary

Attribute	Details
Threat type	Backdoor malware
Detection names	Oyster, Broomstick, CleanUpLoader
Symptoms of infection	Scheduled tasks running malicious DLLs, abnormal rundll32.exe activity, PowerShell execution at startup, outbound HTTPS to suspicious domains
Damage & distribution	Grants remote control, enables lateral movement, can be used to deliver ransomware or steal credentials, spreads through poisoned search results and fake downloads
Danger level	High
Removal tool	SpyHunter – download here

---

Detailed Evaluation

How the Infection Happens

Oyster infections often begin with users searching for popular software. Threat actors use SEO poisoning to rank fake websites highly in search results. These sites offer installers for legitimate software that also carry malicious payloads. Once executed, the installer drops a DLL file—often named CleanUp.dll or twain_96.dll—and loads it using rundll32.exe.

A scheduled task is created to ensure the malicious DLL is executed repeatedly, providing persistent access for threat actors. The malware uses HTTPS to communicate with command-and-control servers, masking its traffic as normal web activity.

What Oyster Does

• Establishes remote shell access to the infected machine
• Collects system data and user credentials, including SSH keys
• Transfers files to and from the device
• Executes further payloads, such as ransomware
• Moves laterally within networks, often acting as a precursor to more damaging attacks

Should You Be Worried?

Yes. Oyster is not just a standalone threat—it acts as a facilitator for larger attacks, including ransomware deployments. Its stealthy installation process and persistence mechanisms make it extremely dangerous, particularly for corporate environments or anyone handling sensitive information. Even vigilant users may find themselves infected after downloading what appears to be trusted software.

Manual Removal of Backdoor Malware (For Advanced Users Only)

Step 1: Boot Into Safe Mode with Networking

1. Restart your computer and enter Safe Mode:
   • Windows 10/11:
     1. Press Windows + R, type msconfig, and press Enter.
     2. Navigate to the Boot tab, check Safe boot, and select Network.
     3. Click Apply and OK, then restart your PC.
   • Alternative Method:
     1. Hold Shift while clicking Restart from the Start menu.
     2. Select Troubleshoot > Advanced options > Startup Settings.
     3. Click Restart, then select Enable Safe Mode with Networking.

Step 2: End Malicious Processes Using Task Manager

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious or unfamiliar processes consuming high CPU or RAM.
3. Right-click on the process and select Open file location.
4. If the file is in an unusual directory (e.g., C:\Users\Public or C:\Windows\System32), it might be malware.
5. End the process by right-clicking and selecting End Task.
6. Delete the related file from its folder.

Step 3: Delete Backdoor Files from System Folders

1. Open File Explorer and navigate to:makefileCopyEditC:\Users\YourUsername\AppData\Local C:\Users\YourUsername\AppData\Roaming C:\ProgramData C:\Windows\Temp
2. Delete any suspicious folders or files with random names (e.g., xhterou.exe, srvhosts.dll, temp0987.bat).
3. Clear the Temp folder:
   • Press Windows + R, type %temp%, and press Enter.
   • Select all files (Ctrl + A) and delete them.

Step 4: Remove Malicious Registry Entries

⚠️ Warning: Modifying the registry incorrectly can damage your system. Proceed with caution.

1. Press Windows + R, type regedit, and press Enter.
2. Navigate to the following keys and look for suspicious values:mathematicaCopyEditHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Delete unknown registry entries referencing suspicious .exe files.
4. Close Registry Editor and restart your PC.

Step 5: Remove Suspicious Startup Programs

1. Open Task Manager (Ctrl + Shift + Esc) and go to the Startup tab.
2. Look for unknown or suspicious programs and disable them.

Step 6: Reset Network Settings (Optional)

1. Open Command Prompt as Administrator:
   • Press Windows + S, type cmd, and select Run as administrator.
2. Run the following commands:perlCopyEditnetsh winsock reset netsh int ip reset ipconfig /flushdns
3. Restart your computer.

---

Automated Removal Using SpyHunter

If manually removing the backdoor malware is too complex or if you want a faster, more effective solution, use SpyHunter, a powerful anti-malware tool that specializes in detecting and removing backdoors and other threats.

Step 1: Download and Install SpyHunter

1. Visit the official SpyHunter download page: 👉 Download SpyHunter
2. Click Download and follow the on-screen installation instructions.

Step 2: Run a Full System Scan

1. Launch SpyHunter.
2. Click on Start Scan Now to initiate a full system scan.
3. Wait for the scan to complete. SpyHunter will detect and list all malware threats, including backdoor infections.

Step 3: Remove Detected Threats

1. Review the scan results.
2. Click Fix Threats to remove all detected malware.
3. Follow on-screen prompts to restart your computer if necessary.

Step 4: Enable SpyHunter’s Real-Time Protection

1. Open SpyHunter and go to Settings > Malware Protection.
2. Enable Real-Time Malware Protection to prevent future infections.

---

How to Prevent Future Backdoor Infections

• Use a reputable anti-malware tool like SpyHunter for real-time protection.
• Keep your software and operating system updated to patch vulnerabilities.
• Avoid downloading cracked software or opening suspicious email attachments.
• Enable firewall and network security settings to prevent unauthorized access.
• Use strong passwords and enable two-factor authentication (2FA) where possible.

---

Conclusion

Oyster represents a significant leap in malware distribution, using SEO manipulation and trusted software impersonation to slip past user defenses. Its ability to remain hidden while offering full remote access to attackers makes it an urgent threat. If you suspect your system may be infected, scan immediately with SpyHunter to ensure safe and complete removal.