win.broomstick

Broomstick

aka: CLEANBOOST, CleanUp, CleanUpLoader, Oyster

Oyster is a backdoor written in C++ that first appeared in July 2023. It provides remote sessions to its operators, supporting tasks such as file transfer and command-line processing. The malware has been used by numerous threat actors as a tool to facilitate ransomware intrusions. Build identifiers found in examined samples suggest that Oyster has been distributed through several different delivery methods. Oyster also collects basic system information and reports to a command-and-control (C2) server, from which it can receive commands to execute through cmd.exe and additional files to run.

In August 2024, a new version of Oyster was discovered that featured a new command-and-control (C2) communication protocol format. This 2024 version contained plaintext strings and lacked code obfuscation, suggesting it was still in development. In contrast to the 2024 version, the new 2025 Oyster version does not send C2 messages in plaintext, instead reintroducing the substitution cipher that was present in earlier versions of Oyster.

References

- 2026-02-12 Sekoia (Pierre Le Bourhis): "OysterLoader Unmasked: The Multi-Stage Evasion Loader" [Broomstick]
- 2026-01-06 Reversing Labs (Robert Simmons): "Unpacking the packer ‘pkr_mtsi’" [Broomstick, Supper]
- 2025-10-31 Expel (Aaron Walton): "Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates" [Broomstick]
- 2025-09-28 Malasada Tech (Aaron Samala): "Oyster Malware Delivery via Teams Fake App" [Broomstick]
- 2025-09-26 BlackPoint (Nevan Beal, Sam Decker): "Malicious Teams Installers Drop Oyster Malware" [Broomstick]
- 2025-08-23 LevelBlue (Jeff Kieschnick): "Like PuTTY in Admin’s Hands" [Broomstick]
- 2025-07-24 Red Canary (The Red Canary Team): "Intelligence Insights: July 2025" [Broomstick]
- 2025-01-30 Recorded Future (Insikt Group): "TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base" [Rhysida, KongTuke, MintsLoader, Broomstick, Remcos, Rhysida, WarmCookie]
- 2024-12-12 Hunt.io: "Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors" [Broomstick]
- 2024-10-09 Recorded Future (Insikt Group): "Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware" [Broomstick, Rhysida]
- 2024-07-25 Symantec: "Growing Number of Threats Leveraging AI" [Broomstick, DBatLoader, NetSupportManager RAT, Rhadamanthys]
- 2024-07-24 ThreatDown: "Rhysida using Oyster Backdoor to deliver ransomware" [Broomstick, Rhysida]
- 2024-07-23 Hunt.io: "A Simple Approach to Discovering Oyster Backdoor Infrastructure" [Broomstick]
- 2024-06-17 Rapid7: "Malvertising Campaign Leads to Execution of Oyster Backdoor" [Broomstick, ChrGetPdsi Stealer]
- 2024-01-25 IBM: "Broomstick Analysis Report (IRIS-17079)" [Broomstick]
- 2024-01-05 IBM (IBM X-Force Exchange): "Tomb Crypter and ChrGetPdsi Stealer Analysis Report (INT00011701)" [Broomstick, ChrGetPdsi Stealer]
Yara Rules
[TLP:WHITE] win_broomstick_auto (20260504 | Detects win.broomstick.)
rule win_broomstick_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.broomstick."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 76f3 2bc2 83c002 99 83e203 03c2 c1f802 }
            // n = 7, score = 2200
            //   76f3                 | jbe                 0xfffffff5
            //   2bc2                 | sub                 eax, edx
            //   83c002               | add                 eax, 2
            //   99                   | cdq                 
            //   83e203               | and                 edx, 3
            //   03c2                 | add                 eax, edx
            //   c1f802               | sar                 eax, 2

        $sequence_1 = { 8b75d0 2bc6 894ddc 51 }
            // n = 4, score = 2100
            //   8b75d0               | mov                 esi, dword ptr [ebp - 0x30]
            //   2bc6                 | sub                 eax, esi
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   51                   | push                ecx

        $sequence_2 = { 0fb608 40 80b9????????3f 76f3 2bc2 }
            // n = 5, score = 2100
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   40                   | inc                 eax
            //   80b9????????3f       |                     
            //   76f3                 | jbe                 0xfffffff5
            //   2bc2                 | sub                 eax, edx

        $sequence_3 = { c6400100 8808 eb13 ff75e8 }
            // n = 4, score = 2100
            //   c6400100             | mov                 byte ptr [eax + 1], 0
            //   8808                 | mov                 byte ptr [eax], cl
            //   eb13                 | jmp                 0x15
            //   ff75e8               | push                dword ptr [ebp - 0x18]

        $sequence_4 = { 51 50 51 8bce e8???????? 8b4dec }
            // n = 6, score = 2100
            //   51                   | push                ecx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_5 = { 33c0 c7467000000000 c7467407000000 66894660 }
            // n = 4, score = 2100
            //   33c0                 | xor                 eax, eax
            //   c7467000000000       | mov                 dword ptr [esi + 0x70], 0
            //   c7467407000000       | mov                 dword ptr [esi + 0x74], 7
            //   66894660             | mov                 word ptr [esi + 0x60], ax

        $sequence_6 = { 56 e8???????? 8b45dc 83c40c c6040600 eb10 }
            // n = 6, score = 2100
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   83c40c               | add                 esp, 0xc
            //   c6040600             | mov                 byte ptr [esi + eax], 0
            //   eb10                 | jmp                 0x12

        $sequence_7 = { 51 50 e8???????? 83c408 33c0 c7467000000000 }
            // n = 6, score = 2100
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax
            //   c7467000000000       | mov                 dword ptr [esi + 0x70], 0

        $sequence_8 = { ba01000000 488d8120630400 ffd0 488b05???????? }
            // n = 4, score = 100
            //   ba01000000           | inc                 ecx
            //   488d8120630400       | mov                 eax, 0x88
            //   ffd0                 | mov                 edx, 1
            //   488b05????????       |                     

        $sequence_9 = { 49898688150400 488d4c2428 ffd5 48b80b8b55f8b9616cd5 }
            // n = 4, score = 100
            //   49898688150400       | and                 edx, 3
            //   488d4c2428           | dec                 esp
            //   ffd5                 | sub                 eax, eax
            //   48b80b8b55f8b9616cd5     | mov    edx, 0x22

        $sequence_10 = { 49898688410300 b9f0712400 4c8b25???????? 41ffd4 }
            // n = 4, score = 100
            //   49898688410300       | sub                 eax, edx
            //   b9f0712400           | add                 eax, 2
            //   4c8b25????????       |                     
            //   41ffd4               | cdq                 

        $sequence_11 = { 49898688430300 4889f1 ba97000000 41b8cb000000 }
            // n = 4, score = 100
            //   49898688430300       | sar                 eax, 2
            //   4889f1               | sub                 eax, edx
            //   ba97000000           | add                 eax, 2
            //   41b8cb000000         | cdq                 

        $sequence_12 = { 49898688140400 4889f1 4889fa 4c8b3d???????? 41ffd7 4889f1 ba0a000000 }
            // n = 7, score = 100
            //   49898688140400       | add                 eax, 2
            //   4889f1               | cdq                 
            //   4889fa               | jbe                 0xfffffff5
            //   4c8b3d????????       |                     
            //   41ffd7               | sub                 eax, edx
            //   4889f1               | add                 eax, 2
            //   ba0a000000           | cdq                 

        $sequence_13 = { ba01000000 488bf8 ff15???????? 488d8d80050000 }
            // n = 4, score = 100
            //   ba01000000           | mov                 edx, 0x9630ed
            //   488bf8               | dec                 eax
            //   ff15????????         |                     
            //   488d8d80050000       | mov                 ecx, edi

        $sequence_14 = { 488d15e9640100 ff15???????? 4885c0 7412 49ba707b5a5e9b8701a2 }
            // n = 5, score = 100
            //   488d15e9640100       | mov                 eax, 0x99d7206a
            //   ff15????????         |                     
            //   4885c0               | iretd               
            //   7412                 | push                0x78
            //   49ba707b5a5e9b8701a2     | and    dword ptr [edx + 0x9b2a34], edi

        $sequence_15 = { 49898688360300 488d4c2420 41ffd7 4889f1 }
            // n = 4, score = 100
            //   49898688360300       | sub                 eax, edx
            //   488d4c2420           | add                 eax, 2
            //   41ffd7               | cdq                 
            //   4889f1               | and                 edx, 3

        $sequence_16 = { 49898688160400 b917d46400 41ffd4 4889c7 }
            // n = 4, score = 100
            //   49898688160400       | dec                 eax
            //   b917d46400           | lea                 edx, [0x215e5]
            //   41ffd4               | dec                 eax
            //   4889c7               | mov                 eax, dword ptr [esp + 0x20]

        $sequence_17 = { ba01000000 488bd8 ff15???????? 488bd6 }
            // n = 4, score = 100
            //   ba01000000           | dec                 eax
            //   488bd8               | mov                 ecx, edi
            //   ff15????????         |                     
            //   488bd6               | mov                 edx, 1

        $sequence_18 = { ba01000000 49898602940300 488bcf 48b81e53fbe65dc7397c }
            // n = 4, score = 100
            //   ba01000000           | mov                 edi, eax
            //   49898602940300       | inc                 ebp
            //   488bcf               | xor                 ecx, ecx
            //   48b81e53fbe65dc7397c     | mov    edx, 1

        $sequence_19 = { ba01000000 488bf0 ff15???????? 4533c9 }
            // n = 4, score = 100
            //   ba01000000           | dec                 eax
            //   488bf0               | mov                 ecx, edi
            //   ff15????????         |                     
            //   4533c9               | mov                 edx, 0x22ffa0

        $sequence_20 = { 488d1500520300 eb2a 418bc8 e8???????? 0f57c0 }
            // n = 5, score = 100
            //   488d1500520300       | dec                 eax
            //   eb2a                 | mov                 ecx, edi
            //   418bc8               | mov                 edx, 1
            //   e8????????           |                     
            //   0f57c0               | dec                 eax

        $sequence_21 = { ba01000000 488bcf ff15???????? ba32ac0600 488bcf }
            // n = 5, score = 100
            //   ba01000000           | mov                 edx, 1
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   ba32ac0600           | mov                 ecx, edi
            //   488bcf               | mov                 edx, 0x6ac32

        $sequence_22 = { ba01000000 49898612ff0300 488bcf 48b81f58d5789b9e337f }
            // n = 4, score = 100
            //   ba01000000           | inc                 ebp
            //   49898612ff0300       | xor                 ecx, ecx
            //   488bcf               | mov                 edx, 0xd2
            //   48b81f58d5789b9e337f     | inc    ecx

        $sequence_23 = { 48c1e203 490314de eb07 488d15e5150200 }
            // n = 4, score = 100
            //   48c1e203             | dec                 ecx
            //   490314de             | mov                 dword ptr [esi - 0xa56], eax
            //   eb07                 | dec                 eax
            //   488d15e5150200       | mov                 ecx, edi

        $sequence_24 = { e8???????? 488b442420 4c8b4818 4d85c9 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   488b442420           | mov                 edx, 1
            //   4c8b4818             | dec                 eax
            //   4d85c9               | mov                 edi, eax

        $sequence_25 = { 83f801 7516 488d05a2ab0100 488b4c2430 483bc8 }
            // n = 5, score = 100
            //   83f801               | mov                 edx, 8
            //   7516                 | mov                 edx, 1
            //   488d05a2ab0100       | dec                 eax
            //   488b4c2430           | mov                 edi, eax
            //   483bc8               | mov                 edx, 8

        $sequence_26 = { ba01000000 49898565230300 488bce 48b8234a9581780326f6 }
            // n = 4, score = 100
            //   ba01000000           | mov                 esi, eax
            //   49898565230300       | mov                 edx, 0xac6071
            //   488bce               | dec                 eax
            //   48b8234a9581780326f6     | mov    ecx, esi

        $sequence_27 = { 4c89bc2460100000 ff15???????? 4c8bf8 4885c0 }
            // n = 4, score = 100
            //   4c89bc2460100000     | mov                 edi, eax
            //   ff15????????         |                     
            //   4c8bf8               | mov                 edx, 8
            //   4885c0               | dec                 eax

        $sequence_28 = { 49898688320300 b9bc474300 41ffd4 4889c7 }
            // n = 4, score = 100
            //   49898688320300       | xorps               xmm0, xmm0
            //   b9bc474300           | dec                 esp
            //   41ffd4               | mov                 dword ptr [esp + 0x1060], edi
            //   4889c7               | dec                 esp

        $sequence_29 = { 49898688420300 48b8111ed81f4f83a99f 49898690420300 488d4c2420 }
            // n = 4, score = 100
            //   49898688420300       | sub                 eax, esi
            //   48b8111ed81f4f83a99f     | mov    dword ptr [ebp - 0x24], ecx
            //   49898690420300       | push                ecx
            //   488d4c2420           | jbe                 0xfffffff5

        $sequence_30 = { 4c2bc0 ba22000000 488bc8 e8???????? 4885c0 }
            // n = 5, score = 100
            //   4c2bc0               | mov                 edx, 1
            //   ba22000000           | dec                 eax
            //   488bc8               | mov                 edi, eax
            //   e8????????           |                     
            //   4885c0               | dec                 eax

    condition:
        7 of them and filesize < 1567744
}
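To show how the rule's condition evaluates, the following added example (written for this page, not part of Malpedia or yara-signator) re-implements matching for the rule's first eight hex strings, including the `??` single-byte wildcards, in plain Python and applies the `7 of them and filesize < 1567744` condition. The buffers it scans are constructed from the rule's own byte patterns, not taken from any Oyster sample.

```python
import re

# Hex strings copied from the win_broomstick_auto rule above; "??" is a
# one-byte wildcard, exactly as in YARA hex-string syntax.
RULE_SEQUENCES = {
    "sequence_0": "76f3 2bc2 83c002 99 83e203 03c2 c1f802",
    "sequence_1": "8b75d0 2bc6 894ddc 51",
    "sequence_2": "0fb608 40 80b9????????3f 76f3 2bc2",
    "sequence_3": "c6400100 8808 eb13 ff75e8",
    "sequence_4": "51 50 51 8bce e8???????? 8b4dec",
    "sequence_5": "33c0 c7467000000000 c7467407000000 66894660",
    "sequence_6": "56 e8???????? 8b45dc 83c40c c6040600 eb10",
    "sequence_7": "51 50 e8???????? 83c408 33c0 c7467000000000",
}
MAX_FILESIZE = 1567744   # from the rule's condition
MIN_MATCHES = 7          # "7 of them"

def hex_string_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string (with ?? wildcards) to a bytes regex."""
    tokens = hex_string.replace(" ", "")
    assert len(tokens) % 2 == 0, "hex string must consist of whole bytes"
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        if pair == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def evaluate_rule(data: bytes) -> dict:
    """Report which sequences hit and whether the rule's condition is met."""
    hits = {name: bool(hex_string_to_regex(h).search(data))
            for name, h in RULE_SEQUENCES.items()}
    matched = sum(hits.values())
    return {
        "hits": hits,
        "matched": matched,
        "fires": matched >= MIN_MATCHES and len(data) < MAX_FILESIZE,
    }

def build_sample(names, pad: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer: the named sequences, wildcard bytes filled with 0xAA."""
    blob = b""
    for name in names:
        tokens = RULE_SEQUENCES[name].replace(" ", "").replace("??", "aa")
        blob += bytes.fromhex(tokens) + pad
    return blob

if __name__ == "__main__":
    seven = build_sample(list(RULE_SEQUENCES)[:7])
    print(evaluate_rule(seven)["fires"])   # True
```

For real scanning use yara-python (`yara.compile(...)` and `rules.match(...)`) with the full rule; this script only illustrates how the hex strings and the `7 of them` threshold combine.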