HOMETHREATSBroomstick
APT / THREAT GROUP💰 FINANCIALHIGH

Broomstick

6
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Oyster is a backdoor malware written in C++ that first appeared in July 2023. It allows for remote sessions, supporting tasks such as file transfer and command-line processing. This malware has been used by numerous threat actors as a tool to facilitate ransomware intrusions. The distribution of Oyster has likely occurred through various methods, as suggested by the build identifiers found in examined samples. Additionally, Oyster is capable of collecting basic system data and communicates with a command-and-control (C2) server. It can execute commands via cmd.exe and run additional files.

In August 2024, a new version of Oyster was discovered that featured a new command-and-control (C2) communication protocol format. This 2024 version contained plaintext strings and lacked code obfuscation, suggesting it was still in development. In contrast to the 2024 version, the new 2025 Oyster version does not send C2 messages in plaintext, instead reintroducing the substitution cipher that was present in earlier versions of Oyster.

Threat Analysis

Broomstick is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like Broomstick prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Broomstick is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Aliases6

Also Known As

BroomstickOysterCLEANBOOSTCleanUpLoaderCleanUpwin.broomstick

External Intelligence

Malpedia: win.broomstick

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.