
Broomstick

Internal ID: win.broomstick
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Oyster is a backdoor written in C++ that first appeared in July 2023. It provides remote sessions to the operator, supporting tasks such as file transfer and command-line processing, and has been used by numerous threat actors to facilitate ransomware intrusions. Build identifiers found in examined samples suggest that Oyster has been distributed through several different methods. Oyster also collects basic system data, communicates with a command-and-control (C2) server, executes commands via cmd.exe, and runs additional files.

In August 2024, a new version of Oyster was discovered that used a new C2 communication protocol format. This 2024 version contained plaintext strings and lacked code obfuscation, suggesting it was still in development. In contrast, the 2025 version of Oyster no longer sends C2 messages in plaintext and instead reintroduces the substitution cipher that was present in earlier versions.

Threat Analysis

Broomstick is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Financially motivated threat actors, such as those deploying Broomstick, prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Broomstick is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: Malware Family
Motivation: 💰 financial
Sophistication: high
Aliases: 1

Also Known As

win.broomstick

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Broomstick — Malware Family | Threat Intelligence | CTIWATCH.COM