{ "type": "URL", "indicator": "https://registrywave.com/api/v2/facade", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://registrywave.com/api/v2/facade", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4182688674, "indicator": "https://registrywave.com/api/v2/facade", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69932d857fc6d3d569240dc6", "name": "OysterLoader Unmasked: The Multi-Stage Evasion Loader", "description": "OysterLoader, also referred to as Broomstick or CleanUp, is a C++-developed malware identified as a multi-stage loader, first reported in June 2024. It primarily propagates through counterfeit websites mimicking legitimate IT software, notably applications like PuTTY and WinSCP. The malware's core function is to serve as a downloader, facilitating the deployment of further threats, particularly the Rhysida ransomware.", "modified": "2026-03-18T14:34:51.093000", "created": "2026-02-16T14:45:25.645000", "tags": [ "oysterloader", "json", "base64 alphabet", "textshell", "stage", "dlls", "python script", "gist", "broomstick", "cleanup", "vidar", "code", "example", "june", "winscp", "gootloader", "packer", "obfuscator", "write", "dword", "shellcode", "python", "downloader", "beep", "first", "core", "aspire", "rhydida", "linux", "rhysida" ], "references": [ "https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rhydida", "display_name": "Rhydida", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "OysterLoader", "display_name": "OysterLoader", "target": null } ], "attack_ids": [ { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696edce75ebb0078295802f5", "name": "grandideapay", "description": "", "modified": "2026-02-19T01:02:49.197000", "created": "2026-01-20T01:39:51.797000", "tags": [], "references": [ "https://x.com/skocherhan/status/2013393698864656544" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 38, "URL": 13, "domain": 11, "hostname": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/skocherhan/status/2013393698864656544", "https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Rhydida", "Oysterloader", "Vidar", "Linux", "Rhysida" ], "industries": [], "unique_indicators": 2205 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/registrywave.com", "whois": "http://whois.domaintools.com/registrywave.com", "domain": "registrywave.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69932d857fc6d3d569240dc6", "name": "OysterLoader Unmasked: The Multi-Stage Evasion Loader", "description": "OysterLoader, also referred to as Broomstick or CleanUp, is a C++-developed malware identified as a multi-stage loader, first reported in June 2024. It primarily propagates through counterfeit websites mimicking legitimate IT software, notably applications like PuTTY and WinSCP. The malware's core function is to serve as a downloader, facilitating the deployment of further threats, particularly the Rhysida ransomware.", "modified": "2026-03-18T14:34:51.093000", "created": "2026-02-16T14:45:25.645000", "tags": [ "oysterloader", "json", "base64 alphabet", "textshell", "stage", "dlls", "python script", "gist", "broomstick", "cleanup", "vidar", "code", "example", "june", "winscp", "gootloader", "packer", "obfuscator", "write", "dword", "shellcode", "python", "downloader", "beep", "first", "core", "aspire", "rhydida", "linux", "rhysida" ], "references": [ "https://blog.sekoia.io/oysterloader-unmasked-the-multi-stage-evasion-loader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rhydida", "display_name": "Rhydida", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "OysterLoader", "display_name": "OysterLoader", "target": null } ], "attack_ids": [ { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696edce75ebb0078295802f5", "name": "grandideapay", "description": "", "modified": "2026-02-19T01:02:49.197000", "created": "2026-01-20T01:39:51.797000", "tags": [], "references": [ "https://x.com/skocherhan/status/2013393698864656544" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 38, "URL": 13, "domain": 11, "hostname": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://registrywave.com/api/v2/facade", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://registrywave.com/api/v2/facade", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776613027.0266337 }