Trojan:Win64/OysterLoader!rfn
Aliases: No associated aliases
Summary
Trojan:Win64/OysterLoader!rfn is a type of backdoor malware identified as connected to the threat actor group that has been observed since around September 2023. Distribution of this malware occurs in malvertising campaigns, a tactic in which the actor creates websites that typo-squat the names of popular applications, such as Google Chrome and Microsoft Teams, and that resemble legitimate free download pages for the application.
Users looking to download the application will land on a typo-squatted domain and download a malicious installer. The trojan’s primary function is to establish a backdoor on the targeted Windows device, perform host enumeration, and then load additional payloads, all under the veil of obfuscating command-and-control (C2) communications. The "!rfn" suffix means that the detection was based on monitoring the device for suspicious activities and behavioral heuristics rather than traditional virus signature matching.
- Check the Task Scheduler and delete the ClearMngs task. You can do this by opening Task Scheduler, navigating to the task library, and removing the offending task.
- Restart your computer in Safe Mode with Networking to prevent the malware from loading.
- Navigate to the %temp% directory and delete any suspicious files, such as CleanUp30.dll or the fake installer.
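The following PowerShell triage script is an added example, not part of the Microsoft page: it audits a host for the two remnants the steps above name (the ClearMngs scheduled task and CleanUp30.dll in %temp%), records the task's command line and the file's SHA-256 hash for the analyst, and deletes nothing unless -Remove is passed. The parameter names (-Remove, -TaskNames, -FileNames) are this script's own choices; the task and file names come from the page.

```powershell
# Added triage script (not from the Microsoft page). Task name "ClearMngs" and
# file name "CleanUp30.dll" are the indicators listed above; the parameter names
# and output shape are assumptions of this example. Requires the ScheduledTasks
# module (Windows 8 / Server 2012 or later) and an elevated prompt for removal.
[CmdletBinding()]
param(
    [switch]$Remove,                         # delete findings instead of only reporting them
    [string[]]$TaskNames = @('ClearMngs'),   # scheduled tasks to look for
    [string[]]$FileNames = @('CleanUp30.dll') # dropped files to look for under %TEMP%
)

$findings = @()

# 1. Scheduled-task persistence: capture the action the task executes, which tells
#    the analyst what the task actually launches, not just that it exists.
foreach ($name in $TaskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $name; Detail = $actions }
        if ($Remove) { Unregister-ScheduledTask -TaskName $name -Confirm:$false }
    }
}

# 2. Dropped files in %TEMP%: hash and check the Authenticode status before any
#    deletion so the values can be compared against threat-intel records later.
foreach ($name in $FileNames) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
        $findings += [pscustomobject]@{ Type = 'File'; Name = $path; Detail = "sha256=$hash signature=$sig" }
        if ($Remove) { Remove-Item -Path $path -Force }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No OysterLoader remnants found.'
} else {
    $findings | Format-Table -AutoSize
}
```

%TEMP% is per-user, so run the script as the account that ran the fake installer (or pass the other user's Temp path via -FileNames with full paths) to cover the right directory.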
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.