This week’s cybersecurity and dark web news stories discuss a new ransomware strain named “Reynolds” and the Rhysida ransomware group’s use of OysterLoader.
New ransomware strain named “Reynolds” identified
Ransomware campaign leverages the ‘Bring-Your-Own-Vulnerable-Driver’ technique bundled directly into the main payload, a rare tactic.
A recent attack involving the emergent Reynolds ransomware family has drawn attention for a notable change in tactics: the defense evasion component was embedded within the ransomware payload itself, rather than being a separate tool deployed beforehand.
Key Findings:
- Embedded BYOVD: The ransomware contained a Bring-Your-Own-Vulnerable-Driver (BYOVD) component, which is typically a distinct executable. In this case, the vulnerable NsecSoft NSecKrnl driver was bundled with the ransomware.
- Speed and Stealth: This bundling makes the attack quieter, as no separate file is dropped, and faster, eliminating the time gap between disabling security defenses and launching the encryption process.
- Targeting Defenses: The embedded component exploits a known vulnerability (CVE-2025-68947) in the NSecKrnl driver to terminate security processes, including those from Sophos, Symantec, Microsoft, and others, before encrypting files and appending the “.locked” extension.
- Unusual Post-Attack Activity: The presence of the GotoHTTP remote access tool on the target network after the ransomware deployment suggests a potential attempt by the attackers to maintain persistent access.
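The behaviour described in these findings (a vulnerable driver load followed shortly by the termination of security-product processes) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the report or from any vendor: it runs a simple correlation over constructed records shaped like Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate) events flattened to dicts. The on-disk file name `nseckrnl.sys`, the SHA-256 placeholder, the sample timestamps and paths, and the list of security-process image names are all assumptions for illustration, not indicators taken from the report.

```python
"""Correlate vulnerable-driver loads with security-process terminations.

Added example (not vendor or report code). Event dicts mimic Sysmon
Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate) fields.
"""
import json
import ntpath
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed file name of the NSecKrnl driver named in the report; populate
# both sets from a vetted vulnerable-driver blocklist in practice.
VULN_DRIVER_NAMES = {"nseckrnl.sys"}
VULN_DRIVER_SHA256 = {"placeholder-sha256-from-your-blocklist"}  # placeholder, not a real IoC

# Assumed image names of security-product processes an attacker would target
# (Microsoft Defender, Symantec Endpoint Protection, Sophos); extend from your inventory.
SECURITY_PROCESSES = {"msmpeng.exe", "ccsvchst.exe", "savservice.exe"}


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon's 'Hashes' field looks like 'SHA256=<hex>,MD5=<hex>'."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def is_vulnerable_driver(event: dict) -> bool:
    """Match a DriverLoad event against the name and hash blocklists."""
    name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    return name in VULN_DRIVER_NAMES or sha256 in VULN_DRIVER_SHA256


def _ts(event: dict) -> datetime:
    # Sysmon UtcTime format, e.g. '2026-01-15 10:00:00.000'
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect(events: List[dict], window_seconds: int = 60) -> List[dict]:
    """Alert on every blocklisted driver load; escalate to 'critical' when
    security-product processes are terminated within the window after it."""
    loads = [e for e in events if e.get("EventID") == 6 and is_vulnerable_driver(e)]
    kills = [e for e in events if e.get("EventID") == 5]
    alerts = []
    for load in loads:
        start = _ts(load)
        end = start + timedelta(seconds=window_seconds)
        terminated = [
            ntpath.basename(k["Image"])
            for k in kills
            if start <= _ts(k) <= end
            and ntpath.basename(k["Image"]).lower() in SECURITY_PROCESSES
        ]
        alerts.append({
            "time": load["UtcTime"],
            "driver": load["ImageLoaded"],
            # BYOVD drivers are usually validly signed, so signature state is context, not a trigger.
            "signed": load.get("Signed"),
            "terminated": terminated,
            "severity": "critical" if terminated else "high",
        })
    return alerts


# Constructed sample telemetry: one benign driver load, one blocklisted load
# followed by two security-process kills and one unrelated process exit.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-01-15 09:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=00ff", "Signed": "true"},
    {"EventID": 6, "UtcTime": "2026-01-15 10:00:00.000",
     "ImageLoaded": "C:\\Users\\Public\\nseckrnl.sys",
     "Hashes": "SHA256=11aa", "Signed": "true"},
    {"EventID": 5, "UtcTime": "2026-01-15 10:00:04.000", "ProcessId": 4120,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-01-15 10:00:05.000", "ProcessId": 3388,
     "Image": "C:\\Program Files\\Symantec\\ccSvcHst.exe"},
    {"EventID": 5, "UtcTime": "2026-01-15 10:00:06.000", "ProcessId": 5000,
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The short window is the point: when the driver is embedded in the payload there is no gap between defense impairment and encryption, so the kill events land seconds after the load and the correlation needs only a small lookback.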
While BYOVD remains the most popular technique for defense impairment among ransomware actors, embedding it directly into the payload is unusual. This tactic was previously seen in the 2020 Ryuk ransomware and a 2025 Obscura ransomware attack.
The move may serve as a unique selling point for ransomware developers, making the attacks easier and more attractive to affiliates by simplifying the attack chain.
OysterLoader Malware Evolves with Dynamic C2 and Advanced Stealth
New versions of the sophisticated C++ loader, also known as Broomstick and CleanUp, are actively distributing Rhysida ransomware and Vidar infostealer using highly-customized obfuscation and an overhaul of its command-and-control (C2) protocol.
The multi-stage loader, which is linked to the Rhysida ransomware group, continues to pose a significant threat. A detailed analysis highlights the malware’s commitment to persistent evasion and operational secrecy:
Advanced Stealth and Evasion:
- Anti-Analysis: Stage 1 uses excessive, irrelevant legitimate Windows function calls (“API hammering”) and simple anti-debugging traps to slow down static and dynamic analysis.
- Payload Delivery: Stage 2 utilizes a custom decompression routine with a non-standard header and modified bitstream. This prevents automated security tools from easily extracting the core payload.
Highly Customized C2 Communication:
- Two-Tiered Infrastructure: The initial layer handles steganographic payload delivery (hidden in an image file), while the second layer acts as the final C2 server for victim interaction and command issuance.
- Custom Encoding: Stage 4’s C2 traffic is encoded with a custom Base64 algorithm that uses a non-default alphabet and a unique, random shift value for each message, significantly complicating network traffic analysis and automated decoding.
Latest Protocol Update (January 2026):
- Dynamic Alphabet: The custom Base64 alphabet now shifts dynamically. The C2 server provides an updated replacement alphabet in its response, which the bot uses for all subsequent communication.
- New Endpoints: The C2 process now uses a three-step initiation, splitting the initial phase across two new communication resources before moving to a dynamically defined beaconing resource.
- Enhanced Fingerprint: The system information exfiltrated to the C2 has been expanded to include arrays of running process names and their associated identifiers.
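To make the custom-encoding and dynamic-alphabet points concrete, here is an added example, not code from the analysis or from the malware: a small model of a Base64 variant with a non-default alphabet and a per-message shift, together with the analyst-side helpers needed to decode it. The alphabet, the way the shift is applied (rotating each 6-bit index mod 64), the assumption that the shift is known or recovered out of band, the JSON message shapes and the `alphabet` key in the server reply are all constructed for illustration and are not OysterLoader's actual wire format. The example also goes one step beyond the text by showing known-plaintext recovery of the shift, which works because there are only 64 candidates.

```python
"""Model of custom-alphabet, per-message-shift Base64 and analyst helpers.

Added example (not report or malware code). Alphabet, shift placement,
message shapes and the 'alphabet' update key are assumptions.
"""
import base64
import json
import string
from dataclasses import dataclass
from typing import Optional, Tuple

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed non-default alphabet: reversed letters, reversed digits, '-' and '_'.
SAMPLE_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"


@dataclass
class CodecState:
    """Alphabet currently agreed between bot and C2; replaced on server instruction."""
    alphabet: str


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters without '='")


def custom_b64encode(data: bytes, alphabet: str, shift: int) -> str:
    """Standard Base64 bit packing, then each 6-bit index is rotated by
    `shift` (mod 64) and looked up in the custom alphabet. Padding stays '='."""
    _check_alphabet(alphabet)
    out = []
    for ch in base64.b64encode(data).decode("ascii"):
        out.append("=" if ch == "=" else alphabet[(STD_ALPHABET.index(ch) + shift) % 64])
    return "".join(out)


def custom_b64decode(text: str, alphabet: str, shift: int) -> bytes:
    """Inverse of custom_b64encode; raises ValueError on foreign characters."""
    _check_alphabet(alphabet)
    std = []
    for ch in text:
        std.append("=" if ch == "=" else STD_ALPHABET[(alphabet.index(ch) - shift) % 64])
    return base64.b64decode("".join(std), validate=True)


def recover_shift(text: str, alphabet: str, known_prefix: bytes) -> Optional[int]:
    """Known-plaintext recovery: with only 64 possible shifts, an analyst who
    knows how a message starts (e.g. a JSON object) can simply try them all."""
    for shift in range(64):
        try:
            if custom_b64decode(text, alphabet, shift).startswith(known_prefix):
                return shift
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return None


def process_c2_response(encoded: str, state: CodecState, shift: int) -> Tuple[dict, CodecState]:
    """Decode a server reply with the current alphabet; if it carries a
    replacement alphabet (assumed key 'alphabet'), return the new state."""
    reply = json.loads(custom_b64decode(encoded, state.alphabet, shift))
    new_alphabet = reply.get("alphabet")
    if new_alphabet:
        _check_alphabet(new_alphabet)
        return reply, CodecState(new_alphabet)
    return reply, state


def demo() -> dict:
    """Walk through one constructed exchange and return what an analyst would check."""
    state = CodecState(SAMPLE_ALPHABET)
    beacon = json.dumps({"id": "bot-0001", "procs": ["explorer.exe"]}).encode()
    wire_a = custom_b64encode(beacon, state.alphabet, 17)   # same plaintext,
    wire_b = custom_b64encode(beacon, state.alphabet, 41)   # different shift
    # Server reply that rotates the alphabet (constructed: reversed sample alphabet).
    new_alpha = SAMPLE_ALPHABET[::-1]
    reply = json.dumps({"cmd": "sleep", "alphabet": new_alpha}).encode()
    parsed, state2 = process_c2_response(custom_b64encode(reply, state.alphabet, 5), state, 5)
    wire_c = custom_b64encode(beacon, state2.alphabet, 9)   # next beacon, new alphabet
    return {
        "same_plaintext_differs": wire_a != wire_b,
        "recovered_shift_a": recover_shift(wire_a, state.alphabet, b'{"'),
        "reply_cmd": parsed["cmd"],
        "alphabet_rotated": state2.alphabet == new_alpha,
        "old_alphabet_fails": recover_shift(wire_c, SAMPLE_ALPHABET, b'{"') is None,
        "new_alphabet_shift": recover_shift(wire_c, state2.alphabet, b'{"'),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two failure modes a static rule hits are visible in `demo()`: identical beacons encode to different strings under different shifts, and once the server swaps the alphabet the old table no longer yields anything, so a decoder has to track alphabet state across the session rather than match fixed bytes.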
The continuous evolution of OysterLoader demonstrates a clear trend among sophisticated threat actors: moving beyond standard, easily detected techniques in favor of complex, custom-built evasion methods. The shift to dynamic C2 alphabets and multi-step, resource-splitting communication initiation is specifically designed to defeat static network security rules and automated decoding tools. Defenders must prioritize deep packet inspection and behavioral analysis capabilities that can identify anomalies in traffic encoding and communication flow, rather than relying on signature-based detection for these advanced threats.