[Op Report] Oyster → Vidar → Supper socks shell Campaign Leads to Hands-on-Keyboard Activity
Executive Summary
A recent Deception.Pro operation involving a replica victim in the travel and tourism sector revealed a multi-stage infection beginning with an Oyster malware dropper masquerading as a Microsoft Teams installer. The infection progressed into Vidar InfoStealer execution, Supper socks shell deployment, and subsequent hands-on-keyboard (HoK) reconnaissance activity. Multiple high-fidelity detections were triggered throughout the event, offering full visibility into attacker behavior.
Attack Flow & Timeline
1. Initial Access & Execution
At 2025-11-26 15:46:37, the replica user executed a malicious binary disguised as MSTeamsSetup.exe. The sample was identified as Oyster malware.
2. Persistence Establishment
At 2025-11-26 15:46:52 the malware created a Scheduled Task named 'AlphaSecurity' running every 18 minutes under SYSTEM privileges, ensuring recurring execution of the malicious AlphaSecurity.dll payload.
3. Payload Execution & C2 Communication
At 2025-11-26 15:46:41 the installer launched rundll32.exe to load AlphaSecurity.dll, which initiated TLS communication with multiple C2 domains, including nucleusgate[.]com, coretether[.]com, and registrywave[.]com.
4. Vidar InfoStealer Activity
At 2025-11-26 15:49:55 Vidar (white.exe) spawned as a child process. Its configuration was retrieved from a Telegram dead drop (hXXps://telegram[.]me/bul33bt); the affiliate identifier hardcoded in this sample is 30aa25e6f81696a663ef814f75e1e76d.
5. Active Reconnaissance (Hands-On-Keyboard)
Between 2025-11-26 15:52:51 and 2025-12-01 03:20:05, a Supper socks shell (ore.dll) executed and spawned a command shell, followed by PowerShell-driven reconnaissance. Commands observed included domain enumeration, trusted-domain lookups, user/admin enumeration, system information gathering, and LDAP-based DirectorySearcher queries.
Indicators of Compromise
Filename: MSTeamsSetup.exe
Context: Initial Vector
Path: C:\Users\REDACTED\Downloads\
SHA256: c48d1803b84e1da6cb53f0bd279376247fbb0ae1d32115c44ad29bdbccbb1b71
Filename: AlphaSecurity.dll
Context: Persistence Payload
Path: C:\Users\REDACTED\AppData\Roaming\Km6Gja2l4cM5awv\
SHA256: f34cfdc950124d26b4f2f99b192a4ab7a4163af3143c3b18bc2271ca08d6c899
Filename: white.exe
Context: Vidar InfoStealer
Path: C:\Users\REDACTED\AppData\Local\Temp\
SHA256: 55a02d14de13134e77eb9cc787ac622791b38b74931d1588bb5750b06951c8c0
Filename: ore.dll
Context: Supper socks shell
Path: C:\Users\REDACTED\AppData\Local\Temp\
SHA256: f62ec8d78fcfb236e4bf1f0f92d44ae53a187af46e0554646f2726ea6bb17a28
C2 Infrastructure
nucleusgate[.]com (45.86.230[.]184)
coretether[.]com (185.28.119[.]217)
registrywave[.]com (62.204.35[.]79)
ttr[.]tokiejegedeinitiative[.]org (91.99.209[.]253)
jui[.]theoptimizedbody[.]com (49.12.117[.]167)
myfirstfist[.]com (46.183.25[.]6)
Detections Triggered
Suspicious Scheduled Task creation
PowerShell ExecutionPolicy bypass
nltest.exe trusted-domain reconnaissance
User/account enumeration via net.exe
AdFind-like behavior through DirectorySearcher queries
Commands
net user USER_REDACTED /domain (User account enumeration)
net localgroup administrators (Local Admin account enumeration)
nltest /trusted_domains (Domain trust discovery)
nltest /dclist:$domain (Domain Controller discovery)
net group "domain computers" /domain (Network scanning)
hostname
systeminfo
Get-WmiObject Win32_ComputerSystem (System info)
DirectoryServices.DirectorySearcher (LDAP querying via PowerShell)
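The detections listed above can be reproduced as a small rule pass over process-creation telemetry. The following is an added example written for this report, not code from Deception.Pro or from the original operation. It assumes Sysmon Event ID 1-style records (Image, CommandLine, ParentImage), constructs its own sample events with placeholder host, user and export names, and assumes the scheduled task was created through schtasks.exe (the report does not state the creation method; a Security Event 4698 rule would cover the API path). The 30-minute interval threshold is also an assumption chosen for the example.

```python
"""Toy detection pass over constructed process-creation events.

Rules mirror the "Detections Triggered" section of the report. All events
below are constructed for this example; they are not telemetry from the
operation, and the export name and interval threshold are placeholders.
"""
import re
from collections import Counter

# Constructed Sysmon Event ID 1-style records. Paths follow the IoC section;
# the rundll32 export name is a placeholder (the report does not give one).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\REDACTED\AppData\Roaming\Km6Gja2l4cM5awv\AlphaSecurity.dll,EXPORT_PLACEHOLDER",
     "ParentImage": r"C:\Users\REDACTED\Downloads\MSTeamsSetup.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",   # assumed creation path
     "CommandLine": r'schtasks /create /tn AlphaSecurity /sc minute /mo 18 /ru SYSTEM /tr "rundll32.exe C:\Users\REDACTED\AppData\Roaming\Km6Gja2l4cM5awv\AlphaSecurity.dll,EXPORT_PLACEHOLDER"',
     "ParentImage": r"C:\Users\REDACTED\Downloads\MSTeamsSetup.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -Command Get-WmiObject Win32_ComputerSystem",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": r"nltest /trusted_domains",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'net group "domain computers" /domain',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command $s = New-Object DirectoryServices.DirectorySearcher; $s.FindAll()",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign control: a plain hostname call from a shell should fire nothing.
    {"Image": r"C:\Windows\System32\HOSTNAME.EXE",
     "CommandLine": r"hostname",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# (rule name, regex on Image, regex on CommandLine); all matched case-insensitively.
RULES = [
    ("rundll32_dll_from_appdata", r"\\rundll32\.exe$",
     r"\\AppData\\(Roaming|Local)\\.*\.dll"),
    ("schtasks_system_short_interval", r"\\schtasks\.exe$",
     r"/create\b.*?/ru\s+system\b"),            # interval checked separately
    ("powershell_executionpolicy_bypass", r"\\powershell\.exe$",
     r"-(executionpolicy|ep|ex|exec)\s+bypass"),
    ("nltest_domain_trust_recon", r"\\nltest\.exe$",
     r"/trusted_domains|/dclist"),
    ("net_account_enumeration", r"\\net1?\.exe$",
     r'\buser\b.*\s/domain|\blocalgroup\s+administrators|\bgroup\s+"domain computers"\s+/domain'),
    ("powershell_directorysearcher", r"\\powershell\.exe$",
     r"DirectoryServices\.DirectorySearcher"),
]

# Stage each rule belongs to, used to escalate when loader and recon co-occur.
STAGE = {
    "rundll32_dll_from_appdata": "execution",
    "schtasks_system_short_interval": "persistence",
    "powershell_executionpolicy_bypass": "reconnaissance",
    "nltest_domain_trust_recon": "reconnaissance",
    "net_account_enumeration": "reconnaissance",
    "powershell_directorysearcher": "reconnaissance",
}


def short_interval(cmd, max_minutes=30):
    """True when a schtasks command line schedules a minute-based task at or
    below max_minutes (threshold is an example assumption, not from the report)."""
    m = re.search(r"/sc\s+minute\b.*?/mo\s+(\d+)", cmd, re.IGNORECASE)
    return bool(m) and int(m.group(1)) <= max_minutes


def evaluate(events):
    """Return (rule_name, command_line) for every rule that fires on each event."""
    hits = []
    for ev in events:
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        for name, image_re, cmd_re in RULES:
            if not re.search(image_re, image, re.IGNORECASE):
                continue
            if not re.search(cmd_re, cmd, re.IGNORECASE):
                continue
            if name == "schtasks_system_short_interval" and not short_interval(cmd):
                continue
            hits.append((name, cmd))
    return hits


def fired_rules(events):
    """Count how often each rule fired across the event set."""
    return Counter(name for name, _ in evaluate(events))


def chain_severity(events):
    """Escalate to 'critical' when a loader-stage rule (execution or
    persistence) and a reconnaissance rule both fire, which is the
    Oyster -> hands-on-keyboard pattern the report describes."""
    stages = {STAGE[name] for name, _ in evaluate(events)}
    if {"execution", "persistence"} & stages and "reconnaissance" in stages:
        return "critical"
    return "high" if stages else "none"


if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
    print("severity:", chain_severity(SAMPLE_EVENTS))
```

The per-rule matches are useful on their own, but the chain_severity step is the part worth copying: each of these commands is routinely run by administrators, and it is the co-occurrence of a DLL loaded from a user-writable directory (or a SYSTEM task on a short interval) with follow-on directory enumeration that separates this campaign from normal operations.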
Conclusion
This multi-stage attack chain demonstrates how quickly Oyster-derived loaders escalate into credential harvesting, socks shells, and adversary reconnaissance when left to operate in lifelike environments. Deception.Pro continues to surface authentic adversary behavior that traditional sandboxes fail to capture.