
Delivered in SEO poisoning and malvertising campaigns, CleanUpLoader masquerades as legitimate software utilities such as PuTTY and WinSCP.
CleanUpLoader, also known as Oyster Loader or Broomstick, is a backdoor and malware loader designed to maintain persistence and deliver additional payloads. The loader is typically signed, with researchers having linked the use of the certificate and the malware to adversaries deploying Rhysida ransomware.
CleanUpLoader campaigns in 2025 favored masquerading using the brands of PuTTY, WinSCP, and MSTeams, using SEO poisoning and typosquatting to lure unsuspecting users to download the malware masquerading as the legitimate utility.
Execution of the loader starts with an executable that drops a malicious dynamic link library (DLL), typically to a randomly named folder in the user’s AppData\Roaming directory. Observed folders have 12-15 random alphanumeric characters, sometimes with a special character as the last character. Examples include:
dmqxuvy4d1sc¶
zm7vaanqh05jiyy
3sjikzdzrn0o{
The executable also establishes persistence for the DLL by creating a scheduled task that executes it with rundll32.exe, using DllRegisterServer as the entry point. CleanUpLoader uses the schtasks.exe utility to accomplish this:
C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 18 /TN "WindowsCodecs" /TR "C:\Windows\System32\rundll32.exe C:\users\<user>\AppData\Roaming\Zm7VAanQH05JiYy\WindowsCodecs.dll DllRegisterServer"
Observed scheduled task names include:
WindowsCodecs
BluetoothDesktopHandlers
Security Updater
WMSysPr9
FireFox Agent INC
The backdoor includes functionality that allows operators to execute arbitrary commands on the host. Malware operators have issued domain and network discovery commands to further enumerate the victim environment. These commands include the use of net, nltest, systeminfo, and ipconfig, among others.
Users of common administrative utilities should take care to download their tools from a legitimate and authorized source. One way to do this is to check the domain of the landing page. Victims of CleanUpLoader campaigns often visited websites that contained the name of the tool, but with suspicious domains; the fake PuTTY campaign, for example, used many lookalike domains that embed the word "putty" in otherwise unrelated domain names.
In addition, controls to block advertisements on enterprise systems can help prevent users from seeing ads serving this content. These controls may include browser extensions such as uBlock or DNS sinkhole technologies.
While creating scheduled tasks is a common way to maintain persistence, it remains a highly effective technique. It is also unconventional for a scheduled task to execute a DLL directly through rundll32. This presents a detection opportunity: scheduled tasks being created whose action invokes the rundll32 utility to execute a DLL. The following pseudo-logic detects this behavior:
process == (schtasks)
&&
command_includes ('/create' && 'rundll32')
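The pseudo-logic above, implemented as an added example (not code from the original report) over constructed process-creation command lines: a task is flagged when schtasks.exe creates it and the task action (/TR) invokes rundll32, and two enrichment flags mark the DLL-in-AppData\Roaming and DllRegisterServer traits the report describes. Only the first sample mirrors the report's quoted command; the user name and the other samples are made up here.

```python
import re

# Constructed sample process-creation command lines. The first mirrors the schtasks
# command quoted in the report (user name "alice" substituted); the rest are controls.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 18 /TN "WindowsCodecs" '
    r'/TR "C:\Windows\System32\rundll32.exe C:\users\alice\AppData\Roaming\Zm7VAanQH05JiYy\WindowsCodecs.dll DllRegisterServer"',
    r'schtasks.exe /Create /SC DAILY /TN "NightlyBackup" /TR "C:\Program Files\Backup\backup.exe"',
    r'schtasks.exe /Query /TN "WindowsCodecs"',
    r'schtasks.exe /Create /TN "Control" /TR "rundll32.exe shell32.dll,Control_RunDLL"',
]

RE_CREATE = re.compile(r"(?:^|\s)/create(?:\s|$)", re.IGNORECASE)
RE_TASK_RUN = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# A DLL living one random folder below a user's AppData\Roaming directory
RE_ROAMING_DLL = re.compile(r"appdata\\roaming\\[^\\\s]+\\[^\\\s]+\.dll", re.IGNORECASE)


def analyze_schtasks(cmdline):
    """Return a dict describing why a schtasks command line is suspicious, or None.

    Base rule: process is schtasks.exe, /Create is present, and the /TR action
    invokes rundll32. Enrichment flags capture the report's additional traits.
    """
    parts = cmdline.split()
    exe = parts[0].rsplit("\\", 1)[-1].lower() if parts else ""
    if exe != "schtasks.exe" or not RE_CREATE.search(cmdline):
        return None
    m = RE_TASK_RUN.search(cmdline)
    action = (m.group(1) or m.group(2)) if m else ""
    if "rundll32" not in action.lower():
        return None
    return {
        "task_action": action,
        "dll_in_roaming": bool(RE_ROAMING_DLL.search(action)),
        "dllregisterserver": "dllregisterserver" in action.lower(),
    }


def scan(events):
    """Run the detection over command lines; return {index: finding} for hits."""
    return {i: r for i, e in enumerate(events) if (r := analyze_schtasks(e)) is not None}


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {hit}")
```

The fourth sample shows why the enrichment flags matter: the base rule fires on any rundll32 task action, while the AppData\Roaming and DllRegisterServer flags separate the CleanUpLoader pattern from a generic Control Panel task.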
Start testing your defenses against CleanUpLoader using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
The following atomic is a great starting point for testing your ability to detect CleanUpLoader’s abuse of Scheduled Tasks, although you’ll need to modify the test by specifying a rundll32.exe command within the task:
T1053.005 atomic test number 2: Scheduled task local
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.