Microsoft Security Intelligence
Published Jun 07, 2025 | Updated Sep 28, 2025

Trojan:Win64/OyesterLoader!rfn

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:Win64/OyesterLoader!rfn poses a significant initial-stage threat within today's cyber kill chain. As a loader, it mainly functions to provide the initial compromise and form a persistent foothold in an enterprise environment. Once a successful intrusion has taken place, the primary role of OyesterLoader is to surreptitiously establish a connection to threat actor-controlled infrastructure and deploy follow-on secondary payloads designed for higher impact.

In most instances, these secondary payloads consist of advanced threats such as ransomware, data exfiltration tools, or Command and Control (C2) backdoors. Their direct consequences are operational disruption and data breaches, and they can carry significant financial impact. The "!rfn" suffix means that the detection was based on monitoring the device for suspicious activity and behavioral heuristics rather than on traditional virus signature matching.

  • Disconnect the computer from the network (both wired and Wi-Fi) to prevent the malware from communicating with its C2 server and to stop the infection from spreading further.
  • For a confirmed infection, especially in a business environment, the most secure course of action is to involve cybersecurity professionals. They can perform forensic analysis to ensure complete removal and identify the root cause of the infection.

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 
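The following is an added example, not code from the Microsoft page: a PowerShell triage routine that carries out the steps above on the affected host with the Microsoft Defender Antivirus cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-MpThreat, Get-MpThreatDetection, Start-MpScan). It assumes an elevated session on the Windows host itself; the function name, the -IsolateHost switch and the export path are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft page): confirm a Trojan:Win64/OyesterLoader!rfn
# detection, refresh definitions, preserve the detection records for responders, and
# run the full scan the page recommends for remnant artifacts. Assumes an elevated
# PowerShell session on the affected Windows host; the function name is hypothetical.
function Invoke-OyesterLoaderTriage {
    param(
        # Substring matched against Defender's ThreatName (the page's detection name).
        [string]$ThreatPattern = 'OyesterLoader',
        # Where to keep the detection records before any cleanup or rebuild (hypothetical path).
        [string]$EvidencePath = "$env:ProgramData\IR\oyesterloader-detections.xml",
        # Disable every active network adapter (the page's first step). Only use this at the
        # local console: over a remote session it cuts your own connection.
        [switch]$IsolateHost
    )

    if ($IsolateHost) {
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
        Write-Host 'Network adapters disabled; host is isolated from its C2 path.'
    }

    # 1. Record signature currency, then update definitions as the page advises.
    $status = Get-MpComputerStatus
    Write-Host ("Signature version {0}, last updated {1}" -f
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)
    Update-MpSignature

    # 2. What has Defender already catalogued under this name, and how severe is it?
    $threats = Get-MpThreat | Where-Object { $_.ThreatName -like "*$ThreatPattern*" }
    if (-not $threats) {
        Write-Host "No threat named like '$ThreatPattern' in Defender's history."
        return $null
    }
    $threats | Select-Object ThreatName, ThreatID, SeverityID, DidThreatExecute |
        Format-Table -AutoSize | Out-String | Write-Host

    # 3. The detection events: when, which files/processes, and whether the action succeeded.
    #    These are the facts the responders in the page's second bullet will ask for.
    $detections = Get-MpThreatDetection |
        Where-Object { $threats.ThreatID -contains $_.ThreatID } |
        Sort-Object InitialDetectionTime
    $detections | Select-Object InitialDetectionTime, ProcessName, DomainUser, ActionSuccess,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
        Format-List | Out-String | Write-Host

    # 4. Preserve the records before anything else changes the host.
    New-Item -ItemType Directory -Force -Path (Split-Path $EvidencePath) | Out-Null
    $detections | Export-Clixml -Path $EvidencePath
    Write-Host "Detection records exported to $EvidencePath"

    # 5. Full scan for remnant files and system changes (synchronous; it takes a while).
    Start-MpScan -ScanType FullScan

    return $detections
}

# Usage (local console): isolate, triage and scan in one go.
Invoke-OyesterLoaderTriage -IsolateHost
```

Get-MpThreat and Get-MpThreatDetection only report what Defender itself recorded, so an empty result rules nothing out on a host where the heuristic ("!rfn") detection fired on behaviour that has since stopped; the exported records are the starting point for the forensic analysis the page recommends, not a substitute for it.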

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
