OYSTERBLUES
OYSTERBLUES is a JavaScript-based malware component used in a multi-stage intrusion chain attributed by CERT-UA to the Belarus-linked Ghostwriter threat group, also tracked as UAC-0057 and UNC1151, in phishing campaigns targeting Ukrainian government organizations since spring 2026. The infection vector described in the reporting involves phishing emails sent from compromised accounts, themed around the legitimate Prometheus Ukrainian online learning platform. Victims receive a PDF attachment containing a link to a ZIP archive with a JavaScript file identified as OYSTERFRESH. OYSTERFRESH displays a decoy document, writes an obfuscated and encoded OYSTERBLUES payload into the Windows Registry, and downloads and launches OYSTERSHUCK, which decodes OYSTERBLUES using string reversal, ROT13 transformation, and URL decoding.
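As an added analyst helper (not code from CERT-UA, from the malware, or from the original page), the script below recovers a registry-stored payload that was encoded with the three transforms named above. The reporting does not state the order in which OYSTERSHUCK applies them, so every ordering is tried and scored; the sample blob and the encode order used to build it are constructed assumptions, labelled in the code.

```python
import codecs
from itertools import permutations
from urllib.parse import quote, unquote

# The three transforms CERT-UA reports for the OYSTERSHUCK decoding stage.
TRANSFORMS = {
    "reverse": lambda s: s[::-1],
    "rot13": lambda s: codecs.decode(s, "rot_13"),
    "urldecode": unquote,
}

def printable_ratio(text: str) -> float:
    """Share of printable ASCII; readable JavaScript scores close to 1.0."""
    if not text:
        return 0.0
    return sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in text) / len(text)

def candidate_decodings(blob: str) -> dict:
    """Try every ordering of the three transforms (the reporting does not say
    which order OYSTERSHUCK uses), keyed by the sequence that produced each result."""
    results = {}
    for order in permutations(TRANSFORMS):
        text = blob
        for name in order:
            text = TRANSFORMS[name](text)
        results[" > ".join(order)] = text
    return results

def best_decoding(blob: str, marker: str = "eval(") -> tuple:
    """Rank candidates: printable ratio, a bonus for the expected marker (the
    payload runs server-supplied code with eval), and a penalty for leftover '%',
    which means URL-decoding ran before ROT13 had restored the hex digits a-f."""
    best = None
    for order, text in candidate_decodings(blob).items():
        score = printable_ratio(text) + (1.0 if marker in text else 0.0) - 0.05 * text.count("%")
        if best is None or score > best[0]:
            best = (score, order, text)
    return best[1], best[2]

def build_sample(plain_js: str) -> str:
    """Constructed sample only, not a real OYSTERBLUES blob: encodes in the ASSUMED
    order urlencode > ROT13 > reverse, so decoding is reverse > ROT13 > urldecode."""
    return codecs.encode(quote(plain_js, safe=""), "rot_13")[::-1]

# Harmless constructed stand-in for the stored JavaScript.
SAMPLE_JS = 'var host = "constructed sample"; eval("host.length");'

if __name__ == "__main__":
    order, text = best_decoding(build_sample(SAMPLE_JS))
    print(order, "->", text)
```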
Once executed, OYSTERBLUES profiles the compromised Windows host by collecting the computer name, username or user account, operating system version, last OS boot time, and a list of running processes. It sends this reconnaissance data to a command-and-control server via HTTP POST, then waits for follow-on instructions returned as JavaScript code, which it executes using eval(). Reporting states that the broader malware chain can ultimately deliver Cobalt Strike. Associated infrastructure was reported as commonly hidden behind Cloudflare and frequently using .icu domains.
High-confidence host and network indicators directly mentioned in the content include the file name Oyster.js for OYSTERBLUES; related files certificate.js (OYSTERFRESH), amplifier.js (OYSTERSHUCK), EdgeSystemConfig.dll (CSBEACON/Cobalt Strike Beacon), and EdgeTaskMachine.js; the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Blue'Oyster'; Run keys MicrosoftEdgeUpdate and WindowsEdgeStartup; the scheduled task MicrosoftEdgeUpdateTaskMachine; and network indicators including hXXps://a3ufz.xsjdsb[.]icu/wp-json/prometheus-plus/certs-at-home/downloads, mickeymousegamesdealer.alexavegas[.]icu, productionsamplesoftheyear.cgdirector[.]icu, and advancedaisolutionsforeveryone.a1si[.]icu.
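An added detection sketch, not part of the original page or of any vendor rule set: it checks constructed Sysmon-style events (IDs 1, 13 and 22 as Sysmon defines them; the simplified dict schema is an assumption) against the host and network indicators listed above.

```python
import re

# Indicators quoted in the reporting above (defanged values written plainly for matching).
REGISTRY_KEY_TAIL = r"\software\microsoft\windows\blue'oyster'"
RUN_VALUE_NAMES = {"microsoftedgeupdate", "windowsedgestartup"}
TASK_NAME = "microsoftedgeupdatetaskmachine"
SCRIPT_NAMES = ("oyster.js", "certificate.js", "amplifier.js", "edgetaskmachine.js")
C2_DOMAINS = {"a3ufz.xsjdsb.icu", "mickeymousegamesdealer.alexavegas.icu",
              "productionsamplesoftheyear.cgdirector.icu", "advancedaisolutionsforeveryone.a1si.icu"}
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$")

def check_event(ev: dict) -> list:
    """Return the indicator labels one event matches. Field names follow Sysmon
    (EventID 1 process create, 13 registry value set, 22 DNS query); schema is assumed."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:
        target = ev.get("TargetObject", "").lower()
        if REGISTRY_KEY_TAIL in target:
            hits.append("registry: Blue'Oyster' key written")
        m = RUN_VALUE_RE.search(target)
        if m and m.group(1) in RUN_VALUE_NAMES:
            hits.append(f"persistence: Run value {m.group(1)}")
    elif eid == 1:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith(("wscript.exe", "cscript.exe")) and any(n in cmd for n in SCRIPT_NAMES):
            hits.append("execution: OYSTER* script launched by script host")
        if image.endswith("schtasks.exe") and TASK_NAME in cmd:
            hits.append(f"persistence: scheduled task {TASK_NAME}")
    elif eid == 22:
        query = ev.get("QueryName", "").lower().rstrip(".")
        if query in C2_DOMAINS:
            hits.append(f"c2: query for {query}")
    return hits

def scan(events: list) -> list:
    """Flatten hits over a batch of events as (EventID, label) pairs."""
    return [(ev.get("EventID"), label) for ev in events for label in check_event(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\Blue'Oyster'\payload"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsEdgeStartup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": r"wscript.exe C:\Users\u\AppData\Roaming\Oyster.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks /create /tn MicrosoftEdgeUpdateTaskMachine /sc minute"},
    {"EventID": 22, "QueryName": "mickeymousegamesdealer.alexavegas.icu"},
    {"EventID": 22, "QueryName": "update.microsoft.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": r"wscript.exe C:\Tools\inventory.js"},
]
```

Running `scan(SAMPLE_EVENTS)` flags five of the seven constructed events; the benign DNS query and the unrelated script launch produce no hits.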
Groups observed using it
2 distinct threat actors attributed by public researchers.
OYSTERBLUES is the actual workhorse. Once running, it profiles the compromised system, grabbing computer name, username, OS version, last boot time, and a list of running processes, and ships everything to a command-and-control server via HTTP POST. It then waits for instructions, which arrive as JavaScript code executed on the fly using the eval() function.
The malware chain ultimately deployed components known as OysterBlues and OysterShuck, which collect system information from infected devices and send it to attacker-controlled infrastructure hidden behind Cloudflare.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
This activity, which began in the spring of 2026, involves sending phishing emails to government entities using compromised accounts.
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads... phishing emails sent from already-compromised accounts — making the sender look legitimate — carrying PDF attachments.
Execution (2 techniques)
It then waits for instructions, which arrive as JavaScript code executed on the fly using the eval() function.
The mentioned JS file is classified as OYSTERFRESH... OYSTERBLUES... waits for instructions, which arrive as JavaScript code executed on the fly using the eval() function.
Persistence (2 techniques)
This file, dubbed OYSTERFRESH, displays a decoy document while stealthily writing an obfuscated payload, OYSTERBLUES, to the Windows Registry.
Privilege Escalation (1 technique)
Stealth (1 technique)
...while stealthily writing an obfuscated and encrypted payload called OYSTERBLUES to the Windows Registry...
Defense Impairment (1 technique)
Discovery (3 techniques)
CERT-UA said the malware gathers details including the computer name, operating system version, user account information, and running processes.
Once running, it profiles the compromised system, grabbing computer name, username, OS version, last boot time, and a list of running processes.
Command and Control (3 techniques)
send it to attacker-controlled infrastructure hidden behind Cloudflare
and ships everything to a command-and-control server via HTTP POST.
...as well as downloading and launching the OYSTERSHUCK component... It is known that at the next stage a Cobalt Strike framework component may be downloaded to the computer.
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Primary backdoor payload that performs host reconnaissance, exfiltrates system information to C2 over HTTP POST, and executes attacker-supplied JavaScript commands received from the server.
An intermediate payload that is stored in the Windows Registry, gathers host and process information, communicates with a command-and-control server, and downloads/launches OYSTERSHUCK.
An obfuscated and encrypted payload stored in the Windows Registry that collects host and process information, sends it to a C2 server, and executes next-stage JavaScript received from the server.
Backdoor that collects host information, including computer name, username, OS version, last boot time, and running processes, sends it to C2 via HTTP POST, and executes returned JavaScript code using eval.