OYSTERSHUCK

OYSTERSHUCK is a malware component used in a multi-stage intrusion chain attributed by CERT-UA to the Belarus-linked Ghostwriter threat group, also tracked as UAC-0057 and UNC1151, in phishing campaigns targeting Ukrainian government organizations since spring 2026. The infection chain uses phishing emails sent from compromised accounts with Prometheus-themed lures; attached PDFs contain links to ZIP archives holding a JavaScript file identified as OYSTERFRESH. OYSTERFRESH displays a decoy document, writes an obfuscated and encrypted payload named OYSTERBLUES to the Windows Registry, and downloads and launches OYSTERSHUCK. OYSTERSHUCK functions as a decoder for OYSTERBLUES, with reported decoding steps including string reversal, ROT13 transformation, and URL decoding. The broader malware chain collects host information from infected Windows systems, including computer name, username, operating system version, last boot time, and running processes, and sends it to attacker-controlled command-and-control infrastructure via HTTP POST; the infrastructure is reported to be commonly hidden behind Cloudflare and to frequently use .icu domains. Follow-on JavaScript may be executed via eval(), and CERT-UA assessed that later stages can deliver Cobalt Strike. Reported indicators associated with this campaign include the filename amplifier.js for OYSTERSHUCK, related components certificate.js (OYSTERFRESH), Oyster.js (OYSTERBLUES), EdgeSystemConfig.dll (CSBEACON), EdgeTaskMachine.js, the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Blue'Oyster', Run keys MicrosoftEdgeUpdate and WindowsEdgeStartup, the scheduled task MicrosoftEdgeUpdateTaskMachine, and network indicators including hXXps://a3ufz.xsjdsb[.]icu/wp-json/prometheus-plus/certs-at-home/downloads and domains such as mickeymousegamesdealer.alexavegas[.]icu, productionsamplesoftheyear.cgdirector[.]icu, and advancedaisolutionsforeveryone.a1si[.]icu.