OYSTERFRESH
OYSTERFRESH is a JavaScript malware loader used in a phishing campaign attributed by CERT-UA to the Belarus-linked Ghostwriter threat actor, also tracked as UAC-0057 and UNC1151, targeting Ukrainian government organizations since spring 2026. Delivery observed in the reporting chain involved phishing emails sent from compromised accounts, themed around the legitimate Prometheus Ukrainian online learning platform, with PDF attachments containing links that downloaded a ZIP archive carrying the OYSTERFRESH JavaScript file.

OYSTERFRESH displays a decoy document to distract the victim, writes an obfuscated and encoded payload named OYSTERBLUES into the Windows Registry, and downloads and launches the OYSTERSHUCK component, which decodes OYSTERBLUES. Reported decoding methods used by OYSTERSHUCK include string reversal, ROT13 transformation, and URL decoding. The follow-on OYSTERBLUES payload profiles the infected host by collecting the computer name, username, operating system version, last boot time, and running processes, then sends that information to command-and-control infrastructure via HTTP POST. It can receive additional JavaScript from the C2 and execute it via eval(), and CERT-UA assessed that the infection chain ultimately delivers Cobalt Strike.

High-confidence host and network indicators mentioned in the reporting include file names certificate.js (OYSTERFRESH), amplifier.js (OYSTERSHUCK), Oyster.js (OYSTERBLUES), EdgeSystemConfig.dll (CSBEACON/Cobalt Strike Beacon), and EdgeTaskMachine.js; the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Blue'Oyster'; Run keys MicrosoftEdgeUpdate and WindowsEdgeStartup; the scheduled task MicrosoftEdgeUpdateTaskMachine; the URL hXXps://a3ufz.xsjdsb[.]icu/wp-json/prometheus-plus/certs-at-home/downloads; and domains mickeymousegamesdealer.alexavegas[.]icu, productionsamplesoftheyear.cgdirector[.]icu, and advancedaisolutionsforeveryone.a1si[.]icu.
CERT-UA also noted Ghostwriter infrastructure is commonly hidden behind Cloudflare and frequently uses .icu domains.
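The indicators above are specific enough to be matched directly against endpoint and proxy telemetry. The following Python triage helper is an added example written for this page; it is not code from CERT-UA, Mallory, or any of the cited reports. It keeps the published network indicators in their defanged form and refangs them only in memory, matches registry, scheduled-task, URL and file-name records against the page's IOCs, and grades each hit by how specific the indicator is. The record format (a list of (kind, value) pairs) and the sample records are constructed for the example, and the placement of the MicrosoftEdgeUpdate and WindowsEdgeStartup names as value names under a CurrentVersion\Run key is an assumption, since the reporting gives only the names.

```python
"""Triage helper for the OYSTERFRESH / Ghostwriter indicators on this page.

Added example: not CERT-UA or Mallory code. All telemetry here is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# --- Indicators copied from the CERT-UA reporting summarized above ---------
# Network indicators are kept defanged exactly as published; refang() turns
# them into matchable hosts/URLs in memory only.
DEFANGED_C2_URL = "hXXps://a3ufz.xsjdsb[.]icu/wp-json/prometheus-plus/certs-at-home/downloads"
DEFANGED_DOMAINS = [
    "mickeymousegamesdealer.alexavegas[.]icu",
    "productionsamplesoftheyear.cgdirector[.]icu",
    "advancedaisolutionsforeveryone.a1si[.]icu",
]
BLUE_OYSTER_TAIL = r"\software\microsoft\windows\blue'oyster'"   # lower-cased key tail
RUN_VALUE_NAMES = {"microsoftedgeupdate", "windowsedgestartup"}   # assumed Run value names
SCHEDULED_TASK = "microsoftedgeupdatetaskmachine"
FILE_NAMES = {"certificate.js", "amplifier.js", "oyster.js",
              "edgesystemconfig.dll", "edgetaskmachine.js"}


def refang(value: str) -> str:
    """Convert the published hXXp / [.] form back into a real host or URL."""
    return value.replace("[.]", ".").replace("hXXp", "http")


_C2 = urlsplit(refang(DEFANGED_C2_URL))
KNOWN_HOSTS = {_C2.hostname} | {refang(d) for d in DEFANGED_DOMAINS}
C2_PATH = _C2.path
# Value name directly under ...\CurrentVersion\Run, whatever the hive prefix.
_RUN_VALUE = re.compile(r"\\currentversion\\run\\([^\\]+)$")


def check_registry(target_object: str):
    """Grade a registry key/value path; returns (severity, reason) or None."""
    norm = target_object.strip().lower()
    if norm.endswith(BLUE_OYSTER_TAIL) or BLUE_OYSTER_TAIL + "\\" in norm:
        return ("high", "OYSTERBLUES staging key Blue'Oyster'")
    m = _RUN_VALUE.search(norm)
    if m and m.group(1) in RUN_VALUE_NAMES:
        return ("high", f"Ghostwriter Run value name {m.group(1)}")
    return None


def check_task(task_name: str):
    """Exact match only: legitimate Edge tasks share the same prefix."""
    if task_name.strip().lower() == SCHEDULED_TASK:
        return ("high", "scheduled task MicrosoftEdgeUpdateTaskMachine")
    return None


def check_url(url: str):
    """Known host or known download path is strong; a bare .icu TLD is weak."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_HOSTS:
        return ("high", f"known Ghostwriter host {host}")
    if parts.path == C2_PATH:
        return ("high", "OYSTERFRESH download path on an unlisted host")
    if host.endswith(".icu"):
        return ("low", ".icu TLD frequently used by Ghostwriter; review")
    return None


def check_file(path: str):
    """File names are generic (certificate.js), so they rate only medium."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in FILE_NAMES:
        return ("medium", f"file name {name} named in CERT-UA reporting")
    return None


CHECKS = {"registry": check_registry, "task": check_task,
          "url": check_url, "file": check_file}


def triage(records):
    """Run every (kind, value) record through its checker; return the hits."""
    hits = []
    for kind, value in records:
        result = CHECKS[kind](value)
        if result:
            severity, reason = result
            hits.append({"severity": severity, "reason": reason, "value": value})
    return hits


def summarize(hits):
    """Count hits per severity as a plain dict."""
    return dict(Counter(h["severity"] for h in hits))


# Constructed sample telemetry (not real events); the Core task and OneDrive
# Run value are benign look-alikes that must not fire.
SAMPLE_RECORDS = [
    ("registry", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Blue'Oyster'"),
    ("registry", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"),
    ("registry", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    ("task", "MicrosoftEdgeUpdateTaskMachine"),
    ("task", "MicrosoftEdgeUpdateTaskMachineCore"),
    ("url", "https://a3ufz.xsjdsb.icu/wp-json/prometheus-plus/certs-at-home/downloads"),
    ("url", "https://sample-host.icu/index.html"),
    ("url", "https://example.com/wp-json/prometheus-plus/certs-at-home/downloads"),
    ("file", r"C:\Users\victim\Downloads\certificate.js"),
    ("file", r"C:\Users\victim\Downloads\report.pdf"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"[{hit['severity']:6}] {hit['reason']}: {hit['value']}")
    print(summarize(triage(SAMPLE_RECORDS)))
```

The severity split matters in practice: the Blue'Oyster' key, the two Run value names, the task name and the listed hosts are unusual enough to page on, whereas a .icu lookup or a file called certificate.js is only a reason to look closer, so the helper reports them but at a lower grade.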
Groups observed using it
2 distinct threat actors attributed by public researchers.
The mentioned JS file is classified as OYSTERFRESH, which displays a decoy document, writes the OYSTERBLUES software tool into the operating system registry in an obfuscated and encoded form, and loads and launches the OYSTERSHUCK component.
The phishing email contained a PDF attachment with a malicious link that downloaded a ZIP archive carrying malware identified as OysterFresh.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (3 techniques)
This activity, which began in the spring of 2026, involves sending phishing emails to government entities using compromised accounts.
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads... phishing emails sent from already-compromised accounts — making the sender look legitimate — carrying PDF attachments.
Inside the PDF is a link that, when clicked, downloads a ZIP archive containing a JavaScript file.

Execution (3 techniques)
The mentioned JS file is classified as OYSTERFRESH... OYSTERBLUES... waits for instructions, which arrive as JavaScript code executed on the fly using the eval() function.
Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file.

Persistence (2 techniques)
This file, dubbed OYSTERFRESH, displays a decoy document while stealthily writing an obfuscated payload, OYSTERBLUES, to the Windows Registry.

Privilege Escalation (1 technique)

Stealth (1 technique)
The JavaScript file, dubbed OYSTERFRESH, is designed to display a decoy document as a distraction mechanism...

Defense Impairment (1 technique)

Command and Control (1 technique)
...as well as downloading and launching OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.
IOCs tracked for this family
67 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in three categories:
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
JavaScript-based first-stage malware that displays a decoy document, stores an obfuscated OYSTERBLUES payload in the Windows Registry, and downloads/launches OYSTERSHUCK to decode and execute the next stage.
A JavaScript-stage payload delivered via ZIP archive that shows a decoy document and writes the next-stage payload OYSTERBLUES into the Windows Registry.
A JavaScript-based first-stage loader that displays a decoy document, writes the OYSTERBLUES payload to the Windows Registry, and downloads and launches OYSTERSHUCK.
JavaScript loader that displays a decoy document, writes an obfuscated and encoded OYSTERBLUES payload into the Windows registry, and downloads/executes OYSTERSHUCK to decode and launch OYSTERBLUES.