UAC-0057 Attack Detection: OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES Fuel Phishing Campaigns Against Ukrainian State Organizations
ID: 62c14ba0-8e88-58a5-8402-a7af09abb348
STIX ID: report--62c14ba0-8e88-58a5-8402-a7af09abb348
Feed Name: SOC Prime Blog
CERT-UA-linked reporting describes a spring 2026 phishing campaign by UAC-0057 (Ghostwriter/UNC1151) that uses Prometheus-themed lures, sent from compromised legitimate accounts, to distribute a staged JavaScript toolset (OYSTERFRESH, OYSTERSHUCK, OYSTERBLUES). The chain starts with a PDF that links to a ZIP archive containing a JavaScript downloader; the downloader stores an obfuscated payload in the Windows Registry, decodes it, fingerprints the host, and talks to command-and-control infrastructure fronted by Cloudflare, with Cobalt Strike delivered as a follow-on stage. The report maps the observed TTPs to MITRE ATT&CK to support detection and response.
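A detection-side illustration of the registry-staging step in the chain above. This is an added example and not code from the CERT-UA or SOC Prime reporting: it scans Sysmon-style "registry value set" records for script hosts writing large, high-entropy values, which is what a downloader parking an obfuscated payload in the Registry looks like from the endpoint side. The sample records are constructed, not real telemetry, and the script-host list, length threshold and entropy threshold are assumptions to tune locally; the report names no registry keys, value names or payload sizes, so none are used here.

```python
"""Flag script hosts writing large, high-entropy values to the Windows Registry.

The records below imitate the fields of Sysmon Event ID 13 (RegistryEvent,
value set). They are constructed for this example and are not real telemetry.
"""
import base64
import math
from collections import Counter

# Assumed tuning values; benign script activity rarely writes blobs this large.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
MIN_LEN = 512          # characters of value data
MIN_ENTROPY = 4.5      # bits per character; base64/hex blobs sit around 5-6


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious(event: dict) -> bool:
    """True when a script host sets a value that is long and looks encoded."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    data = event["Details"]
    if image not in SCRIPT_HOSTS:
        return False
    if len(data) < MIN_LEN:
        return False
    return shannon_entropy(data) >= MIN_ENTROPY


def scan(events: list) -> list:
    """Return the subset of events that match the staging pattern."""
    return [e for e in events if is_suspicious(e)]


# Constructed encoded blob standing in for an obfuscated payload (1024 chars).
_BLOB = base64.b64encode(bytes(range(256)) * 3).decode()

# Constructed sample records; hypothetical paths and value names.
SAMPLE_EVENTS = [
    {   # script host writing a large encoded blob: the pattern we want
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Example\Blob",
        "Details": _BLOB,
    },
    {   # same blob written by a non-script process: not matched by this rule
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Example\Blob",
        "Details": _BLOB,
    },
    {   # script host writing a small value: below the length threshold
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Example\Flag",
        "Details": "1",
    },
    {   # long but low-entropy padding: the entropy check filters it out
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Example\Pad",
        "Details": "A" * 700,
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"suspicious: {hit['Image']} -> {hit['TargetObject']} "
              f"({len(hit['Details'])} chars, "
              f"entropy {shannon_entropy(hit['Details']):.2f})")
```

The rule is deliberately narrow: it keys on the writing process and on the shape of the data rather than on any key name, so it survives the attacker renaming the value but will miss a payload staged by a non-script process or split across many small values; pair it with a second check for script hosts later reading the same key.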
