Phishing remains one of the most effective tools in the cybercriminal arsenal, especially when threat actors abuse trusted identities, compromised legitimate accounts, and familiar online services to increase victim interaction. Europol notes that phishing techniques remain a main distribution vector for data-stealing malware, while CERT-UA’s latest advisory shows that the same social engineering logic continues to drive targeted campaigns against Ukrainian public-sector organizations.
In its May 21, 2026 advisory, CERT-UA warned that UAC-0057 had updated its malware toolkit and was using OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES in a phishing campaign targeting Ukrainian state organizations. The lure theme centered on obtaining certificates through the Prometheus educational platform, while the broader tradecraft overlaps with the long-running Ghostwriter / FrostyNeighbor / UNC1151 activity cluster that security researchers continue to associate with Belarus-aligned espionage operations against Ukrainian government entities.
Recent reporting shows that Ghostwriter’s 2026 activity against Ukraine is not isolated to a single infection chain. ESET documented fresh March 2026 campaigns targeting Ukrainian government organizations with geofenced PDF lures that ultimately delivered Cobalt Strike, underscoring how the actor continues to refresh both its delivery mechanisms and its malware stack. CERT-UA’s latest UAC-0057 advisory fits that same pattern of ongoing adaptation, this time with a newly documented OYSTER-branded toolset distributed through phishing emails sent from compromised real-world accounts.
Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0057 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.
Security teams can search the Threat Detection Marketplace library using the “UAC-0057” tag to identify relevant detections and track related content updates. Cyber defenders can also rely on Uncoder AI to turn fresh threat reports into performance-optimized queries, document and improve detection logic, and generate Attack Flows based on the latest CERT-UA reporting.
Analyzing UAC-0057 Attacks Using OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES
According to reporting that summarizes CERT-UA’s advisory, the campaign has been active since spring 2026 and relies on large-scale phishing emails sent to Ukrainian state organizations from compromised accounts belonging to real employees. The lure theme is framed around obtaining certificates via the Prometheus educational platform, which helps the emails appear plausible to recipients and increases the odds of interaction.
The infection chain begins with a PDF document that contains an active link leading to a ZIP archive. That archive contains a JavaScript file classified as OYSTERFRESH. When launched, the script displays benign decoy text to the victim while quietly starting the malicious workflow in the background. From there, OYSTERFRESH performs two main tasks: it stores an encoded and obfuscated OYSTERBLUES payload in the Windows Registry and downloads OYSTERSHUCK, which acts as the decoder component for the next stage.
For deobfuscation, OYSTERSHUCK reportedly applies a sequence of string reversal, ROT13, and URL decoding before restoring the OYSTERBLUES payload. Once decoded, OYSTERBLUES fingerprints the compromised machine by collecting the device name, current username, operating system version, last boot time, and the list of running processes. The harvested data is sent to a command-and-control server via HTTP POST, and the server responds with arbitrary JavaScript that is executed through eval, effectively giving the operators remote control over the host.
CERT-UA-linked reporting further indicates that the next stage commonly involves the delivery of Cobalt Strike components. This aligns with the broader UAC-0057 / Ghostwriter tradecraft documented by ESET, which shows the group continuing to use phishing-delivered JavaScript downloaders and staged payload validation before deploying higher-value implants. In other words, the newly documented OYSTER toolset appears to extend an already familiar post-compromise pattern rather than replace it.
Infrastructure choices also support the attribution. Reporting on the advisory says the actor’s command-and-control layer remains masked behind Cloudflare, while many of the associated domains are registered in the .icu zone. Together with the campaign’s tooling style and targeting, these characteristics are consistent with activity tracked by CERT-UA as UAC-0057, also known publicly as Ghostwriter, UNC1151, and FrostyNeighbor.
MITRE ATT&CK Context
Leveraging MITRE ATT&CK helps contextualize the latest UAC-0057 phishing activity targeting Ukrainian state organizations. Based on the TTPs described in CERT-UA-linked reporting, the most relevant ATT&CK techniques likely include Spearphishing Link (T1566.002), User Execution (T1204), Command and Scripting Interpreter: JavaScript (T1059.007), Registry-based storage or abuse for payload staging, System Information Discovery (T1082), Process Discovery (T1057), Ingress Tool Transfer (T1105), and Command and Control over Web Protocols (T1071.001). The likely use of Cobalt Strike in follow-on stages also points to broader post-exploitation, persistence, and lateral movement opportunities once an initial foothold is established.