DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/APT
DMZ INTEL DESK//FILED: 2026-05-24//16:47Z
HIGH#apt

Ghostwriter/UAC-0057 Resurfaces with OYSTERFRESH/OYSTERBLUES Malware Chain, Abusing Prometheus Learning Platform as Lure Against Ukrainian Government Targets

CERT-UA disclosed on May 22, 2026 that Belarus-aligned APT Ghostwriter (UAC-0057/UNC1151) has been running an active phishing campaign against Ukrainian government organizations since spring 2026, using lures themed around Prometheus — a legitimate Ukrainian e-learning platform actually used by government employees — to increase credibility. Phishing emails deliver PDF attachments linking to ZIP archives containing OYSTERFRESH, a JavaScript dropper that displays a decoy document while covertly writing the encrypted OYSTERBLUES backdoor to the Windows Registry and downloading the OYSTERSHUCK decoder; OYSTERBLUES collects system fingerprint data (hostname, user account, OS version, running processes) and beacons to C2 infrastructure hidden behind Cloudflare across .icu TLD domains. CERT-UA recommends restricting wscript.exe execution for standard user accounts as the most effective immediate mitigation against this JavaScript-based delivery chain.

CERT-UA recommends restricting wscript.exe execution for standard user accounts as the most effective immediate mitigation against this JavaScript-based delivery chain.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
ghostwriter · uac-0057 · unc1151 · belarus · ukraine · oysterfresh · oysterblues · oystershuck · government-targeting · apt
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
APT73 / Bashe
CRIMINAL
ACTOR
SILVER FOX
NATION STATE

MORE FROM ARCHIVE

# APT
2026-05-26
Lazarus Group Deploys RemotePE Memory-Only RAT Against Crypto and Financial Firms; $577M Stolen YTD
# APT
2026-05-25
Operation Saffron: First VPN Dismantled — 33 Servers Seized, Ukrainian Admin Arrested, User Database Captured Exposing 25+ Ransomware Groups Including Avaddon and Phobos
# APT
2026-05-25
Ghostwriter (UAC-0057 / UNC1151) Deploys Novel OYSTERBLUES Implant Against Ukrainian Government via Prometheus Learning Platform Lures — Active Since Spring 2026
# APT
2026-05-24
Salt Typhoon Expands to 80+ Countries with New TernDoor/PeerTime/BruteEntry Implants; South American Telecoms Now Targeted