DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/APT
DMZ INTEL DESK//FILED: 2026-05-25//00:46Z
HIGH#apt

Ghostwriter (UAC-0057 / UNC1151) Deploys Novel OYSTERBLUES Implant Against Ukrainian Government via Prometheus Learning Platform Lures — Active Since Spring 2026

CERT-UA disclosed this week that the Belarus-aligned APT Ghostwriter (UAC-0057 / UNC1151) has been running a sustained phishing campaign since spring 2026 against Ukrainian government entities, using lures impersonating the Prometheus online learning platform — a tool Ukrainian government employees routinely use — sent via previously compromised email accounts. The multi-stage kill chain delivers OYSTERFRESH (a JavaScript dropper displaying decoy documents), which stealthily encodes and writes OYSTERBLUES to the Windows Registry; OYSTERBLUES is then decoded by OYSTERSHUCK and beacons host profiling data (computer name, user, OS version, running processes) back to C2 infrastructure hidden behind Cloudflare using .icu TLD domains. Defenders should restrict wscript.exe execution for standard user accounts as an immediate mitigating control; the use of geofencing and trusted-platform social engineering signals deliberate operational refinement by this group.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
ghostwriter · uac-0057 · unc1151 · belarus-apt · ukraine-government · oysterblues · oysterfresh · oystershuck · cert-ua · spear-phishing
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

MORE FROM ARCHIVE

# APT
2026-05-26
Lazarus Group Deploys RemotePE Memory-Only RAT Against Crypto and Financial Firms; $577M Stolen YTD
# APT
2026-05-25
Operation Saffron: First VPN Dismantled — 33 Servers Seized, Ukrainian Admin Arrested, User Database Captured Exposing 25+ Ransomware Groups Including Avaddon and Phobos
# APT
2026-05-24
Salt Typhoon Expands to 80+ Countries with New TernDoor/PeerTime/BruteEntry Implants; South American Telecoms Now Targeted
# APT
2026-05-24
Ghostwriter/UAC-0057 Resurfaces with OYSTERFRESH/OYSTERBLUES Malware Chain, Abusing Prometheus Learning Platform as Lure Against Ukrainian Government Targets