{
  "iim_version": "1.1",
  "chain_id": "iim.chain.apt.2026.05.004",
  "title": "UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2",
  "description": "CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.",
  "actor_id": "UAC-0057",
  "observed_at": "2026-05-21T00:00:00Z",
  "confidence": "likely",
  "needs_review": true,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "PDF lure with active link to ZIP archive",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Lure path targeting a Ukrainian state organization; the exact URL is not published in the open summary"
      ]
    },
    {
      "id": "e002",
      "type": "file",
      "value": "ZIP archive containing OYSTERFRESH JavaScript",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "ZIP stage described by CERT-UA/SOC Prime"
      ]
    },
    {
      "id": "e003",
      "type": "file",
      "value": "OYSTERFRESH JavaScript",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "JavaScript stage that stores OYSTERBLUES and downloads OYSTERSHUCK"
      ]
    },
    {
      "id": "e004",
      "type": "file",
      "value": "OYSTERBLUES registry-staged payload",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Encoded payload stored in Windows Registry"
      ]
    },
    {
      "id": "e005",
      "type": "file",
      "value": "OYSTERSHUCK decoder/loader",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Downloaded decoder that decodes and launches OYSTERBLUES"
      ]
    },
    {
      "id": "e006",
      "type": "domain",
      "value": "Cloudflare-fronted .icu C2 domain cluster",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Exact domains were intentionally not fabricated; public sources describe .icu C2 domains fronted by Cloudflare"
      ]
    },
    {
      "id": "e007",
      "type": "file",
      "value": "Cobalt Strike follow-on component",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Cobalt Strike indicated as follow-on payload in reporting"
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false,
      "techniques": [
        "IIM-T019"
      ]
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "c2",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": true,
      "techniques": [
        "IIM-T001",
        "IIM-T010",
        "IIM-T011"
      ],
      "review_notes": "Open sources do not publish the exact C2 domains; this chain model preserves the confirmed infrastructure class without inventing IoCs."
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "confidence": "likely"
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "confidence": "confirmed"
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "confidence": "confirmed"
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "download",
      "sequence_order": 4,
      "confidence": "confirmed"
    },
    {
      "from": "e005",
      "to": "e004",
      "type": "execute",
      "sequence_order": 5,
      "confidence": "confirmed"
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "connect",
      "sequence_order": 6,
      "confidence": "likely"
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "download",
      "sequence_order": 7,
      "confidence": "likely"
    }
  ],
  "x_report_published_month": "2026-05",
  "x_source_reports": [
    "SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity"
  ],
  "x_source_urls": [
    "https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"
  ],
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_scope_note": "Published in May 2026 and focused on Ukrainian state organizations.",
  "x_limitations": "Exact domain names and sample hashes were not present in the open summary I used, so the C2 entity remains a non-atomic cluster descriptor and is flagged for review.",
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Spearphishing Link"
    },
    {
      "technique_id": "T1059.007",
      "name": "JavaScript"
    },
    {
      "technique_id": "T1112",
      "name": "Modify Registry"
    },
    {
      "technique_id": "T1071.001",
      "name": "Web Protocols"
    }
  ]
}