
iim.chain.apt.2026.05.004

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

Confidence: likely | IIM v1.1 | Actor: UAC-0057 | Needs review
Entities: 7 | Relations: 7 | Techniques: 5 | Published: 2026-05-26 13:31:49

Infrastructure map

Role-based chain map; node roles are entry, redirector, staging, payload and c2.

Chain storyline

Ordered IIM positions:

1. entry (file, e001): PDF lure with active link to ZIP archive. Techniques: IIM-T019
2. staging (file, e002): ZIP archive containing OYSTERFRESH JavaScript. Techniques: IIM-T024
3. staging (file, e003): OYSTERFRESH JavaScript
4. payload (file, e004): OYSTERBLUES registry-staged payload
5. payload (file, e005): OYSTERSHUCK decoder/loader
6. c2 (domain, e006): Cloudflare-fronted .icu C2 domain cluster. Techniques: IIM-T001, IIM-T010, IIM-T011
7. payload (file, e007): Cobalt Strike follow-on component

Relations

Directed infrastructure edges, in sequence order:

1. e001 --download--> e002 (likely)
2. e002 --drops--> e003 (confirmed)
3. e003 --drops--> e004 (confirmed)
4. e003 --download--> e005 (confirmed)
5. e005 --execute--> e004 (confirmed)
6. e004 --connect--> e006 (likely)
7. e006 --download--> e007 (likely)

Entities & evidence

Observable inventory:

ID | Type | Value | Source / evidence
e001 | file | PDF lure with active link to ZIP archive | Ukrainian state organization lure path; exact URL not published in open summary
e002 | file | ZIP archive containing OYSTERFRESH JavaScript | ZIP stage described by CERT-UA/SOC Prime
e003 | file | OYSTERFRESH JavaScript | JavaScript stage that stores OYSTERBLUES and downloads OYSTERSHUCK
e004 | file | OYSTERBLUES registry-staged payload | Encoded payload stored in Windows Registry
e005 | file | OYSTERSHUCK decoder/loader | Downloaded decoder that decodes and launches OYSTERBLUES
e006 | domain | Cloudflare-fronted .icu C2 domain cluster | Exact domains intentionally not invented; public sources describe .icu C2 domains behind Cloudflare
e007 | file | Cobalt Strike follow-on component | Cobalt Strike indicated as follow-on payload in reporting

ATT&CK annotations

Optional complementary mapping:

T1566.002 Spearphishing Link
T1059.007 JavaScript
T1112 Modify Registry
T1071.001 Web Protocols
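The three host-side techniques above (a script host writing an encoded payload into the registry, and the decoded stage calling out over HTTP to a .icu name) can be turned into a correlation rule. The code below is an added example written for this page; it is not CERT-UA, SOC Prime or MANTIS code and does not use any published indicator from the campaign. It assumes Sysmon-like telemetry with simplified field names (eid 13 = registry value set, eid 22 = DNS query), and the script-host list, the 2048-character blob threshold, the 30-minute window and the placeholder .icu name are all constructed assumptions for illustration, not campaign IoCs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like telemetry (not logs from the campaign).
# eid 13 = registry value set, eid 22 = DNS query. The .icu name and the
# registry paths are placeholders, not indicators from public reporting.
SAMPLE_EVENTS = [
    # ws01: script host stages a large base64 blob, then a .icu lookup minutes later
    {"ts": "2026-05-21T09:00:01Z", "host": "ws01", "eid": 13, "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Example\Blob", "details": "A" * 3000 + "=="},
    {"ts": "2026-05-21T09:03:40Z", "host": "ws01", "eid": 22, "pid": 5312,
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "query": "c2-placeholder.icu"},
    # ws02: benign short registry write by explorer and an unrelated .icu lookup by a browser
    {"ts": "2026-05-21T09:10:00Z", "host": "ws02", "eid": 13, "pid": 880,
     "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Example\Setting", "details": "1"},
    {"ts": "2026-05-21T09:11:00Z", "host": "ws02", "eid": 22, "pid": 2200,
     "image": r"C:\Program Files\Browser\browser.exe", "query": "site.icu"},
    # ws03: cscript stages a hex blob but no follow-on lookup is seen
    {"ts": "2026-05-21T10:00:00Z", "host": "ws03", "eid": 13, "pid": 6100,
     "image": r"C:\Windows\SysWOW64\cscript.exe",
     "target": r"HKCU\Software\Example\Hex", "details": "ab" * 1500},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # assumption: hosts that run the JS stage
# Assumption: a staged payload is one long single-charset blob (base64 or hex).
# The 2048-character floor is a tuning choice, not a published indicator.
ENCODED_BLOB = re.compile(r"^(?:[A-Za-z0-9+/]{2048,}={0,2}|[0-9A-Fa-f]{2048,})$")
C2_TLD = ".icu"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_registry_staging(ev):
    """T1059.007 + T1112: a script host writing a large encoded registry value."""
    return (ev["eid"] == 13 and _basename(ev["image"]) in SCRIPT_HOSTS
            and bool(ENCODED_BLOB.match(ev.get("details", ""))))


def is_icu_lookup(ev):
    """T1071.001 candidate: a DNS query for a .icu name. Too weak to alert on alone."""
    return ev["eid"] == 22 and ev.get("query", "").lower().endswith(C2_TLD)


def correlate(events, window=timedelta(minutes=30)):
    """Per host: a staging write alone is medium; one followed by a .icu lookup in the window is high."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        lookups = [e for e in evs if is_icu_lookup(e)]
        for stage in (e for e in evs if is_registry_staging(e)):
            follow = [l for l in lookups
                      if timedelta(0) <= _ts(l["ts"]) - _ts(stage["ts"]) <= window]
            alert = {"host": host, "staging": stage["target"], "c2": None,
                     "techniques": ["T1059.007", "T1112"], "severity": "medium"}
            if follow:
                alert.update(c2=follow[0]["query"], severity="high",
                             techniques=alert["techniques"] + ["T1071.001"])
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The .icu lookup is deliberately not an alert by itself: plenty of legitimate sites use the TLD, and Cloudflare fronting means the resolved address tells you nothing. The registry write by a script host is the anchor, and the later lookup only raises severity.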

Raw IIM JSON (canonical body from MANTIS)
{
  "iim_version": "1.1",
  "chain_id": "iim.chain.apt.2026.05.004",
  "title": "UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2",
  "description": "CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.",
  "actor_id": "UAC-0057",
  "observed_at": "2026-05-21T00:00:00Z",
  "confidence": "likely",
  "needs_review": true,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "PDF lure with active link to ZIP archive",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Ukrainian state organization lure path; exact URL not published in open summary"
      ]
    },
    {
      "id": "e002",
      "type": "file",
      "value": "ZIP archive containing OYSTERFRESH JavaScript",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "ZIP stage described by CERT-UA/SOC Prime"
      ]
    },
    {
      "id": "e003",
      "type": "file",
      "value": "OYSTERFRESH JavaScript",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "JavaScript stage that stores OYSTERBLUES and downloads OYSTERSHUCK"
      ]
    },
    {
      "id": "e004",
      "type": "file",
      "value": "OYSTERBLUES registry-staged payload",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Encoded payload stored in Windows Registry"
      ]
    },
    {
      "id": "e005",
      "type": "file",
      "value": "OYSTERSHUCK decoder/loader",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Downloaded decoder that decodes and launches OYSTERBLUES"
      ]
    },
    {
      "id": "e006",
      "type": "domain",
      "value": "Cloudflare-fronted .icu C2 domain cluster",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Exact domains intentionally not invented; public sources describe .icu C2 domains behind Cloudflare"
      ]
    },
    {
      "id": "e007",
      "type": "file",
      "value": "Cobalt Strike follow-on component",
      "source": "CERT-UA/SOC Prime summary",
      "evidence": [
        "Cobalt Strike indicated as follow-on payload in reporting"
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false,
      "techniques": [
        "IIM-T019"
      ]
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "c2",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": true,
      "techniques": [
        "IIM-T001",
        "IIM-T010",
        "IIM-T011"
      ],
      "review_notes": "Open sources do not publish the exact C2 domains; model preserves the confirmed infrastructure class without inventing IoCs."
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "confidence": "likely"
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "confidence": "confirmed"
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "drops",
      "sequence_order": 3,
      "confidence": "confirmed"
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "download",
      "sequence_order": 4,
      "confidence": "confirmed"
    },
    {
      "from": "e005",
      "to": "e004",
      "type": "execute",
      "sequence_order": 5,
      "confidence": "confirmed"
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "connect",
      "sequence_order": 6,
      "confidence": "likely"
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "download",
      "sequence_order": 7,
      "confidence": "likely"
    }
  ],
  "x_report_published_month": "2026-05",
  "x_source_reports": [
    "SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity"
  ],
  "x_source_urls": [
    "https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"
  ],
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_scope_note": "Published in May 2026 and focused on Ukrainian state organizations.",
  "x_limitations": "Exact domain names and sample hashes were not present in the open summary I used, so the C2 entity remains a non-atomic cluster descriptor and is flagged for review.",
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Spearphishing Link"
    },
    {
      "technique_id": "T1059.007",
      "name": "JavaScript"
    },
    {
      "technique_id": "T1112",
      "name": "Modify Registry"
    },
    {
      "technique_id": "T1071.001",
      "name": "Web Protocols"
    }
  ]
}
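A consumer of this chain should check it before feeding anything downstream: relation endpoints must resolve to entities, sequence_order must be contiguous, and entities flagged needs_review (or whose value is a cluster descriptor rather than an atomic indicator, like e006) must not reach a blocklist. The code below is an added example for this page, not part of MANTIS or the IIM tooling; it embeds a trimmed copy of the chain above and assumes an ordinal ranking of the confidence vocabulary (confirmed above likely) and a set of entity types whose value is expected to be a single indicator. Both are assumptions, not IIM v1.1 definitions.

```python
# Trimmed copy of the page's IIM v1.1 chain: only the fields the checks need.
IIM_CHAIN = {
    "chain_id": "iim.chain.apt.2026.05.004",
    "entities": [
        {"id": "e001", "type": "file",   "value": "PDF lure with active link to ZIP archive"},
        {"id": "e002", "type": "file",   "value": "ZIP archive containing OYSTERFRESH JavaScript"},
        {"id": "e003", "type": "file",   "value": "OYSTERFRESH JavaScript"},
        {"id": "e004", "type": "file",   "value": "OYSTERBLUES registry-staged payload"},
        {"id": "e005", "type": "file",   "value": "OYSTERSHUCK decoder/loader"},
        {"id": "e006", "type": "domain", "value": "Cloudflare-fronted .icu C2 domain cluster"},
        {"id": "e007", "type": "file",   "value": "Cobalt Strike follow-on component"},
    ],
    "chain": [
        {"entity_id": "e001", "role": "entry",   "needs_review": False},
        {"entity_id": "e002", "role": "staging", "needs_review": False},
        {"entity_id": "e003", "role": "staging", "needs_review": False},
        {"entity_id": "e004", "role": "payload", "needs_review": False},
        {"entity_id": "e005", "role": "payload", "needs_review": False},
        {"entity_id": "e006", "role": "c2",      "needs_review": True},
        {"entity_id": "e007", "role": "payload", "needs_review": False},
    ],
    "relations": [
        {"from": "e001", "to": "e002", "type": "download", "sequence_order": 1, "confidence": "likely"},
        {"from": "e002", "to": "e003", "type": "drops",    "sequence_order": 2, "confidence": "confirmed"},
        {"from": "e003", "to": "e004", "type": "drops",    "sequence_order": 3, "confidence": "confirmed"},
        {"from": "e003", "to": "e005", "type": "download", "sequence_order": 4, "confidence": "confirmed"},
        {"from": "e005", "to": "e004", "type": "execute",  "sequence_order": 5, "confidence": "confirmed"},
        {"from": "e004", "to": "e006", "type": "connect",  "sequence_order": 6, "confidence": "likely"},
        {"from": "e006", "to": "e007", "type": "download", "sequence_order": 7, "confidence": "likely"},
    ],
}

# Assumption: ordinal ranking of the confidence words used on the page.
CONFIDENCE_RANK = {"confirmed": 2, "likely": 1}
# Assumption: types whose value should be one atomic indicator, never a descriptor.
ATOMIC_TYPES = {"domain", "ip", "url", "hash"}


def validate(chain):
    """Return structural problems; an empty list means the chain is well-formed."""
    issues = []
    ids = {e["id"] for e in chain["entities"]}
    for pos in chain["chain"]:
        if pos["entity_id"] not in ids:
            issues.append(f"chain position references unknown entity {pos['entity_id']}")
    for r in chain["relations"]:
        for end in ("from", "to"):
            if r[end] not in ids:
                issues.append(f"relation {r['sequence_order']} references unknown entity {r[end]}")
        if r["confidence"] not in CONFIDENCE_RANK:
            issues.append(f"relation {r['sequence_order']} has unknown confidence {r['confidence']!r}")
    orders = sorted(r["sequence_order"] for r in chain["relations"])
    if orders != list(range(1, len(orders) + 1)):
        issues.append(f"sequence_order is not contiguous from 1: {orders}")
    return issues


def review_queue(chain):
    """Entity ids an analyst must resolve before the chain can feed a blocklist."""
    positions = {p["entity_id"]: p for p in chain["chain"]}
    queue = []
    for e in chain["entities"]:
        flagged = positions.get(e["id"], {}).get("needs_review", False)
        non_atomic = e["type"] in ATOMIC_TYPES and " " in e["value"]   # descriptor, not an IoC
        if flagged or non_atomic:
            queue.append(e["id"])
    return queue


def paths(chain, start_role="entry", end_role="c2"):
    """Every simple path from an entry entity to a c2 entity, with the weakest edge confidence."""
    roles = {p["entity_id"]: p["role"] for p in chain["chain"]}
    out_edges = {}
    for r in chain["relations"]:
        out_edges.setdefault(r["from"], []).append(r)
    found = []

    def walk(node, trail, edges):
        if roles.get(node) == end_role and edges:
            found.append((trail, min(CONFIDENCE_RANK[e["confidence"]] for e in edges)))
            return
        for r in out_edges.get(node, []):
            if r["to"] not in trail:                      # no cycles
                walk(r["to"], trail + [r["to"]], edges + [r])

    for start in (eid for eid, role in roles.items() if role == start_role):
        walk(start, [start], [])
    rank_name = {v: k for k, v in CONFIDENCE_RANK.items()}
    return [(trail, rank_name[rank]) for trail, rank in found]


if __name__ == "__main__":
    print("issues:", validate(IIM_CHAIN))
    print("review:", review_queue(IIM_CHAIN))
    for trail, conf in paths(IIM_CHAIN):
        print(" -> ".join(trail), f"[{conf}]")
```

Both entry-to-c2 paths (via the direct drop of OYSTERBLUES, and via the OYSTERSHUCK download that executes it) come out as "likely" only, because the weakest edge on each is the PDF-to-ZIP download, whatever the confirmed middle stages say; chain confidence is a min, not an average.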