CTI Daily Brief — 2026-05-23

Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled

On 2026-05-18 the Dutch Fiscal Information and Investigation Service (FIOD) arrested two suspects — a 57-year-old man from Amsterdam and a 39-year-old man from The Hague, both connected to bulletproof-hosting operators (WorkTitans B.V. and MIRhosting) named in the related corroborating coverage — raiding four locations including data centres in Dronten and Schiphol-Rijk plus the suspects' residences in Enschede and Almere, and seizing 800 servers, laptops, phones and administrative records (FIOD, 2026-05-22 · BleepingComputer, 2026-05-22 · DutchNews.nl, 2026-05-22). The charges are filed under the Dutch Sanctions Act: the two firms are accused of sustaining bulletproof hosting infrastructure for Stark Industries Solutions Ltd, designated by the EU in May 2025 for facilitating Russian and Belarusian destabilisation operations. Recorded Future's Insikt Group had already documented the sanctions-evasion playbook last year — Stark Industries migrated its ASN (AS44477) to AS209847 (WorkTitans) and rebranded the operating brand to THE.Hosting while retaining the same RIPE maintainer objects under Dmitrii Miasnikov, a transparent shell concealing ownership continuity (Recorded Future Insikt Group, 2025-06).

This is one of the first publicly reported criminal enforcement actions in the EU directed at a bulletproof hoster acting as a proxy for a designated Russian entity, and the operational nexus to Switzerland is direct: per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns against EU and NATO member-state websites — Swiss federal and cantonal public-sector sites included. Defender vantage: the seized intelligence will generate lead packages on the criminal-customer book, but the immediate hunt value is at network level. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) IP space has appeared in blocklist feeds since mid-2024; review ingress rate-limiting and scrubbing SLAs for any remaining traffic from this AS pair and from BGP-adjacent peers, and re-check application-layer rate limits on the citizen-facing portals NoName057(16) historically targeted.

Why it matters to us: Swiss public-sector portals have been a recurring NoName057(16) target; the takedown is a chance to re-baseline scrubbing capacity and re-check AS-level blocklists, not a sign that the threat is over (DDoS-for-hire reorganises quickly).

Kimwolf / "Dort" DDoS-for-hire operator arrested — 30+ Tbps IoT botnet, U.S. DoD-range targeting, AISURU variant

Canadian authorities (Ontario Provincial Police) arrested Jacob Butler, 23, of Ottawa — alias Dort — earlier this week on a U.S. extradition warrant; the U.S. Department of Justice unsealed the criminal complaint in the District of Alaska on Thursday 2026-05-21 (U.S. Department of Justice, 2026-05-21 · KrebsOnSecurity, 2026-05-22 · The Record, 2026-05-22). Butler is alleged to have developed and operated Kimwolf, a DDoS-for-hire botnet assessed as a variant of AISURU. Kimwolf infected primarily consumer IoT — digital photo frames, webcams and other internet-exposed devices — via default credentials and known public CVEs, issued more than 25,000 DDoS attack commands, and peaked at nearly 30 Tbps per the DOJ and KrebsOnSecurity (The Hacker News reports the peak as 31.4 Tbps — the discrepancy is between the DOJ-cited figure used in the unsealed complaint and a secondary number cited by THN; treat the DOJ number as the reference for capacity-planning purposes). Targets included U.S. Department of Defense IP ranges and at least one victim with confirmed losses exceeding $1 million per incident. Kimwolf C2 infrastructure was seized 2026-03-19 in a coordinated multi-jurisdiction action alongside three sibling botnets — AISURU, JackSkid and Mossad — collectively infecting >3 million devices.

The complaint also documents that Butler conducted DDoS, doxing and swatting attacks against researchers who investigated him, including Synthient's Ben Brundage who had helped identify a Kimwolf-exploited vulnerability. Defender takeaway for Swiss and EU operators: the 30 Tbps capability is now demonstrably in range of a single operator's commercial service, and DDoS-for-hire infrastructure reorganises within weeks of takedowns. Re-baseline ISP scrubbing SLAs against a 10–30 Tbps reference, audit citizen-facing portals' application-layer rate limits, and segment consumer-grade IoT (frames, cameras, NVRs) off any path that touches critical infrastructure or admin networks.

Why it matters to us: Kimwolf belongs to the IoT-amplification class of botnets that target Swiss/EU public-sector portals; the arrest is an opportunity to re-test scrubbing capacity and IoT segmentation, not to assume the supply has shrunk.

Megalodon mass-poisons 5,561 GitHub repos in a 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials and OIDC tokens

SafeDep and OX Security disclosed an automated mass-backdooring campaign tracked as Megalodon that pushed thousands of malicious commits to 5,561 distinct GitHub repositories in a roughly six-hour window on 2026-05-18, using throwaway accounts with forged committer identities such as build-bot, auto-ci, ci-bot and pipeline-bot (SafeDep, 2026-05-21 · OX Security, 2026-05-21 · The Hacker News, 2026-05-22). Two GitHub Actions YAML variants were injected: SysDiag, triggered on every push and pull_request event (T1059.004 Unix Shell via CI Runner) to maximise execution frequency in active repos, and Optimize-Build, which replaces existing workflows with workflow_dispatch triggers — a dormant backdoor that the attacker can activate on demand via the GitHub REST API (T1546 Event Triggered Execution). Both variants carry a base64-encoded bash payload that the SafeDep and OX Security write-ups disassemble in detail.

On execution the payload harvests CI environment variables, /proc/*/environ entries, AWS credentials across configured profiles and IMDSv2 metadata, GCP access tokens via gcloud auth print-access-token, Azure IMDS tokens, SSH private keys from ~/.ssh/, Docker config files, .npmrc, .netrc, Kubernetes configs, Vault tokens, Terraform credentials and — critically for CI/CD trust chains — GitHub Actions OIDC tokens (T1552.004 Private Keys; T1078.004 Cloud Accounts). The npm package @tiledesk/tiledesk-server versions 2.18.6–2.18.12 carries the Optimize-Build variant after the maintainer's GitHub repo was compromised; SafeDep's Malysis engine flagged the package. Detection vantage: audit every .github/workflows/*.yml for the SafeDep-published payload markers and unfamiliar committer identities on recent commits; review CI runner process trees for aws configure list-profiles, gcloud auth print-access-token and curl http://169.254.169.254 calls outside expected infra tests. Hardening: require approval for workflow_dispatch on untrusted branches, gate .github/workflows/ changes behind CODEOWNERS review, adopt OIDC-based trusted publishing to eliminate long-lived cloud credentials, and pin third-party actions to commit SHAs not branch tags.

Why it matters to us: any EU/CH agency, university or contractor with CI/CD reaching cloud infrastructure is exposed if a maintainer they depend on was caught in the 6-hour sweep — re-audit GitHub Actions workflows on internal forks today, and rotate any cloud credentials previously surfaced via CI runners on the affected window.

FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture

The FBI's Internet Crime Complaint Center issued PSA260521 on 2026-05-21 on Kali365, a Telegram-distributed Phishing-as-a-Service platform observed since April 2026 that abuses Microsoft's OAuth 2.0 device-code authorization flow (RFC 8628) to capture persistent access and refresh tokens for M365 accounts while completely bypassing multi-factor authentication (The Register, 2026-05-22 · Help Net Security, 2026-05-22 · The Record, 2026-05-22 · CyberScoop, 2026-05-22). The technique falls under MITRE ATT&CK T1111 (MFA Interception) and T1528 (Steal Application Access Token) but differs structurally from credential phishing: the victim receives a lure impersonating Adobe Acrobat Sign, DocuSign or SharePoint, opens the embedded device code, and enters it on the legitimate login.microsoftonline.com/common/oauth2/deviceauth page; the attacker's registered device then receives both an access and a refresh token bound to that device, granting persistent access to Exchange Online, Teams, OneDrive and SharePoint without any further user interaction or MFA challenge.

A secondary AiTM mode proxies the victim's browser through attacker infrastructure to capture session cookies during a real Microsoft authentication flow when device-code is blocked. Subscriptions cost $250/month or $2,000/year per tenant; AI-generated lures are available in 14 languages with automated campaign templates and real-time tracking dashboards, lowering the technical bar for less capable actors. Observed outcomes since April 2026 — per the four outlets corroborating the FBI PSA — include mailbox exfiltration, lateral phishing, business email compromise and ransomware pre-staging. Detection vantage: Entra ID sign-in logs surface authenticationProtocol = deviceCode events — alert on those from unfamiliar device names or geographies inconsistent with the user's home location, and look for sign-in activity immediately after a device-code event from a different IP. Hardening: block user-interactive device-code flow via Conditional Access's Authentication flows condition (block / require compliant device), enforce FIDO2 phishing-resistant MFA for high-value accounts, and review existing OAuth app consents — public-sector tenants often leave device-code open for legacy device enrolment, and once an attacker holds a refresh token, only Revoke-MgUserSignInSession clears it.

Why it matters to us: the device-code attack path is the single fastest M365 compromise vector that classic phishing-aware users still walk into; Swiss federal, cantonal and public-administration Entra tenants often leave the flow open for kiosk / shared-device enrolment, and the Kali365 commoditisation means small actors can now run it without M365 expertise.

Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident

The Rhysida ransomware-as-a-service group listed Landeshauptstadt Stuttgart — the Baden-Württemberg state capital (~600,000 residents) — on its dark-web leak site in mid-May 2026 (DeXpose dates the listing to 2026-05-19; Heise (2026-05-21) covers the leak-site listing and Stuttgart's response without anchoring the original posting date), demanding 5 Bitcoin (~€333,000) for exclusive access to allegedly stolen documents and publishing heavily downscaled previews of scanned invoices and faxes attributed to Stuttgart's administrative systems (Heise Online (EN), 2026-05-21 · DeXpose, 2026-05-20). The city's response is measured: published material is "currently being examined together with the responsible authorities" and Stuttgart has "no indications of a cyber incident at this time", with further comment declined while investigation continues. No vulnerability or initial access vector has been disclosed; the claim appears to be data-exfiltration-only with city portals and operational systems unaffected, consistent with Rhysida's pattern since the British Library (2023) and the German charity Welthungerhilfe (2025).

Defender vantage with the city's denial in mind: confidence in the claim is MEDIUM — the only corroboration is press coverage of the leak-site listing itself. Hunt rather than respond: Rhysida tends to gain initial access through phishing (T1566) or external VPN exploitation (T1133), executes living-off-the-land via cmd.exe / PowerShell with scheduled-task persistence, and stages data in unusual directories before exfiltration (T1074.001). DACH municipal SOCs should treat the listing as a forcing function to re-check VPN patch levels, password-spray detection on the on-prem identity edge, and any unexplained outbound bursts from file servers and DFS shares since 2026-05-10. South Korean researchers' 2024 free Rhysida decryptor exploited an encryption flaw that the group has since reworked; no current decryptor is publicly known for 2026 variants if encryption does follow.

Why it matters to us: German municipal targeting bleeds into Swiss DACH context (shared partner networks, fediplomatic exchanges); the Stuttgart pattern — data theft only, leak-site posting, city denies — is increasingly common and the right response is hunt-without-confirming, not wait-for-a-victim-statement.

ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS

ANSSI / CERT-FR issued CERTFR-2026-AVI-0635 on 2026-05-22 covering a security-policy bypass vulnerability in SPIP (Système de Publication pour l'Internet) versions prior to 4.4.15; SPIP 4.4.15 was released the same day (SPIP blog, 2026-05-22). The advisory quotes the issue in CERT-FR's standard French: "Une vulnérabilité a été découverte dans SPIP. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité. SPIP versions antérieures à 4.4.15 sont affectées." (in English: a vulnerability allows an attacker to bypass the security policy; versions prior to 4.4.15 are affected). No CVE identifier or CVSS score is attached to the CERT-FR notice yet; no exploitation in the wild has been reported.

The SPIP project blog characterises the underlying issue specifically as an open-redirect vulnerability in the cookie action — the "policy bypass" framing in the CERT-FR advisory is the standard generic catch-all used by ANSSI, not a separate finding. SPIP is the predominant CMS across French public administration — préfectures, ministries, research institutions — and the Francophone government sphere in Belgium, Switzerland (Romandie cantonal and communal sites) and Canada. Open-redirect issues in authenticated cookie paths are typically chained into account-impersonation or token-laundering against OAuth/OpenID-Connect identity providers, so the EU/CH public-sector risk is concrete even without a CVE in the loop yet. SPIP 4.4.15 is the immediate follow-on to the earlier-May 4.4.14 security release. Detection vantage: review SPIP access logs for unexpected redirect-parameter values on the cookie-action endpoint and any outbound 30x responses to attacker-controlled hosts; defenders should also note that Swiss cantonal and communal administrations using SPIP for public portals fall under the 24-hour NCSC.ch reporting obligation for critical-infrastructure operators if a SPIP intrusion is later confirmed.

Why it matters to us: every Romandie cantonal/communal SOC with a SPIP-built portal needs to patch in this cycle; the absence of a CVE makes it easy to overlook on automated patch-track reports.

Unit 42 — Iran's Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore): AppDomainManager hijacking silently disables ETW + strong-name checks in six new RATs

Unit 42 published a comprehensive write-up on Screening Serpens (a.k.a. UNC1549, Smoke Sandstorm, Nimbus Manticore) on 2026-05-22 covering operations from February through April 2026 timed to the onset of the U.S.–Israeli Middle East conflict that began 2026-02-28 (Unit 42, 2026-05-22 · Cybersecurity Dive, 2026-05-22). The group deployed new RAT variants across two malware families: MiniUpdate in four variants used between 2026-03-26 and 2026-04-17 with lures impersonating aviation, healthcare and financial-services firms, and MiniJunk V2 in two variants used between 2026-02-17 and 2026-03-27 against Middle Eastern and U.S. targets.

The technically significant evolution is AppDomainManager hijacking (T1574.014) paired with classic DLL sideloading (T1574.001): the infection chain drops a legitimate Microsoft .NET executable alongside a weaponised UpdateChecker.dll / InitInstall.dll / Updater.dll and — critically — a malicious .runtimeconfig.json that redirects the CLR's AppDomainManager loading at process startup, silently disabling ETW tracing and strong-name validation before the RAT executes. That leaves the host's EDR operating in a reduced-telemetry mode on every infected workstation. Delivery is high-touch — fake recruitment PDFs, spoofed video-conference meeting invitations, and ZIP archives containing a legitimate executable as the trigger; persistence uses scheduled tasks; C2 routes through Azure-hosted domains. Confirmed targets: U.S., Israel, UAE, plus at least two further Middle Eastern entities consistent with prior UNC1549 focus on aerospace, defence and telecommunications. The CH/EU nexus is indirect but real — Swiss aerospace and defence suppliers (RUAG, Pilatus and defence export channels) sit squarely in the sector profile, as do EU R&D firms historically swept up in Iranian collection campaigns.

Detection vantage: alert on .runtimeconfig.json writes by non-installer processes; watch the Microsoft-Windows-DotNETRuntime ETW provider for StrongNameVerification=0 startup events and CLR debug-mode initialisation; watch scheduled-task creation from processes with .dll parent images loading via rundll32.exe / svchost.exe. Hardening: enforce a code-integrity policy (UMCI + trusted-signers allowlist) so unsigned DLLs cannot load into the .NET CLR; restrict .runtimeconfig.json writes outside install paths via FIM.

Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration

Unit 42 documents (2026-05-22) systematic nation-state operationalisation of ROADtools — the open-source Python Entra ID attack/defence framework hosted at github.com/dirkjanm/ROADtools — by three named clusters: Cloaked Ursa / Midnight Blizzard / APT29 / NOBELIUM (Russia), Curious Serpens / Peach Sandstorm / APT33 (Iran) and UTA0355 (Russian state-affiliated) (Unit 42, 2026-05-22). The chain begins with credential compromise (password spray or OAuth device-code phishing — see § 1 Kali365), then uses roadtx to register attacker-controlled devices in the victim's Entra ID tenant, establishing persistence via a Primary Refresh Token bound to a registered device. The roadrecon module performs systematic directory enumeration via legacy Azure AD Graph API calls — now also ported to the msgraph branch — targeting users, groups, service principals, application permissions and OAuth token grants.

MITRE ATT&CK techniques mapped explicitly by Unit 42: T1098.005 (Account Manipulation: Device Registration), T1550 (Use Alternate Authentication Material), and T1087 (Account Discovery via Microsoft Graph API). The device-PRT-binding step functionally bypasses tenant MFA — the brief leaves the explicit T1556.006 framing off since Unit 42 does not map it that way; defenders running custom ATT&CK overlays may want to add it themselves. Volexity's April 2025 OAuth device-code paper is the historical background for the device-code half of the chain. Detection vantage: monitor Entra ID audit logs for Add device events from unfamiliar device names or from IPs not in expected employee geographies; alert on sign-in logs carrying the roadtx user-agent string or unexpected https://login.microsoftonline.com/common/oauth2/token device-code grant flows; review Microsoft Graph Activity Logs for bulk GET /users, GET /groups and GET /servicePrincipals calls clustered by time. Hardening: enforce Conditional Access token-protection (token binding renders stolen tokens non-transferable across devices); restrict device registration to compliant or hybrid-joined devices only; enforce Privileged Access Workstation policy for admin token issuance; block Azure AD Graph via blockLegacyAuthentication. Midnight Blizzard has a documented pattern of targeting EU diplomatic corps and government Microsoft 365 tenants, so the relevance to Swiss federal and EU institution Entra estates is direct.

ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

Rapid7 Labs published its Q1 2026 Threat Landscape Report on 2026-05-21 covering January–March 2026 IR data; the GlobeNewswire release accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

• Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %) in Rapid7's Q1 2026 dataset. The implication: edge / perimeter patch SLAs and exposure management now drive blast-radius more than awareness training does.
• More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything user-interaction-dependent.
• Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days. Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report frames this as faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the exploitation-confirmation signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
• Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
• SQL injection became the most-exploited vulnerability class in Q1 2026, validating the Drupal CVE-2026-9082 story above as part of a broader shift.
• RMM tool abuse accounted for 22.9 % of observed threat activity, ClickFix-style social engineering 18.8 % — both worth re-checking on EDR detection coverage in EU/CH environments where ClickFix browser drive-by is less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure-extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.

ANNUAL REPORT — Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies [SINGLE-SOURCE]

Check Point Research's March-April 2026 AI Threat Landscape Digest (published 2026-05-22) is the operationally most striking annual / periodic AI report of the past month. The centrepiece — researched by Gambit Security and summarised in the Check Point post — documents a single unidentified operator compromising nine Mexican government agencies between December 2025 and February 2026, covering tax records, civil registry, patient files and electoral infrastructure. The structural innovation: the attacker ran two commercial AI platforms in parallel — one managing live exploitation and issuing >5,000 AI-executed commands, a second processing harvested data and feeding instructions back into the first. Persistence for the AI itself was simple: modifying the AI client's startup configuration file to embed persistent instructions inherited by every subsequent session.

Two further findings have direct EU/CH public-sector implications. First, the EvilTokens platform — a commercial jailbreak-as-a-service tool packaging AI-driven phishing generation, financial-data extraction and similar capabilities as a subscription — represents the same commoditisation curve as Kali365 (§ 1) but for AI-assisted intrusion. Second, CPR explicitly calls out that stolen API keys for Anthropic, OpenAI, Groq and Mistral are now high-value criminal targets, since they grant access to powerful AI services without an account; Swiss federal and cantonal agencies using commercial AI APIs should treat key rotation cadence and source-IP scoping (Conditional Access on the API layer) on par with classic privileged-credential hygiene. Detection vantage: bulk exfiltration events temporally co-located with anomalous API call patterns to commercial AI services from non-standard processes; process trees in which AI client libraries spawn data-collection subprocesses; cloud audit logs showing API key issuance followed immediately by large-volume inference calls from unusual source IPs.

UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"

UPDATE (originally covered 2026-05-21): On 2026-05-22 Drupal updated SA-CORE-2026-004 to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated Security Hub post 12584 to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).

Imperva reports observing 15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries within days of disclosure (Imperva, 2026-05-21). The technical mechanism (now public via the Searchlight Cyber write-up): on the case-insensitive IN operator path through core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile() / ConditionAggregate::compile(), a JSON-encoded array value survives into the SQL placeholder name without sanitisation, allowing injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for EOL Drupal 8.9 and 9 are also available. MySQL/MariaDB/SQLite-backed Drupal sites remain unaffected, which is the temporary control to fall back on if the patch window slips past today.

Defender vantage update from yesterday's brief: the operational frame is no longer "patch when convenient" but patch today — the § 0 Immediate Action carries the operational framing; this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries. CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO and SWITCH-hosted university sites, French gouvernement.fr instances and EU institution portals. Detection: WAF telemetry for nested JSON arrays in user-supplied fields hitting Drupal endpoints; PostgreSQL log_min_duration_statement to surface anomalous query shapes; web-server logs for unexpected POST payloads to anonymous routes.

UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures

UPDATE (originally covered weekly 2026-W21): CERT-UA published a bulletin (surfaced 2026-05-22) on a spring-2026 phishing campaign by Ghostwriter (a.k.a. UAC-0057, UNC1151, FrostyNeighbor) targeting Ukrainian government entities through lures themed on the Prometheus online-learning platform (The Hacker News, 2026-05-22 · SC World, 2026-05-22). The material delta from this week's weekly long-running coverage of FrostyNeighbor / Ghostwriter activity is a new three-stage implant trio distinct from the prior PicassoLoader toolset.

Chain: phishing email from a compromised account → PDF attachment with a link to a ZIP archive → ZIP carrying a JavaScript file (OYSTERFRESH). OYSTERFRESH renders a decoy document as cover while writing an obfuscated, RC4-encrypted OYSTERBLUES payload to the Windows Registry and launching OYSTERSHUCK. OYSTERSHUCK decodes OYSTERBLUES (executed via JavaScript) which then collects computer name, user account, OS version, last boot time and running process list, exfiltrates via HTTP POST to C2, and executes dynamically received JavaScript via eval(). The final payload is assessed as Cobalt Strike. (MITRE ATT&CK overlay added by this brief, not by the CERT-UA narrative as carried by The Hacker News: T1027 Obfuscated Files/Information on the OYSTERFRESH stage, T1547.001 Registry Run Keys on the OYSTERBLUES persistence, T1059.007 JavaScript on OYSTERSHUCK execution, T1219 Remote Access Software on the Cobalt Strike final.)

Defender vantage: CERT-UA's own recommendation is to block wscript.exe execution for standard user accounts — a high-yield control because the OYSTER trio relies on script-host execution from user context. EDR signal: wscript.exe spawning powershell.exe or a base64-encoded command; registry monitoring for new HKCU\Software Run-key values containing binary blobs or script paths; hunt for Cobalt Strike beacon signatures in HTTP POST egress to non-corporate domains. The EU/CH relevance is direct: Ghostwriter historically targets Belgium, Germany, Poland, Lithuania, Latvia and other NATO members alongside Ukraine, and the OYSTER implant chain is a toolset upgrade defenders should expect to see surfaced in EU government tenants and Eastern-Europe-focused think tanks.