Ghostwriter / UAC-0057 / FrostyNeighbor (Belarus-aligned) — new OYSTER implant chain

CERT-UA documented a spring-2026 phishing campaign deploying a new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures (daily 2026-05-23). The campaign continues the actor's focus on Ukrainian and allied government organisations; the staged implant chain is the new tradecraft. For EU/CH government estates that share the actor's target profile, the relevant control is attachment-detonation and learning-platform-lure awareness for staff.