5 malware families

Storm-0257

Also known asstorm_0257

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics28 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

4 techniques

T1583

Acquire Infrastructure

T1586

Compromise Accounts

T1588

Obtain Capabilities

T1588.002

Tool

T1608

Stage Capabilities

TA0001

Initial Access

1 technique

T1566×2

Phishing

T1566.001×2

Spearphishing Attachment

T1566.002

Spearphishing Link

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059

Command and Scripting Interpreter

T1204

User Execution

T1204.002

Malicious File

TA0003

Persistence

1 technique

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

TA0004

Privilege Escalation

1 technique

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

TA0005

Stealth

2 techniques

T1027

Obfuscated Files or Information

T1027.009

Embedded Payloads

T1036

Masquerading

T1036.005

Match Legitimate Resource Name or Location

TA0006

Credential Access

1 technique

T1212

Exploitation for Credential Access

TA0007

Discovery

3 techniques

T1033

System Owner/User Discovery

T1057×2

Process Discovery

T1082×2

System Information Discovery

TA0011

Command and Control

1 technique

T1071

Application Layer Protocol

T1071.001

Web Protocols

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Cobalt StrikeCERT-UA said the malware gathers details including the computer name, operating system version, user account information, and running processes. The agency also warned that compromised systems could later receive a payload linked to the offensive hacking framework Cobalt Strike, a legitimate penetration-testing tool frequently abused by cybercriminals and state-backed groups.2May 22, 2026

OYSTERBLUESThe malware chain ultimately deployed components known as OysterBlues and OysterShuck, which collect system information from infected devices and send it to attacker-controlled infrastructure hidden behind Cloudflare.1May 22, 2026

OYSTERFRESHThe phishing email contained a PDF attachment with a malicious link that downloaded a ZIP archive carrying malware identified as OysterFresh.1May 22, 2026

OYSTERSHUCKThe malware chain ultimately deployed components known as OysterBlues and OysterShuck, which collect system information from infected devices and send it to attacker-controlled infrastructure hidden behind Cloudflare.1May 22, 2026

PicassoLoaderKey developments include the deployment of multiple variants of the group’s main payload downloader, named PicassoLoader by CERT-UA. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++.1May 15, 2026

IOCS

Observables

9 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

9 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

No public activity tracked yet. Mallory keeps watching.

0 SOURCESView more in app

No public activity observed for this threat actor.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping21

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables9

Domains, IPs, and hashes tied to this actor, refreshed continuously.