
Ghostwriter targets Ukrainian authorities with Prometheus phishing malware

The gist: Ghostwriter has conducted phishing campaigns against Ukrainian authorities since spring 2026, using malware components OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK to deploy Cobalt Strike. Russia is using AI tools for target reconnaissance, while pro-Kremlin groups are hijacking Bluesky accounts.

The Belarus-aligned threat group Ghostwriter has conducted phishing campaigns against Ukrainian government agencies since spring 2026. The attackers use lures impersonating the Prometheus learning platform and send the phishing emails from compromised accounts; the emails ultimately lead victims to malicious JavaScript files.

The Belarus-aligned threat group Ghostwriter (also known as UAC-0057 and UNC1151) is conducting targeted phishing campaigns against Ukrainian government organizations. Ukraine’s Computer Emergency Response Team (CERT-UA) reported an ongoing campaign, active since spring 2026, in which phishing emails are sent from compromised accounts.

The attack method follows a characteristic pattern: emails contain PDF attachments with links that, when clicked, trigger the download of a ZIP archive containing a JavaScript file. This file, named OYSTERFRESH, displays a decoy document while writing the encrypted OYSTERBLUES payload to the Windows registry in the background.

OYSTERSHUCK then decodes OYSTERBLUES and collects extensive system information such as computer name, user accounts, OS version, and running processes. The data is transmitted to a command-and-control server. The final payload is identified as Cobalt Strike, an adversary simulation framework commonly abused for post-exploitation activities.
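The chain described above leaves a recognisable host footprint: a script host runs a .js from a ZIP extracted into a user-writable folder, then that same process writes an unusually large value into the registry. The following is an added detection example (not code from CERT-UA or from this article) that correlates those two steps over constructed Sysmon-style events; the event shapes, paths, PIDs and the registry key name are all assumptions.

```python
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.I)      # .js path on the command line
USER_WRITABLE = re.compile(r"\\(Downloads|Temp)\\", re.I)    # Explorer extracts ZIPs to %TEMP%\Temp1_*
MIN_VALUE_LEN = 1024          # an encrypted stage is far larger than a normal setting
WINDOW = timedelta(seconds=60)

# Constructed Sysmon-style events (event 1 = process create, 13 = registry value set).
# Not taken from the CERT-UA report: paths, PIDs and key names are made up.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T09:14:03", "id": 1, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u1\AppData\Local\Temp\Temp1_course.zip\course.js"'},
    {"ts": "2026-04-02T09:14:05", "id": 13, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\Stage", "details": "A" * 4096},
    {"ts": "2026-04-02T09:20:00", "id": 1, "pid": 5000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" "C:\Scripts\logon.js"'},   # admin script, not from Temp
    {"ts": "2026-04-02T09:20:01", "id": 13, "pid": 5000, "image": r"C:\Windows\System32\cscript.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\App\Setting", "details": "1"},
]

def find_registry_staging(events, min_value_len=MIN_VALUE_LEN, window=WINDOW):
    """Flag a script host that ran a .js from a user-writable path and then, within
    `window`, wrote a registry value of at least `min_value_len` characters."""
    suspects = {}   # pid -> (launch time, script path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        when = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1 and image in SCRIPT_HOSTS:
            m = JS_ARG.search(ev["cmdline"])
            path = (m.group(1) or m.group(2)) if m else None
            if path and USER_WRITABLE.search(path):
                suspects[ev["pid"]] = (when, path)
        elif ev["id"] == 13 and ev["pid"] in suspects:
            started, path = suspects[ev["pid"]]
            if when - started <= window and len(ev["details"]) >= min_value_len:
                alerts.append({"pid": ev["pid"], "script": path, "key": ev["key"],
                               "value_len": len(ev["details"])})
    return alerts

if __name__ == "__main__":
    for a in find_registry_staging(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['script']} staged {a['value_len']} chars in {a['key']}")
```

The rule keys on behaviour (script host from a temp path plus a large registry write) rather than on the OYSTER* names, so it still fires if the lure or file names change; PID reuse within the window would need the process GUID in real Sysmon data.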

In parallel, Ukraine’s National Security and Defense Council revealed that Russia is using AI tools such as ChatGPT and Google Gemini for target reconnaissance and malware development. Primary attack vectors identified for 2025 include social engineering, exploitation of security vulnerabilities, compromised RDP and VPN accounts, supply chain attacks, and unlicensed software.

Additionally, a pro-Kremlin propaganda campaign was uncovered that has been hijacking legitimate Bluesky user accounts since 2024 and spreading disinformation. The activity is attributed to the Moscow-based Social Design Agency, which is linked to the Matryoshka campaign.
