Cybersecurity authorities in Ukraine have disclosed details of a phishing campaign linked to the Belarus-aligned threat actor known as Ghostwriter, which has reportedly targeted Ukrainian government entities using lures associated with Prometheus, a popular online learning platform in Ukraine. Also tracked under names including UAC-0057 and UNC1151, the threat group is believed to have launched phishing operations against government organizations since the spring of 2026. According to the Computer Emergency Response Team of Ukraine, commonly referred to as CERT-UA, the activity involves the use of compromised accounts to distribute deceptive emails aimed at delivering malware and establishing unauthorized access within targeted systems.
Officials stated that phishing emails sent to government entities typically include a PDF attachment containing a malicious link. Once accessed, the link reportedly downloads a ZIP archive carrying a JavaScript file identified as OYSTERFRESH. According to CERT-UA, the malware is designed to display a decoy document to distract victims while silently initiating additional malicious activity in the background. Security researchers explained that OYSTERFRESH writes an encrypted and obfuscated payload known as OYSTERBLUES into the Windows Registry while also downloading and launching another component called OYSTERSHUCK. This secondary payload is responsible for decoding OYSTERBLUES and enabling further malicious operations on compromised systems. Authorities indicated that OYSTERBLUES has capabilities allowing it to collect a broad range of system information, including computer names, user account details, operating system versions, records of the most recent operating system boot, and lists of active running processes.
The collected information is reportedly transmitted to command-and-control servers through HTTP POST requests, allowing operators to gather intelligence from compromised environments. CERT-UA further stated that the malware waits for follow-up instructions containing additional JavaScript code, which is executed using the eval() function. Researchers assess that the final-stage payload involved in the campaign is Cobalt Strike, a commercially available adversary simulation framework frequently abused by threat actors during post-exploitation activity. Security analysts explained that once deployed, such frameworks can be used for persistence, reconnaissance, lateral movement, and broader intelligence gathering within compromised networks. To reduce exposure risks, CERT-UA advised organizations to implement basic attack surface reduction measures, specifically recommending restrictions on wscript.exe execution for standard user accounts to help prevent malicious JavaScript files from launching.
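The wscript.exe restriction CERT-UA recommends can be expressed as an AppLocker executable rule. The PowerShell below is an added example, not CERT-UA's or the article's own material; the rule names, GUIDs and output path are constructed, and it assumes an elevated session on a Windows host where the AppLocker module and the Application Identity service are available.

```powershell
# Added example: AppLocker rules that deny wscript.exe to the built-in Users
# group (S-1-5-32-545) while Administrators (S-1-5-32-544) keep it.
# Rule names, GUIDs and the output path are constructed for this example.

$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- Start with AuditOnly; review AppLocker "EXE and DLL" event ID 8003
       (would have been blocked) before switching to Enabled. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Baseline allow rules, so enforcing this collection does not block everything else. -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators everything" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules win over allow rules; cover both the 64-bit and the SysWOW64 copy. -->
    <FilePathRule Id="$(New-Guid)" Name="Deny wscript.exe for Users" Description=""
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\wscript.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny wscript.exe (WOW64) for Users" Description=""
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\wscript.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-wscript-users.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy decide for wscript.exe run by a member of Users?
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-5-32-545' `
    -Path "$env:SystemRoot\System32\wscript.exe"

# AppLocker only enforces while the Application Identity service is running (needs elevation).
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# Apply locally, merging with existing rules rather than replacing them.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

In a domain, the same XML is imported into a GPO under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker, and the blocked-launch events (ID 8004 once enforcement is Enabled) are the detection signal to forward to the SIEM.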
The disclosure comes amid broader concerns raised by Ukraine’s National Security and Defense Council regarding cyber activity linked to Russian-aligned operations. Officials stated that threat actors have increasingly relied on artificial intelligence tools, including ChatGPT and Google Gemini, to assist with target reconnaissance and to integrate AI-generated capabilities into malware used during cyber operations. According to the Council, common intrusion methods observed during 2025 included social engineering, exploitation of vulnerabilities, compromised Remote Desktop Protocol and VPN credentials, supply chain attacks, and the use of unlicensed software carrying pre-installed backdoors. Separately, researchers also identified a pro-Kremlin influence operation linked to a Moscow-based organization known as Social Design Agency, which allegedly hijacked legitimate Bluesky accounts belonging to journalists and professors to distribute misleading content as part of a campaign tracked under the name Matryoshka.