
Ghostwriter Targets Ukrainian Government Agencies with Prometheus-Themed Phishing Lures

Ravie Lakshmanan, May 22, 2026 | Malware / Artificial Intelligence

A Belarus-linked threat actor known as Ghostwriter (also tracked as UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government agencies in the country.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), the operation involves sending phishing emails to government agencies from compromised accounts. The activity has been ongoing since spring 2026.

“Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file,” the agency said in a Thursday report.

The JavaScript file, dubbed OYSTERFRESH, displays a decoy document as a distraction while silently writing a hidden, encrypted payload called OYSTERBLUES to the Windows Registry and downloading and running OYSTERSHUCK, the component responsible for loading OYSTERBLUES from the registry.

OYSTERBLUES harvests extensive system information, including the computer name, user account, OS version, last OS boot time, and the list of running processes. The collected data is sent to the command-and-control (C2) server via an HTTP POST request.

It then waits for further responses containing JavaScript code for the next stage, which is executed with the eval() function. The final payload is assessed to be Cobalt Strike, an adversary simulation framework widely used in post-exploitation operations.

“In order to reduce the chances of this cyber threat being realized, it would be good to use the basic known methods to reduce the attack surface, especially by limiting the ability of normal user accounts to run wscript.exe,” said CERT-UA.
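The chain described above leaves three correlated traces on the endpoint: a script host (wscript.exe) launching a .js file from a user-writable location, that same process writing a large encoded blob to the registry, and that same process opening a network connection for the HTTP POST to the C2. The following detector is an added example, not code from CERT-UA or from the article; the Sysmon-like event records, field names, paths, the 512-character blob threshold and the two-finding alert rule are all constructed assumptions for illustration. It correlates findings per process id so that a single benign logon script or a small registry write does not fire on its own.

```python
"""Correlate Windows Script Host activity across process, registry and network events.

Added example for the OYSTERFRESH -> OYSTERBLUES chain: a .js launched by wscript.exe
from a user-writable path, an encrypted payload written to the registry by that same
process, and an outbound connection from it. Event shape, field names and thresholds
are constructed (Sysmon-like) for illustration, not taken from CERT-UA telemetry.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Locations a standard user can write to; a script launched from here deserves a look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# A registry value this long, written by a script host, is rarely legitimate (assumed threshold).
BLOB_MIN_LEN = 512
BASE64_OR_HEX = re.compile(r"^[A-Za-z0-9+/=]+$|^[0-9A-Fa-f]+$")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {pid: set(findings)} for every script-host process seen in the events."""
    findings = defaultdict(set)
    for ev in events:
        if _basename(ev.get("image", "")) not in SCRIPT_HOSTS:
            continue  # only wscript.exe / cscript.exe activity is scored
        pid, kind = ev["pid"], ev["event"]
        if kind == "ProcessCreate":
            cmd = ev.get("cmdline", "").lower()
            if any(ext in cmd for ext in SCRIPT_EXTENSIONS) and USER_WRITABLE.search(cmd):
                findings[pid].add("script_from_user_writable_path")
        elif kind == "RegistryValueSet":
            details = ev.get("details", "")
            if len(details) >= BLOB_MIN_LEN and BASE64_OR_HEX.match(details):
                findings[pid].add("large_encoded_blob_to_registry")
        elif kind == "NetworkConnect":
            findings[pid].add("script_host_network_connection")
    return dict(findings)


def alerts(events, min_findings=2):
    """Process ids showing at least min_findings distinct suspicious behaviours."""
    return sorted(pid for pid, f in analyze(events).items() if len(f) >= min_findings)


# Constructed sample telemetry: one malicious chain (pid 4120), one benign logon
# script (pid 5000) and one unrelated network event (pid 6100).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\olena\AppData\Local\Temp\Temp1_course.zip\course.js"'},
    {"event": "RegistryValueSet", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\ExampleVendor\Cache", "details": "QUJD" * 200},
    {"event": "NetworkConnect", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "dest": "203.0.113.10:443"},
    {"event": "ProcessCreate", "pid": 5000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Windows\SYSVOL\scripts\logon.vbs"'},
    {"event": "RegistryValueSet", "pid": 5000, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Corp\LastLogon", "details": "2026-05-22"},
    {"event": "NetworkConnect", "pid": 6100, "image": r"C:\Program Files\Browser\browser.exe",
     "dest": "198.51.100.7:443"},
]

if __name__ == "__main__":
    for pid, found in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, sorted(found))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The detection complements the CERT-UA mitigation rather than replacing it: where standard users cannot run wscript.exe at all, the first finding never occurs, and the remaining two rules still catch a script host that is launched by some other route.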

The disclosure comes as Ukraine’s National Security and Defense Council exposed Russia’s use of artificial intelligence (AI) tools such as OpenAI ChatGPT and Google Gemini to probe targets and to embed the technology in malware so that it generates malicious commands at runtime, while calling out Kremlin-backed hacking groups for conducting cyber attacks focused on long-term intelligence gathering and network exploitation, including in support of influence activities.

“The leading vectors for initial intrusion in 2025 were social engineering, exploitation of vulnerabilities, use of compromised RDP and VPN accounts, supply chain attacks, and the use of unlicensed software that already contains backdoors at the installation stage,” said the Council. “The attackers are focused on stealing sensitive information, intercepting communications, and tracking the target’s location.”

On a related note, details have emerged about a pro-Kremlin propaganda campaign that has hijacked real Bluesky user accounts to post fake content since 2024. The hacked accounts include those of journalists and professors. The campaign is said to be carried out by a Moscow-based company called Social Design Agency, which is linked to the operation known as Matryoshka. In some of these cases, Bluesky has suspended the accounts until their owners initiate a reset.
