Ukraine Under Siege: Ghostwriter’s Prometheus Phishing Campaign and the Escalating AI Cyber War

In the digital battleground that shadows the physical conflict, a Belarus-aligned threat actor tracked as Ghostwriter (also identified as UAC-0057 and UNC1151) has escalated its cyber offensive against Ukrainian government entities. The latest campaign uses a lure related to ‘Prometheus’, a legitimate Ukrainian online learning platform, to deliver malware through phishing emails.

Ghostwriter’s Deceptive Prometheus Campaign

Since the spring of 2026, the Computer Emergency Response Team of Ukraine (CERT-UA) has observed this persistent threat actor orchestrating a series of targeted phishing attacks. The operators compromise existing email accounts and use them to send malicious messages to government organizations, which lends the messages credibility that a newly registered sender would lack.

The Malicious Payload Delivery

The delivery chain is multi-stage: recipients receive emails that typically carry a PDF attachment. The PDF itself is only a gateway. Clicking a link inside it downloads a ZIP archive containing a JavaScript file, dubbed OYSTERFRESH, which is the initial stage of the compromise.

When executed, OYSTERFRESH displays a decoy document to the user to mask what it is doing. In the background it writes an obfuscated and encrypted payload, named OYSTERBLUES, into the Windows Registry. To decode and run OYSTERBLUES, OYSTERFRESH also downloads and launches OYSTERSHUCK, a component whose sole purpose is to decrypt the staged payload. Staging the payload in the Registry rather than on disk means that no second-stage file is ever written for file-based scanners to inspect.

Unmasking OYSTERBLUES: The Data Harvester

Once decoded, OYSTERBLUES functions as a system-profiling and information-gathering component. It collects the computer’s name, user account details, the operating system version, the time of the last OS boot, and a list of all running processes. This harvested data is exfiltrated to a command-and-control (C2) server in an HTTP POST request, after which the implant waits for further instructions.

The C2 server then returns next-stage JavaScript code, which OYSTERBLUES executes with the eval() function. Because the code is supplied by the server at runtime, the operators can change what the implant does from one victim to the next without redeploying it. CERT-UA assesses that the final payload in this chain is Cobalt Strike, a commercial adversary simulation framework frequently abused by malicious actors for post-exploitation activity, giving them interactive control within compromised networks.

Broader Cyber Warfare: AI and Propaganda

This revelation from CERT-UA arrives amid heightened cyber vigilance in Ukraine. The National Security and Defense Council of Ukraine recently highlighted Russia’s integration of artificial intelligence (AI) tools, such as OpenAI’s ChatGPT and Google Gemini, into its cyber warfare arsenal. These AI capabilities are used not only to scout targets but also to generate malicious commands at runtime within malware, a notable evolution in state-sponsored tactics.

Kremlin-backed hacking groups are reportedly intensifying their focus on intelligence gathering and establishing long-term footholds within compromised networks to facilitate future exploitation and influence operations. The Council noted that in 2025, primary vectors for initial penetration included social engineering, vulnerability exploitation, compromised RDP and VPN accounts, supply chain attacks, and the use of unlicensed software containing pre-installed backdoors. The attackers’ core objectives were consistently focused on stealing sensitive information, intercepting communications, and tracking targets’ locations.

The Shadow of Disinformation

Adding another layer to the complex cyber landscape, details have emerged regarding a pro-Kremlin propaganda campaign active since 2024. This campaign has been hijacking real Bluesky user accounts, including those of journalists and professors, to disseminate fake content. Attributed to the Moscow-based Social Design Agency, linked to the ‘Matryoshka’ campaign, this activity underscores the pervasive threat of disinformation. Bluesky has actively responded by suspending compromised accounts until owners can secure them.

Fortifying Digital Defenses

In light of these persistent and evolving threats, CERT-UA strongly advises organizations to bolster their cyber defenses. A key recommendation for mitigating JavaScript-based malware of this kind is to restrict the ability of standard user accounts to run wscript.exe, the Windows Script Host program that executes a .js file when a user double-clicks it. This simple control removes the execution path the OYSTERFRESH chain depends on. In practice the same restriction should cover cscript.exe, the console version of the same script host, since it runs the same script types; changing the default handler for .js and .jse files to a text editor so that double-clicking opens rather than executes them is a complementary measure.
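The chain described above (a script host launched from a user-writable path, a payload staged in the Registry, then an outbound connection) is also detectable on hosts where wscript.exe has not yet been restricted. The following is an added example, not code from CERT-UA or from the article, that applies those three checks to constructed Sysmon-style events. The field names follow Sysmon event IDs 1 (process create), 13 (registry value set) and 3 (network connect); the file names, registry key, IP address and size threshold are assumptions chosen for illustration.

```python
"""Triage constructed Sysmon-style events for the OYSTERFRESH-like chain.

Findings raised per script-host process:
  1. wscript/cscript ran a .js/.jse/.vbs/.vbe/.wsf file from a user-writable path
  2. the script host wrote an unusually large or binary registry value
  3. the script host opened an outbound network connection
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Paths an unprivileged user can write to, including the Temp1_*.zip folder that
# Explorer creates when a file is opened straight out of a ZIP archive.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)(\"|\s|$)", re.IGNORECASE)

# Heuristic threshold for a "suspiciously large" string value (assumption; tune locally).
LARGE_VALUE_CHARS = 2048

# Constructed sample telemetry for illustration only; not real CERT-UA data.
# Registry path and IP (TEST-NET-3) are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\olena\AppData\Local\Temp\Temp1_Prometheus_course.zip\Prometheus_course.js"'},
    {"EventID": 13, "ProcessId": 4412, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\ExampleVendor\Cache",
     "Details": "QUJD" * 800},  # long base64-looking string, stands in for an encrypted blob
    {"EventID": 3, "ProcessId": 4412, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: a domain logon script executed from a read-only network share.
    {"EventID": 1, "ProcessId": 1200, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"wscript.exe //B \\corp.example\netlogon\logon.vbs"},
    # Benign: Explorer writing its own settings; not a script host, ignored.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\Shell", "Details": "DWORD (0x00000001)"},
]


def _is_script_host(image):
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def triage(events):
    """Return {ProcessId: [finding, ...]} for script-host processes that match the chain."""
    findings = defaultdict(list)
    for ev in events:
        if not _is_script_host(ev.get("Image", "")):
            continue
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            if SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                findings[pid].append("script host ran a script from a user-writable path")
        elif eid == 13:
            details = ev.get("Details", "")
            # Sysmon logs REG_BINARY contents only as the literal "Binary Data", so
            # treat that, or any very long string value, as a possible staged payload.
            if details == "Binary Data" or len(details) >= LARGE_VALUE_CHARS:
                findings[pid].append("script host wrote a large/binary registry value to " + ev["TargetObject"])
        elif eid == 3:
            findings[pid].append("script host connected out to %s:%s" % (ev["DestinationIp"], ev["DestinationPort"]))
    return dict(findings)


def high_confidence(events, min_findings=2):
    """Process IDs with at least min_findings distinct stages of the chain observed."""
    return sorted(pid for pid, f in triage(events).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid)
        for h in hits:
            print("  -", h)
```

Any one of the three findings on its own is noisy in an enterprise (logon scripts and installers use the script host legitimately), which is why `high_confidence` requires two or more stages from the same process before escalating; the legitimate netlogon script in the sample produces no finding because it runs from a share the user cannot write to.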

The ongoing cyber conflict against Ukraine serves as a stark reminder of the critical need for robust cybersecurity measures, continuous vigilance, and a proactive approach to defending digital infrastructure against increasingly sophisticated and state-sponsored threats.
