Campaign Overview
A threat actor linked to Belarus, known as Ghostwriter, has been targeting government organizations in Ukraine with a phishing campaign. The attacks, active since spring 2026, use compromised email accounts to send messages that reference Prometheus, a legitimate Ukrainian online learning platform. The Computer Emergency Response Team of Ukraine (CERT-UA) disclosed the activity in a report.
The phishing emails contain a PDF attachment with a link. When clicked, the link downloads a ZIP archive that includes a JavaScript file. This file, named OYSTERFRESH, shows a decoy document to distract the victim while it writes an obfuscated payload to the Windows Registry.
Malware Execution and Impact
A second script, OYSTERSHUCK, decodes and runs the payload, called OYSTERBLUES. This payload collects system information such as the computer name, user account, operating system version, last boot time, and a list of running processes. It sends this data to a command-and-control (C2) server via an HTTP POST request. The server can then respond with additional JavaScript code that executes on the victim's machine.
The final stage of the attack deploys Cobalt Strike, a legitimate adversary simulation tool that is often misused for post-exploitation activity. CERT-UA recommends restricting the ability to run wscript.exe for standard user accounts to reduce the attack surface.
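One way to apply that recommendation on a single host, as an added PowerShell example that is not from the article or from CERT-UA: an AppLocker executable rule that denies wscript.exe to BUILTIN\Users, merged into the local policy. The rule names, the temporary file path and the generated GUIDs are constructed here, and the host is assumed to run a Windows edition that supports AppLocker with the Application Identity service (AppIDSvc) started.

```powershell
# Added example: deny wscript.exe to standard users with AppLocker.
# Run from an elevated PowerShell session. The default allow rules are included because
# enforcing the Exe collection with only a deny rule would block every executable that
# is not explicitly allowed.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Deny wscript.exe (System32) for Users"
                  Description="CERT-UA mitigation for JavaScript loaders"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\System32\wscript.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny wscript.exe (SysWOW64) for Users"
                  Description="32-bit copy of the same script host"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\wscript.exe" /></Conditions>
    </FilePathRule>
    <!-- Default allow rules, equivalent to the ones the AppLocker console generates -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators everything" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Constructed temporary path for the policy file
$xmlPath = Join-Path $env:TEMP 'deny-wscript-applocker.xml'
Set-Content -Path $xmlPath -Value $policyXml

# Merge rather than replace, so existing rules in other collections survive.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Check the result: deny rules always win in AppLocker, so wscript.exe should report
# "Denied" for a member of Users. Authenticated Users is a default member of BUILTIN\Users,
# so interactive administrator sessions are affected as well; point UserOrGroupSid at a
# narrower group if administrators must keep wscript.exe.
# cscript.exe is the console twin of the same script host and is not covered by these rules.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:SystemRoot\System32\wscript.exe" -User 'S-1-5-32-545'
```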
Source: The Hacker News
