[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6sID0XePq_OugCQ19YMfaFmoo5KQJM7N8ax8Y96yETw":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"116c3358-29ab-49cb-8b73-59f13ef6f91f","Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware","ghostwriter-targets-ukraine-government-entities-with-prometheus-phishing-malware-35ca5d","The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151Ukraine's National Security and Defense Council) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government","The Belarus-aligned Ghostwriter group is targeting Ukrainian government entities using phishing emails with lures related to the Prometheus online learning platform. The attack involves a JavaScript file (OYSTERFRESH) that deploys OYSTERBLUES and OYSTERSHUCK to harvest system information and ultimately deliver Cobalt Strike.","Ghostwriter targets Ukraine with Prometheus lures, deploying OYSTERFRESH JavaScript to deliver Cobalt Strike.","Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware Ravie LakshmananMay 22, 2026Malware \u002F Artificial Intelligence The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government entities using compromised accounts. It's been active since the spring of 2026. \"Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file,\" the agency said in a Thursday report. The JavaScript file, dubbed OYSTERFRESH, is designed to display a decoy document as a distraction mechanism, while stealthily writing an obfuscated and encrypted payload called OYSTERBLUES to the Windows Registry, as well as downloading and launching OYSTERSHUCK, which is responsible for decoding OYSTERBLUES. OYSTERBLUES is equipped to harvest a wide range of system information, including computer name, user account, OS version, time of the last OS boot, and a list of running processes. The collected data is sent to a command-and-control (C2) server over an HTTP POST request. It then awaits further responses containing next-stage JavaScript code, which is executed using the eval() function. The final payload is assessed to be Cobalt Strike, an adversary simulation framework that's widely abused for post-exploitation activities. \"To reduce the likelihood of this cyber threat being exploited, it is advisable to apply known basic approaches to reducing the attack surface, specifically by restricting the ability to run wscript.exe for standard user accounts,\" CERT-UA said. The disclosure comes as Ukraine's National Security and Defense Council revealed Russia's use of artificial intelligence (AI) tools like OpenAI ChatGPT and Google Gemini to scout targets and embed the technology into malware to generate malicious commands at runtime, while calling out Kremlin-backed hacking groups for carry out cyber attacks focused on obtaining intelligence and ensuring a long-term presence in compromised networks for follow-on exploitation, including to support influence operations. \"The main vectors of initial penetration in 2025 were social engineering, exploitation of vulnerabilities, use of compromised RDP and VPN accounts, attacks on supply chains, and the use of unlicensed software that already contains built-in backdoors at the installation stage,\" the Council said. \"Attackers focused on stealing sensitive information, intercepting communications, and tracking the location of targets.\" In a related development, details have emerged about a pro-Kremlin propaganda campaign that hijacked real Bluesky users' accounts to post fake content since 2024. Hijacked accounts included journalists and professors. The activity has been attributed to a Moscow-based company called Social Design Agency, which is linked to a campaign known as Matryoshka. In some of these cases, Bluesky has taken the step of suspending the accounts until the owners initiate a reset. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, CERT-UA, Cobalt Strike, cybersecurity, Malware, Phishing, Social Engineering, Ukraine ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\u002FCD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fghostwriter-targets-ukraine-government.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhNDmjcnVzVIqFFB-CQU7L6G8XVTifkZGmIMcPrui1EoffwwvtPXCrjKhRtIfxYsfPb5OUON4KQ1MVRosbP1BgCeFpqIIWRbgv34naUxEUTzyGRsPB6fY2gJJa5AXgT085SLFuc8ykNinXhnnpQzGAT2Kw1YwNe05vxSxlb6EVTu8_CoDws3QwR_SCk7dXm\u002Fs1600\u002Fukuk.jpg","2026-05-22T16:20:32+00:00","2026-05-22T18:00:10.877587+00:00",9,[18,21,23,25,28,30],{"name":19,"type":20},"Ghostwriter","threat_actor",{"name":22,"type":20},"UAC-0057",{"name":24,"type":20},"UNC1151",{"name":26,"type":27},"Prometheus","product",{"name":29,"type":27},"Cobalt Strike",{"name":31,"type":32},"OpenAI ChatGPT","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":33,"icon":35,"name":36,"slug":37},null,"Nation-state","nation-state",[39,44],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,53,56],{"type":43,"value":51,"context":52},"OYSTERFRESH","JavaScript file used in phishing attack",{"type":43,"value":54,"context":55},"OYSTERBLUES","Obfuscated payload written to Windows Registry",{"type":43,"value":57,"context":58},"OYSTERSHUCK","Responsible for decoding OYSTERBLUES"]