2026-05-22 The Hacker News

Ghostwriter APT Targets Ukraine Gov with Prometheus Phishing Malware


The Belarus-aligned threat actor Ghostwriter, also tracked as UAC-0057 and UNC1151, has been observed conducting phishing campaigns against Ukrainian government entities since spring 2026. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the group uses compromised accounts to send phishing emails disguised as communications from Prometheus, a Ukrainian online learning platform. The emails carry PDF attachments whose embedded links lead to the download of ZIP archives containing malicious JavaScript files.

The infection chain starts with a JavaScript downloader designated OYSTERFRESH, which displays a decoy document to the user while silently writing an obfuscated, encrypted payload called OYSTERBLUES to the Windows Registry. A second component, OYSTERSHUCK, decodes OYSTERBLUES and harvests system information: computer name, user account details, OS version, last boot time and running processes, all sent to a command-and-control (C2) server via HTTP POST requests. The malware then waits for next-stage JavaScript code, which it executes through the eval() function.

The final-stage payload is assessed to be Cobalt Strike, a widely abused adversary simulation framework used for post-exploitation activity. CERT-UA recommends restricting wscript.exe execution for standard user accounts to mitigate this threat. The disclosure coincides with Ukraine's National Security and Defense Council revealing that Russian-linked groups have begun using AI tools, including OpenAI ChatGPT and Google Gemini, to scout targets and generate malicious commands at runtime. Attack vectors seen in 2025 included social engineering, vulnerability exploitation, compromised RDP and VPN accounts, supply chain attacks, and unlicensed software containing embedded backdoors.
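As an added illustration, not code from CERT-UA or the article, the detection logic below runs over constructed Sysmon-style events and flags a wscript.exe (or cscript.exe) process that launches a .js file from a user-writable path and then writes to the registry or opens a network connection, the sequence attributed above to OYSTERFRESH and OYSTERSHUCK. Field names follow Sysmon conventions; the sample events, process GUIDs, paths and addresses are made up.

```python
"""Flag script-host processes that follow the chain described in the article:
a .js launched from a user-writable path, followed by a registry write and/or
an outbound connection. Input is a list of Sysmon-style event dicts
(EventID 1 = process create, 13 = registry value set, 3 = network connect)."""
from collections import defaultdict

# Paths where a ZIP attachment is typically opened or extracted by the user.
USER_PATHS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed sample events (assumed field names, made-up values).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_course.zip\\course.js"'},
    {"EventID": 13, "ProcessGuid": "A", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\blob", "Details": "Binary Data"},
    {"EventID": 3, "ProcessGuid": "A", "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # Benign: a logon script run by the same host, not from a user path.
    {"EventID": 1, "ProcessGuid": "B", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Scripts\\logon.vbs"'},
    # Benign: ordinary browser traffic to the same address.
    {"EventID": 3, "ProcessGuid": "C", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
]


def is_script_host(image):
    """True for the Windows Script Host binaries the CERT-UA mitigation targets."""
    return image.lower().endswith(("\\wscript.exe", "\\cscript.exe"))


def analyse(events):
    """Return {ProcessGuid: [indicators]} for script-host processes matching the chain."""
    indicators = defaultdict(list)
    for e in events:
        if not is_script_host(e.get("Image", "")):
            continue
        guid = e["ProcessGuid"]
        if e["EventID"] == 1:
            cmd = e.get("CommandLine", "").lower()
            if ".js" in cmd and any(p in cmd for p in USER_PATHS):
                indicators[guid].append("js_from_user_path")
        elif e["EventID"] == 13:
            indicators[guid].append("registry_write")
        elif e["EventID"] == 3:
            indicators[guid].append("network_connection")
    # Alert only when the script launch is followed by at least one further action.
    return {g: i for g, i in indicators.items() if "js_from_user_path" in i and len(i) > 1}
```

Feeding real Sysmon exports into analyse() only requires mapping their field names onto the ones used here.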

Source: The Hacker News
