The Belarus-aligned threat actor known as Ghostwriter has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. This activity, which began in the spring of 2026, involves sending phishing emails to government entities using compromised accounts, with further coverage provided by The Hacker News.Ghostwriter, also known as UAC-0057 and UNC1151, employs a multi-stage attack. Phishing emails containing a PDF attachment with a link lead to the download of a ZIP archive with a JavaScript file. This file, dubbed OYSTERFRESH, displays a decoy document while stealthily writing an obfuscated payload, OYSTERBLUES, to the Windows Registry. OYSTERBLUES then downloads and launches OYSTERSHUCK, which decodes the payload. OYSTERBLUES collects system information like computer name, user account, OS version, and running processes, sending it to a command-and-control server. The final payload is identified as Cobalt Strike, a framework often abused for post-exploitation activities.CERT-UA advises restricting the ability to run wscript.exe for standard user accounts to mitigate this threat. This campaign occurs amidst broader concerns about state-sponsored cyber activities, including Russia's reported use of AI tools for target scouting and embedding technology into malware, as revealed by Ukraine's National Security and Defense Council.Source: The Hacker News
Government security
Belarus-linked Ghostwriter group targets Ukraine using Prometheus learning platform lures

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



