Ghostwriter Deploys Prometheus-Themed Phishing Campaign Against Ukrainian Government

Attack chain overview (from the article's diagram): compromised government email -> Prometheus-themed PDF with embedded link -> ZIP -> .JS (OYSTERFRESH dropper, run by wscript.exe) -> encrypted OYSTERBLUES payload written to the HKCU registry -> OYSTERSHUCK decoder -> OYSTERBLUES reconnaissance and eval() of C2-supplied JavaScript -> Cobalt Strike beacon -> reconnaissance and pivoting in the Ukrainian government network.

Key facts: campaign active since spring 2026; three-stage malware deployment chain; primary targets are government entities.
TL;DR
  • What: Belarus-aligned APT Ghostwriter (UAC-0057) is running an active phishing campaign against Ukrainian government entities. Emails impersonating the Prometheus learning platform deliver a three-stage JavaScript chain: the OYSTERFRESH dropper, the OYSTERBLUES payload (stored encrypted in the registry), and the OYSTERSHUCK decoder that extracts and runs it, ending in Cobalt Strike.
  • Impact: Full post-exploitation access to Ukrainian government networks, enabling credential harvesting, lateral movement, and persistent intelligence collection via Cobalt Strike beacons.
  • Fix / mitigation: Restrict wscript.exe and cscript.exe via GPO for standard users, block JavaScript execution from email attachments at the gateway, and deploy EDR signatures for obfuscated JS and Cobalt Strike behavioral patterns.
  • Who's at risk: Ukrainian government organizations and allied-nation entities targeted by Russian-aligned cyber operations; any org receiving Prometheus-branded government emails.

Belarus-aligned threat actor Ghostwriter (UAC-0057, UNC1151) is conducting an active phishing campaign against Ukrainian government organizations using lures that mimic Prometheus, Ukraine's official online learning platform. Ukraine's Computer Emergency Response Team (CERT-UA) reports the operation has been running since spring 2026, sending from compromised government email accounts to distribute multi-stage JavaScript malware that ultimately delivers Cobalt Strike.

Attack Chain Analysis

The attack begins with phishing emails sent from compromised government accounts, lending credibility to the malicious messages. Each email contains a PDF attachment with an embedded link. When clicked, victims download a ZIP archive containing a JavaScript file designated OYSTERFRESH by CERT-UA.

OYSTERFRESH is the first of the three stages. When the user runs it, it opens a decoy document to keep up the appearance of a legitimate file while doing two things in the background: writing an obfuscated, encrypted payload called OYSTERBLUES to the Windows Registry, and downloading OYSTERSHUCK, the decoder component that extracts OYSTERBLUES from the registry and executes it.

Technical Indicators

The chain depends on wscript.exe to execute JavaScript delivered inside a ZIP attachment, and it stages its second-stage payload in the user's registry hive (HKCU) rather than as a conventional dropped file. Organizations should monitor for wscript.exe or cscript.exe launched from user-writable locations (Temp, Downloads, and the Temp1_<archive>.zip folder Explorer creates when a file is opened directly from a ZIP), registry value writes performed by script hosts, and outbound HTTP from script hosts.

Reconnaissance Capabilities

OYSTERBLUES functions as an information-gathering tool, harvesting system telemetry including computer name, user account details, OS version, last boot time, and a list of running processes. This data is sent via HTTP POST requests to attacker-controlled command-and-control infrastructure.

The malware then waits for C2 responses containing next-stage JavaScript code, which it executes dynamically with eval(). This lets operators tailor follow-on activity to the compromised environment, and it complicates analysis because the next stage is never part of the sample that reaches defenders: it exists only in the C2 response, and only for victims the operators choose to task.
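The indicators called out under Technical Indicators and the HTTP POST beaconing described above can be turned into a host-side correlation rule. The block below is an added example, not code from CERT-UA, the article, or the malware authors: it correlates constructed Sysmon-style events (process create, registry value set, network connect, with fields simplified to plain dicts) per process ID and flags a script host that (1) runs a script from a user-writable or ZIP-extraction path, (2) writes a binary or large value under the user's registry hive, and (3) connects outside an assumed internal address range. The paths, SIDs, registry keys and IP addresses are constructed sample data, not indicators from the campaign.

```python
"""Correlate Sysmon-style endpoint events into the wscript.exe chain described above.

Added example, not code from CERT-UA or the article. All events, paths, SIDs,
registry keys and IP addresses below are constructed sample data, not IOCs.
Event shapes mimic Sysmon IDs 1 (process create), 13 (registry value set) and
3 (network connect), with fields simplified to plain dicts.
"""
import ipaddress
import re
from collections import defaultdict

# Windows Script Host interpreters that run .js/.vbs files.
WSH_IMAGE = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
# A WSH script file name in the command line (optionally followed by a closing quote).
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|vbe|wsf|wsh)"?(\s|$)', re.IGNORECASE)
# User-writable locations, including Explorer's Temp1_<archive>.zip folder that
# appears when a file is opened straight from a ZIP without extracting it.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Temp1_[^\\]*\.zip)\\", re.IGNORECASE)
# Sysmon records HKCU writes as HKU\<user SID>\...; accept both spellings.
USER_HIVE = re.compile(r"^(HKCU|HKU\\S-1-5-21-[0-9-]+)\\Software\\", re.IGNORECASE)
# Assumed corporate address space; anything else counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry: PID 4120 is the suspicious chain, PID 5001 is a
# benign GPO logon script run by the same interpreter.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" '
                r'"C:\Users\olena\AppData\Local\Temp\Temp1_course.zip\course.js"'},
    {"id": 13, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\Software\Classes\Example\blob",
     "details": "Binary Data"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"id": 1, "pid": 5001, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" '
                r'\\corp.example\SYSVOL\corp.example\scripts\map_drives.vbs'},
    {"id": 13, "pid": 5001, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\Software\Corp\MappedDrives",
     "details": "Z:"},
    {"id": 3, "pid": 5001, "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "10.20.30.40", "dest_port": 445},
]


def chain_stages(events):
    """Return {pid: set(stage names)} for every script-host process seen."""
    stages = defaultdict(set)
    for ev in events:
        if not WSH_IMAGE.search(ev.get("image", "")):
            continue  # only interested in wscript.exe / cscript.exe
        pid = ev["pid"]
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            if SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                stages[pid].add("script_from_user_writable_path")
        elif ev["id"] == 13:
            details = ev.get("details", "")
            blob_like = details.startswith("Binary Data") or len(details) >= 256
            if USER_HIVE.match(ev.get("target", "")) and blob_like:
                stages[pid].add("registry_blob_write")
        elif ev["id"] == 3:
            dst = ipaddress.ip_address(ev["dest_ip"])
            if not any(dst in net for net in INTERNAL_NETS):
                stages[pid].add("outbound_from_script_host")
    return stages


def alerts(events, min_stages=2):
    """PIDs that hit at least min_stages of the chain, with the stages sorted."""
    return {pid: sorted(s) for pid, s in chain_stages(events).items()
            if len(s) >= min_stages}


if __name__ == "__main__":
    for pid, hit in alerts(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(hit)}")
```

Feeding it real telemetry means mapping the Sysmon fields (Image, CommandLine, TargetObject, Details, DestinationIp) onto the same dict keys. The two-of-three threshold is a deliberate trade-off: logon scripts and admin tooling also run under wscript.exe, so a single stage on its own is noisy, while requiring all three would miss a host where the C2 connection was blocked at the proxy.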

Final Payload: Cobalt Strike Deployment

CERT-UA assesses that the final payload is Cobalt Strike, the widely abused adversary simulation framework that has become a standard toolkit for nation-state actors. Cobalt Strike provides comprehensive post-exploitation capabilities including credential harvesting, lateral movement, privilege escalation, and persistent access, the essential components for intelligence collection and long-term network compromise.

Broader Russian Cyber Operations Context

This Ghostwriter campaign aligns with broader trends documented by Ukraine's National Security and Defense Council regarding Russian cyber operations. The Council revealed Russian actors are now integrating AI tools including OpenAI ChatGPT and Google Gemini for target reconnaissance and embedding AI into malware to generate malicious commands at runtime.

According to the Council, primary attack vectors in 2025 included social engineering, vulnerability exploitation, compromised RDP and VPN accounts, supply chain attacks, and unlicensed software containing pre-installed backdoors. These campaigns focus on stealing sensitive information, intercepting communications, and tracking target locations while maintaining long-term presence for follow-on exploitation and influence operations.

Parallel Information Operations

A related pro-Kremlin propaganda campaign has hijacked real Bluesky accounts—including journalists and professors—to post fake content since 2024. The operation is attributed to Moscow-based Social Design Agency, linked to the Matryoshka campaign, demonstrating coordinated technical and information warfare.

Mitigation Recommendations

CERT-UA recommends restricting wscript.exe execution for standard user accounts to reduce the attack surface. Organizations should implement application allow-listing policies that prevent unauthorized script execution, particularly for JavaScript and VBScript files originating from email attachments or downloads; on Windows this is typically done with AppLocker or Windows Defender Application Control script rules, or by disabling Windows Script Host for non-administrative users. A cheaper complementary step is to change the default handler for .js, .jse, .vbs and .wsf files from the script host to a text editor, so that a double-click from a ZIP opens the file rather than running it.

Strategic Assessment

Ghostwriter's continued operations against Ukrainian government infrastructure demonstrate persistent targeting by Belarus-aligned actors supporting Russian strategic objectives. The use of legitimate platform lures like Prometheus shows operational sophistication in social engineering, exploiting trusted government systems to increase success rates.

The integration of AI tools by Russian actors, combined with multi-stage malware deployment techniques and long-term persistence objectives, indicates these operations are designed for sustained intelligence collection rather than disruptive attacks. Organizations in Ukraine and allied nations should assume active compromise attempts and prioritize detection of early-stage reconnaissance activities before full network compromise occurs.

The parallel execution of technical intrusion campaigns alongside information operations like the Bluesky account hijacking campaign reveals coordinated hybrid warfare tactics. Defenders must address both technical security controls and information integrity measures to counter these multi-domain threats effectively.
