
Ghostwriter targets Ukrainian government agencies with Prometheus phishing malware


Rabi LakshmananMay 22, 2026Malware/Artificial Intelligence

A Belarus-aligned actor known as Ghostwriter (also known as UAC-0057 and UNC1151) has been observed targeting government agencies in Ukraine using decoys associated with Prometheus, a Ukrainian online learning platform.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), this activity involves sending phishing emails to government agencies using compromised accounts. The activity has been ongoing since spring 2026.

“Emails typically include a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file,” the agency said in a Thursday report.

The JavaScript file, called OYSTERFRESH, is designed to display a decoy document as a distraction mechanism while secretly writing an obfuscated and encrypted payload called OYSTERBLUES to the Windows registry, as well as downloading and launching OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.

OYSTERBLUES has the ability to collect a wide range of system information, including computer name, user account, OS version, last OS boot time, and list of running processes. The collected data is sent to a command and control (C2) server through an HTTP POST request.

It then waits for responses containing next-stage JavaScript code, which is executed using the eval() function. The final payload is assessed to be Cobalt Strike, an adversary simulation framework that is widely abused for post-exploitation activities.

“To reduce the potential for this cyber threat to be exploited, it is prudent to reduce the attack surface by applying known basic approaches, including restricting the ability to run wscript.exe, especially for standard user accounts,” CERT-UA said.
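Where wscript.exe cannot be blocked outright, process-creation logs can at least surface the delivery pattern described above, in which a script host runs a JavaScript file straight out of an unpacked archive or a download folder. The following is an added example, not code from CERT-UA or the original report; the event records, user names, and file paths are constructed, the field names are modelled on Sysmon Event ID 1, and the archive temp-folder patterns are assumptions about common archive tools.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse")
# Assumption: folders where archive tools commonly unpack a file opened from inside an archive.
ARCHIVE_TEMP = re.compile(r"\\(temp\d+_[^\\]+\.zip|7zo[^\\]+|rar\$[^\\]+)\\", re.I)
# Assumption: user-writable folders where a downloaded script typically lands.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)

# Constructed process-creation records (field names modelled on Sysmon Event ID 1).
EVENTS = [
    {"User": "GOV\\olena", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\olena\AppData\Local\Temp\Temp1_course.zip\certificate.js"'},
    {"User": "GOV\\ivan", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Users\ivan\Downloads\report.js"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Vendor\maintenance.js"'},
    {"User": "GOV\\ivan", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\ivan\Downloads\report.js"},
]

def script_paths(command_line):
    """Return script-file arguments (quoted or bare) that follow the host executable."""
    tokens = [q or b for q, b in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    return [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)]

def flag_events(events):
    """Return (user, script, reason) for script-host launches of scripts in risky locations."""
    hits = []
    for ev in events:
        # Only Windows Script Host binaries are of interest; editors opening .js are ignored.
        if ev["Image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        for path in script_paths(ev["CommandLine"]):
            if ARCHIVE_TEMP.search(path):
                hits.append((ev["User"], path, "run from archive extraction folder"))
            elif USER_WRITABLE.search(path):
                hits.append((ev["User"], path, "run from user-writable folder"))
    return hits

if __name__ == "__main__":
    for user, path, reason in flag_events(EVENTS):
        print(f"ALERT {user}: {path} ({reason})")
```

The scheduled maintenance script under Program Files and the Notepad launch are deliberately left unflagged, which keeps the rule focused on standard-user script execution.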

The disclosure came after Ukraine’s National Security and Defense Council revealed that Russia is using artificial intelligence (AI) tools such as OpenAI ChatGPT and Google Gemini to spy on targets and is embedding the technology in malware to generate malicious commands when executed. The council said Kremlin-backed hacker groups are carrying out cyberattacks aimed at obtaining information, maintaining a long-term presence on compromised networks, and enabling subsequent exploitation such as supporting influence operations.

“The main vectors of initial intrusion in 2025 were social engineering, vulnerability exploitation, use of compromised RDP and VPN accounts, supply chain attacks, and the use of unlicensed software that already had backdoors built in at the installation stage,” the council said. “The attackers focused on stealing sensitive information, intercepting communications, and tracking the location of their targets.”

In a related development, details have emerged of a pro-Kremlin propaganda campaign that has been hijacking the accounts of real Bluesky users and posting fake content since 2024. The compromised accounts also included journalists and university professors. The activity was carried out by a Moscow-based company called Social Design Agency and is said to be associated with a campaign known as Matryoshka. In some of these cases, Bluesky took steps to suspend the accounts until the owners initiated a reset.

