Ethical Hacking News
Ghostwriter, a Belarus-aligned threat actor, has been targeting Ukrainian government entities with Prometheus-themed phishing malware since the spring of 2026. The campaign sends phishing emails via compromised accounts, leading to the download and launch of scripts that harvest system information and carry out post-exploitation activity with Cobalt Strike. As Russia leverages AI tools for cyber attacks and Kremlin-backed groups continue to hijack user accounts for propaganda purposes, cybersecurity measures are crucial to mitigate such threats.
Ghostwriter, a Belarus-aligned threat actor, targets government organizations in Ukraine using lures related to the Ukrainian online learning platform Prometheus. The phishing campaign involves sending emails with PDF attachments containing links that lead to the download of malicious JavaScript files. The malicious payloads include OYSTERBLUES, which harvests system information and sends it to a command-and-control server over an HTTP POST request. Russia has been utilizing AI tools like OpenAI ChatGPT and Google Gemini for cyber attacks and embedding the technology into malware. A pro-Kremlin propaganda campaign has hijacked real Bluesky users' accounts to post fake content since 2024. Experts emphasize the importance of restricting the ability to run wscript.exe for standard user accounts as a basic approach to reducing the attack surface.
Ghostwriter, a Belarus-aligned threat actor known by its aliases UAC-0057 and UNC1151, has been observed using lures related to the Ukrainian online learning platform Prometheus to target government organizations in Ukraine. This activity was first reported by the Computer Emergency Response Team of Ukraine (CERT-UA) and has been ongoing since the spring of 2026.
The phishing campaign involves sending emails with PDF attachments that contain links which lead to the download of a ZIP archive containing a JavaScript file dubbed OYSTERFRESH. Once opened, this file displays a decoy document as a distraction mechanism while stealthily writing an obfuscated and encrypted payload called OYSTERBLUES to the Windows Registry. Furthermore, it downloads and launches another script known as OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.
OYSTERBLUES is equipped with a wide array of system information harvesting capabilities, including computer name, user account details, OS version, time of last OS boot, and a list of running processes. This collected data is sent to a command-and-control (C2) server over an HTTP POST request. The script then awaits responses containing next-stage JavaScript code, which it executes using the eval() function. That next-stage payload is assessed to be Cobalt Strike, an adversary simulation framework widely abused for post-exploitation activities.
In a recent statement, the Ukraine National Security and Defense Council revealed that Russia has been utilizing artificial intelligence (AI) tools such as OpenAI ChatGPT and Google Gemini to scout targets and embed technology into malware to generate malicious commands at runtime. The council also highlighted the work of Kremlin-backed hacking groups in carrying out cyber attacks focused on obtaining intelligence and establishing a long-term presence in compromised networks to support influence operations.
This growing concern for cybersecurity is underscored by the discovery of a pro-Kremlin propaganda campaign that hijacked real Bluesky users' accounts to post fake content since 2024. The activity has been attributed to a Moscow-based company called Social Design Agency, linked to a campaign known as Matryoshka. In some cases, Bluesky has suspended the accounts until the owners initiate a reset.
The disclosure comes in light of Ukraine's growing awareness of the use of AI tools in cyber attacks and the need for enhanced cybersecurity measures to protect against such threats. Experts emphasize the importance of restricting the ability to run wscript.exe for standard user accounts as a basic approach to reducing the attack surface.
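The infection chain described above (a JavaScript file opened from a ZIP archive under a script host, followed by a payload written to the Windows Registry) leaves a recognisable trail in endpoint telemetry. The following detection heuristic is an added example, not code from the article or from CERT-UA; the event records, field names and file paths are constructed for illustration and loosely follow Sysmon's process-creation (EventID 1) and registry value-set (EventID 13) events.

```python
"""Flag script-host activity matching the OYSTERFRESH/OYSTERBLUES pattern.

Two heuristics:
  1. wscript.exe/cscript.exe launching a .js file from a user's Temp folder
     (where Explorer extracts files opened directly from a ZIP archive).
  2. A script host writing a registry value (payload staging in the Registry).
All sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Explorer extracts archive members to %LOCALAPPDATA%\Temp\Temp1_<zip name>\
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)


@dataclass
class Event:
    event_id: int              # 1 = process create, 13 = registry value set
    image: str                 # full path of the acting process
    command_line: str = ""     # EventID 1 only
    parent_image: str = ""     # EventID 1 only
    target_object: str = ""    # EventID 13 only: registry key/value written


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for events matching either heuristic."""
    findings = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        if ev.event_id == 1 and JS_FILE.search(ev.command_line) \
                and TEMP_PATH.search(ev.command_line):
            findings.append(("script_host_js_from_temp", ev))
        elif ev.event_id == 13:
            findings.append(("script_host_registry_write", ev))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry
    Event(1, r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_course.zip\lecture.js"',
          r"C:\Windows\explorer.exe"),
    Event(13, r"C:\Windows\System32\wscript.exe",
          target_object=r"HKCU\Software\ExampleVendor\Cache\blob"),
    # Benign: a scheduled maintenance .vbs run from ProgramData is not flagged.
    Event(1, r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\Vendor\maint.vbs"',
          r"C:\Windows\System32\svchost.exe"),
    # Benign: explorer.exe writing its own registry state is not a script host.
    Event(13, r"C:\Windows\explorer.exe",
          target_object=r"HKCU\Software\Microsoft\Windows\Shell\Bags\1"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "|", ev.command_line or ev.target_object)
```

In a real deployment the second heuristic is noisy on hosts that run legitimate logon scripts, so it is best correlated with the first (same process GUID or a short time window) rather than alerted on alone.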
Related Information:
https://www.ethicalhackingnews.com/articles/Ghostwriter-Targets-Ukraine-Government-Entities-with-Prometheus-Phishing-Malware-A-Growing-Concern-for-Cybersecurity-ehn.shtml
https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html
Published: Fri May 22 13:04:35 2026 by llama3.2 3B Q4_K_M