Ghostwriter Uses Prometheus Phishing Campaign to Target Ukrainian Government Agencies
#Security

Security Reporter

Belarus‑aligned threat group Ghostwriter is impersonating Prometheus, a popular Ukrainian e‑learning platform, in phishing lures that deliver a multi‑stage malware chain ending in a Cobalt Strike beacon. The campaign relies on compromised email accounts, obfuscated JavaScript payloads, and registry persistence; CERT‑UA's recommended immediate defenses include restricting wscript.exe and tightening email hygiene.

Ghostwriter’s Prometheus Phishing Campaign Hits Ukrainian Government

The Computer Emergency Response Team of Ukraine (CERT‑UA) released a detailed briefing on May 22, 2026 describing a new phishing operation run by the Belarus‑aligned actor known as Ghostwriter (also tracked as UNC1151 and UAC‑0057). The group is sending lure emails that appear to come from Prometheus, a widely used Ukrainian online learning platform, to government ministries, agencies, and local authorities.

How the attack unfolds

  1. Compromised email accounts – Ghostwriter first gains access to legitimate government mailboxes, often via stolen credentials or previously compromised RDP/VPN sessions. The attackers then use these accounts to send phishing messages to internal contacts, increasing the chance that recipients will trust the sender.

  2. Lure and attachment – Each email carries a PDF that contains a malicious link. Clicking the link triggers a download of a ZIP file. Inside is a JavaScript file named OYSTERFRESH.

  3. Decoy document – OYSTERFRESH opens a harmless‑looking document to distract the user while it works in the background.

  4. Registry persistence – The script writes an encrypted payload called OYSTERBLUES into the Windows Registry and drops a second script, OYSTERSHUCK, which is responsible for decoding the payload.

  5. Data harvesting – OYSTERBLUES gathers system details (computer name, user account, OS version, last boot time, running processes) and exfiltrates them via an HTTP POST request to a command‑and‑control (C2) server.

  6. Eval‑driven execution – The C2 replies with additional JavaScript that the victim machine runs using eval(). This final stage loads a Cobalt Strike beacon, giving the attackers a full post‑exploitation framework.

Why this matters

  • Targeted government sector – The campaign focuses on Ukrainian state bodies, a sector already under intense pressure from Russian‑aligned actors.
  • Multi‑stage obfuscation – By chaining three separate scripts and using registry storage, Ghostwriter makes static detection harder for traditional AV solutions.
  • Cobalt Strike usage – The presence of a Cobalt Strike beacon signals that the attackers intend to move laterally, exfiltrate data, and potentially deploy ransomware or espionage tools.

Expert perspective

“Ghostwriter’s approach shows a classic blend of social engineering and low‑level Windows abuse. The use of eval() on remote JavaScript is a red flag that should trigger immediate sandboxing,” says Dr. Elena Morozova, senior threat analyst at Kaspersky. “Organizations that rely on compromised accounts for internal communication need to enforce MFA and monitor for anomalous mailbox activity.”

Immediate defensive steps

CERT‑UA recommends a set of practical mitigations that can be applied without major infrastructure changes:

  1. Restrict wscript.exe – Configure AppLocker or Windows Defender Application Control (WDAC) to block wscript.exe for standard users. Only administrators should be allowed to run Windows Script Host.
  2. Email hygiene – Enable DMARC, DKIM, and SPF enforcement. Deploy anti‑phishing gateways that sandbox PDF attachments and strip active content.
  3. Credential protection – Enforce multi‑factor authentication (MFA) on all privileged and remote access accounts. Deploy password‑vault solutions that rotate credentials for RDP/VPN services.
  4. Registry monitoring – Use Sysmon or Windows Event Forwarding to alert on modifications to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and similar persistence locations.
  5. Network segmentation – Isolate critical government networks from general office LANs. Limit outbound HTTP traffic from workstations to known, approved destinations.
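The chain described above (a script host launched from an archive extracted into a user directory, a payload and a Run‑key entry written to the registry, and an outbound HTTP request made by the script host) and CERT‑UA's advice to restrict Windows Script Host and monitor the Run key both reduce to a small set of telemetry checks. The following Python is an added example, not code from CERT‑UA or from the article: it assumes Sysmon‑style process‑creation, network‑connection and registry‑value‑set events rendered into a constructed one‑line key=value form (not Sysmon's native rendering), all hostnames, SIDs, paths and addresses in the sample are constructed, and the size threshold for "payload‑sized" registry values is an assumption to tune.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry in a simplified one-line key=value form (not
# Sysmon's native rendering). Field names follow Sysmon's ProcessCreate (EventID 1),
# NetworkConnect (EventID 3) and RegistryEvent SetValue (EventID 13) events.
# Users, SIDs, paths and the 203.0.113.10 address are all constructed sample data.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"C:\\Windows\\System32\\wscript.exe\" "
    "\"C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_course.zip\\OYSTERFRESH.js\"|User=GOV\\alice",
    "EventID=13|Image=C:\\Windows\\System32\\wscript.exe"
    "|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|Details=wscript.exe //B C:\\Users\\alice\\AppData\\Roaming\\OYSTERSHUCK.js|User=GOV\\alice",
    "EventID=13|Image=C:\\Windows\\System32\\wscript.exe"
    "|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\AppDataCache\\Blob"
    "|Details=" + "A" * 5000 + "|User=GOV\\alice",
    "EventID=3|Image=C:\\Windows\\System32\\wscript.exe|DestinationIp=203.0.113.10"
    "|DestinationPort=80|Protocol=tcp|Initiated=true|User=GOV\\alice",
    "EventID=1|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=\"WINWORD.EXE\" report.docx|User=GOV\\alice",
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
    "|Details=C:\\Windows\\system32\\SecurityHealthSystray.exe|User=NT AUTHORITY\\SYSTEM",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Sysmon renders HKCU as HKU\<SID>\..., so match on the path tail, not the hive name.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a standard user can write to, including Explorer's temporary ZIP extraction folder.
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Downloads\\|\.zip\\", re.IGNORECASE)
LARGE_VALUE_BYTES = 1024  # assumption: registry values this large from a script host are suspicious


def parse_event(line):
    """Split one constructed key=value|key=value line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def image_name(fields):
    return fields.get("Image", "").rsplit("\\", 1)[-1].lower()


def evaluate(fields):
    """Return the names of every detection rule that matches one event."""
    hits = []
    eid = fields.get("EventID")
    is_script_host = image_name(fields) in SCRIPT_HOSTS
    if eid == "1" and is_script_host and USER_WRITABLE_RE.search(fields.get("CommandLine", "")):
        hits.append("script_host_from_user_dir")
    if eid == "13":
        if RUN_KEY_RE.search(fields.get("TargetObject", "")):
            hits.append("run_key_persistence")
        if is_script_host and len(fields.get("Details", "")) >= LARGE_VALUE_BYTES:
            hits.append("script_host_large_registry_value")
    if eid == "3" and is_script_host and fields.get("Initiated", "").lower() == "true":
        hits.append("script_host_network")
    return hits


def scan(lines):
    """Yield (event index, rule name, user) for every rule hit in the log."""
    alerts = []
    for index, line in enumerate(lines):
        fields = parse_event(line)
        for rule in evaluate(fields):
            alerts.append((index, rule, fields.get("User", "")))
    return alerts


def chained_users(alerts, min_rules=3):
    """Escalate users for whom several distinct stages of the chain fired."""
    rules_by_user = defaultdict(set)
    for _, rule, user in alerts:
        rules_by_user[user].add(rule)
    return {user for user, rules in rules_by_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for index, rule, user in found:
        print(f"event {index}: {rule} ({user})")
    print("escalate:", chained_users(found))
```

A single Run‑key write is common from installers and Windows components (the svchost line in the sample fires the registry rule alone), so the per‑user correlation in `chained_users` is what separates the campaign's pattern from routine noise: the script host launched from a user directory, the payload and persistence written to the registry, and the outbound connection all come from the same account.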

Broader context: AI‑enabled espionage

The briefing also referenced statements from Ukraine’s National Security and Defense Council, which warned that Russian actors are now embedding large‑language‑model tools such as OpenAI ChatGPT and Google Gemini into their malware pipelines. These AI services can generate malicious commands on the fly, making detection of novel payloads even more challenging.

“AI‑assisted code generation is turning low‑skill actors into sophisticated threat actors overnight,” notes Mikhail Ivanov, senior researcher at ESET. “Defenders must treat AI‑generated scripts as a new class of zero‑day risk.”

Takeaway for security teams

  • Treat any unexpected PDF attachment, even from a trusted sender, as suspicious.
  • Harden the execution environment for Windows Script Host.
  • Monitor for abnormal registry writes and outbound HTTP POST traffic.
  • Deploy MFA and continuous mailbox activity monitoring to limit the impact of compromised accounts.
  • Stay informed about AI‑driven threat actor techniques; consider integrating AI‑based detection tools that can flag anomalous script behavior.
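Because the campaign's phishing mail is sent from compromised, legitimate government mailboxes, SPF, DKIM and DMARC checks on those messages pass; the mailbox‑activity monitoring recommended in the takeaways and in the analyst quote above is what catches this stage. The following Python is an added example, not part of the article or of any CERT‑UA tooling: it flags a sender that, within a short window, sends attachment‑bearing mail to many recipients it has not written to before. The audit records, the 30‑day recipient baseline and the domain example.gov.ua are constructed, and the window and thresholds are assumptions to tune per organisation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-mail audit records: (UTC timestamp, sender, recipient, attachment name or None).
# Real exports (Exchange message trace, Microsoft 365 audit log) carry the same fields under other names.
SAMPLE_SENDS = [
    (f"2026-05-20T09:{m:02d}:00", "ivan@example.gov.ua", f"user{m}@example.gov.ua", "Prometheus_course.pdf")
    for m in range(10)
] + [
    ("2026-05-20T10:30:00", "olha@example.gov.ua", "ivan@example.gov.ua", None),
    ("2026-05-20T10:32:00", "olha@example.gov.ua", "user3@example.gov.ua", "agenda.pdf"),
]

# Constructed 30-day baseline: the recipients each sender normally writes to.
BASELINE = {
    "ivan@example.gov.ua": {"user0@example.gov.ua", "user1@example.gov.ua", "olha@example.gov.ua"},
    "olha@example.gov.ua": {"ivan@example.gov.ua", "user3@example.gov.ua"},
}

WINDOW = timedelta(minutes=10)  # assumption: burst window
MIN_RECIPIENTS = 8              # assumption: distinct recipients with attachments inside the window
MIN_NEW_FRACTION = 0.5          # assumption: share of recipients absent from the sender's baseline


def burst_senders(records, baseline, window=WINDOW,
                  min_recipients=MIN_RECIPIENTS, min_new_fraction=MIN_NEW_FRACTION):
    """Return {sender: (distinct recipients, fraction not in baseline)} for suspicious bursts."""
    per_sender = defaultdict(list)
    for ts, sender, recipient, attachment in records:
        if attachment:  # only messages that carry an attachment matter for this lure pattern
            per_sender[sender].append((datetime.fromisoformat(ts), recipient))

    flagged = {}
    for sender, sends in per_sender.items():
        sends.sort()
        known = baseline.get(sender, set())
        for i, (start, _) in enumerate(sends):
            # Sliding window anchored on each send: distinct recipients reached within `window`.
            recipients = {r for t, r in sends[i:] if t - start <= window}
            if len(recipients) < min_recipients:
                continue
            new_fraction = len(recipients - known) / len(recipients)
            if new_fraction >= min_new_fraction:
                best = flagged.get(sender)
                if best is None or len(recipients) > best[0]:
                    flagged[sender] = (len(recipients), round(new_fraction, 2))
    return flagged


if __name__ == "__main__":
    for sender, (count, new_fraction) in burst_senders(SAMPLE_SENDS, BASELINE).items():
        print(f"{sender}: {count} recipients with attachments, {new_fraction:.0%} outside baseline")
```

The baseline comparison is the important part: a mailbox that legitimately sends a circular to its usual distribution list reaches many recipients but few new ones, whereas a compromised account reused for internal phishing typically fans out to contacts the owner never wrote to. Feed the flagged sender into the MFA and session‑revocation steps listed above rather than relying on the email‑authentication checks, which the sender's own domain passes.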

By tightening these controls, Ukrainian government entities can reduce the attack surface that Ghostwriter is currently exploiting and make it harder for the group to maintain a foothold in critical networks.

For deeper technical details, see the full CERT‑UA report here.
