
Deepak Sharma


Ghostwriter Targets Ukrainian Government Entities with Prometheus-Themed Phishing Campaign

The Belarus-aligned threat actor known as Ghostwriter has been tied to a phishing campaign aimed at Ukrainian government bodies, using lures themed around Prometheus, a popular Ukrainian online learning platform.

According to cybersecurity researchers, the campaign has been running since spring 2026 and relies on previously compromised email accounts to deliver phishing messages to government organizations. The messages typically include a PDF attachment and a malicious link meant to persuade recipients into downloading a ZIP archive.

Inside the archive is a JavaScript file tracked as OYSTERFRESH. When executed, the script opens a decoy document to appear legitimate while it stages the remaining malware components in the background. Researchers report that the script writes an encrypted payload, tracked as OYSTERBLUES, into the Windows Registry and then launches another component, OYSTERSHUCK, which decrypts the payload and brings it to life.

The malware also collects detailed system information, including the computer name, the active user account, the operating system version, the last boot time, and the list of running processes, and sends this data to a remote command-and-control server.

Researchers also found that the malware can fetch additional JavaScript from attacker-controlled infrastructure and execute it on the fly via the eval() function. The final stage of the intrusion is believed to involve Cobalt Strike, a penetration testing framework frequently misused by threat actors for persistence, lateral movement, and post-exploitation activity.
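The behaviours described above (a script host dropping an encrypted blob into the registry, collecting host details, and talking to a command-and-control server) leave a recognisable trail in endpoint telemetry. The following Python snippet is an added illustration of how a defender might correlate that trail; it is example detection logic written for this post, not code from the researchers, from the malware, or from any vendor. It uses Sysmon field names, but the events themselves are constructed, the process GUIDs, paths and IP address are placeholders, and the indicator thresholds are assumptions.

```python
"""Correlate Sysmon-style endpoint events to flag a script-host dropper chain.

Example detection logic for this post; the events below are constructed.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an ordinary user can write to; a script launched from one of
# these is more suspicious than a script under a protected system path.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData|Public)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.IGNORECASE)
LARGE_VALUE = 4096  # bytes of registry value data (assumed threshold)

# Constructed sample events using Sysmon field names (EventID 1 = process
# creation, 13 = registry value set, 3 = network connection). GUIDs, paths
# and the IP address are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\course.js"'},
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\ExampleVendor\Cache\blob",
     "Details": "Q" * 9000},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: a logon script launched by userinit from a protected directory.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Group indicators by ProcessGuid for script-host processes only."""
    indicators = defaultdict(set)
    for ev in events:
        if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
            continue
        guid, eid = ev["ProcessGuid"], ev["EventID"]
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            if SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                indicators[guid].add("script_from_user_writable_path")
        elif eid == 13 and len(ev.get("Details", "")) >= LARGE_VALUE:
            # A script host storing kilobytes of data in a single value is
            # consistent with a payload being staged in the registry.
            indicators[guid].add("large_registry_value_written")
        elif eid == 3:
            # wscript/cscript rarely need the network; treat it as a signal.
            indicators[guid].add("script_host_network_connection")
    return dict(indicators)


def alerts(events, min_indicators=2):
    """Return processes that accumulated at least min_indicators signals."""
    return {guid: sorted(found) for guid, found in correlate(events).items()
            if len(found) >= min_indicators}


if __name__ == "__main__":
    for guid, found in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {guid}: {', '.join(found)}")
```

Requiring two independent indicators per process keeps a lone logon script from alerting while the full chain (user-path script, large registry write, outbound connection) scores three. In production the same logic would key on the real ProcessGuid from Sysmon or an EDR rather than on the constructed values here.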

Security experts note that the campaign fits a wider trend in which state-aligned cyber operations increasingly combine phishing, social engineering, and modular malware to maintain durable access inside government networks.

Ukrainian authorities have also drawn attention to the growing use of artificial intelligence tools by Russia-linked groups for reconnaissance, malware development, and attack automation. In recent cases, the activity has focused on intelligence gathering, communication interception, credential theft, and maintaining a hidden backdoor presence inside already compromised systems.

To reduce exposure, organizations are urged to restrict execution of script hosts such as wscript.exe, monitor for unusual email attachments, enforce stronger endpoint controls, and train users to recognize phishing, especially lures that impersonate trusted services or official-looking documents.
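Two of the points above touch the Windows Registry: the payload being staged in a registry value, and the advice to restrict wscript.exe. Both can be checked from an exported .reg file. The following Python example is added here and is not part of the original post or of any vendor tooling; it parses a plain .reg export (string, dword and hex values only), flags large high-entropy values that deserve a closer look, and reports whether Windows Script Host is disabled machine-wide and whether .js files still open in wscript.exe. The two exports are constructed, the ExampleVendor key is invented, and the length and entropy thresholds are assumptions.

```python
"""Hunt a .reg export for staged payloads and audit Windows Script Host hardening.

Added example for this post; both exports below are constructed.
"""
import base64
import math
import random
import re
from collections import Counter

# Real Windows locations consulted by the audit.
WSH_SETTINGS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"
JSFILE_OPEN_KEY = r"HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command"

# Constructed sample: random bytes stand in for an encrypted payload; the
# ExampleVendor key path is invented and is not an indicator from the campaign.
_BLOB = base64.b64encode(random.Random(7).randbytes(3000)).decode()
WEAK_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]",
    '"Count"=dword:00000003',
    '"blob"="' + _BLOB + '"',
    "",
    "[" + WSH_SETTINGS_KEY + "]",
    '"Enabled"=dword:00000001',
    "",
    "[" + JSFILE_OPEN_KEY + "]",
    r'@="\"C:\\Windows\\System32\\WScript.exe\" \"%1\" %*"',
])
HARDENED_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + WSH_SETTINGS_KEY + "]",
    '"Enabled"=dword:00000000',
    "",
    "[" + JSFILE_OPEN_KEY + "]",
    r'@="\"C:\\Windows\\System32\\notepad.exe\" \"%1\""',
])

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode_value(raw: str):
    """Decode the three .reg value forms this example supports."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \" and \\
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):  # hex:, hex(2):, hex(7): ...
        return bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    return raw


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; the default value is named ""."""
    reg, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = "" if m.group(2) else m.group(1)
            reg[key][name] = _decode_value(m.group(3))
    return reg


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encoded ciphertext scores near the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hunt_large_values(reg: dict, min_len=2048, min_entropy=5.0):
    """Flag string/binary values that are both large and high-entropy."""
    hits = []
    for key, values in reg.items():
        for name, val in values.items():
            data = val.encode() if isinstance(val, str) else val if isinstance(val, bytes) else b""
            if len(data) >= min_len:
                ent = shannon_entropy(data)
                if ent >= min_entropy:
                    hits.append((key, name, len(data), round(ent, 2)))
    return hits


def audit_wsh(reg: dict) -> dict:
    """Report whether WSH is disabled and whether .js still opens in a script host."""
    enabled = reg.get(WSH_SETTINGS_KEY, {}).get("Enabled")
    command = str(reg.get(JSFILE_OPEN_KEY, {}).get("", "")).lower()
    return {
        "wsh_disabled": enabled == 0,
        "js_opens_in_wsh": "wscript.exe" in command or "cscript.exe" in command,
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        reg = parse_reg(text)
        print(label, audit_wsh(reg), hunt_large_values(reg))
```

On a real host the input would be the output of `reg export` for the hives of interest. The entropy test is deliberately coarse: large, legitimate blobs (cached certificates, serialized settings) will also score high, so the hits are a triage list rather than a verdict, and the audit only confirms the two settings named in the mitigation advice rather than every way a script could be launched.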

Cybersecurity firms such as IntelligenceX are said to help organizations reduce these risks through threat intelligence, phishing analysis, malware monitoring, and incident response preparedness.

For government bodies and enterprises, the takeaway is straightforward: phishing campaigns keep getting more targeted, harder to detect, and more modular, so early detection and user awareness matter more than ever.
