The Belarus-aligned cyber group known as Ghostwriter has been implicated in a new wave of phishing attacks targeting Ukraine’s government entities. Leveraging themes associated with Prometheus, an online educational platform, these attacks have been ongoing since spring 2026, according to Ukraine’s Computer Emergency Response Team (CERT-UA).
Phishing Tactics and Malware Deployment
Ghostwriter sends the phishing emails from compromised accounts to Ukrainian government organizations. Each email carries a PDF attachment that links to a ZIP archive. The archive holds a JavaScript file, tracked as OYSTERFRESH, which when run opens a decoy document for the victim while writing an encrypted payload, OYSTERBLUES, into the Windows registry.
OYSTERBLUES collects basic host information, including the computer name, user account details, and operating system version, and sends it to a command-and-control server. The operators use that foothold to deliver Cobalt Strike, a commercial adversary-simulation framework that is widely abused for post-exploitation.
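The delivery step in the chain above, a JavaScript file pulled out of a ZIP and run through the Windows Script Host, leaves a recognisable trace in process-creation telemetry. The following hunting function is an added example and not part of the CERT-UA advisory or the article: it takes objects shaped like Sysmon Event ID 1 records and flags wscript.exe or cscript.exe launching a script file from a user-writable location. The three events in `$SampleEvents`, including the user name, file names and timestamps, are constructed for the example; on a live host `$Events` would be built from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` instead.

```powershell
# Added hunting example (not from the CERT-UA advisory). Input: objects with the
# Image, CommandLine, ParentImage, User and UtcTime fields of a Sysmon
# Event ID 1 (process creation) record.
function Find-SuspiciousScriptHostLaunch {
    param([Parameter(Mandatory)][object[]]$Events)

    $scriptHosts = 'wscript.exe', 'cscript.exe'   # both WSH hosts execute .js files

    # Locations where a downloaded or extracted script normally lands.
    $userPaths = '\\Users\\[^\\]+\\Downloads\\',
                 '\\Users\\[^\\]+\\Desktop\\',
                 '\\AppData\\Local\\Temp\\',
                 '\\AppData\\Roaming\\'
    # Explorer extracts a file opened directly from a ZIP into %TEMP%\TempN_<archive>.zip\
    $zipPreview = '\\Temp\\Temp\d+_[^\\]+\.zip\\'

    # Script path argument, quoted or bare, ending in a WSH-handled extension.
    $scriptArg = '(?i)"?([A-Z]:\\[^"]+?\.(?:jse|js|wsf|vbe|vbs))(?="|\s|$)'

    foreach ($e in $Events) {
        $image = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($scriptHosts -notcontains $image) { continue }
        if ($e.CommandLine -match $scriptArg) {
            $script       = $Matches[1]
            $fromUserPath = [bool]($userPaths | Where-Object { $script -match $_ })
            $fromZip      = $script -match $zipPreview
            if ($fromUserPath -or $fromZip) {
                [pscustomobject]@{
                    UtcTime = $e.UtcTime
                    User    = $e.User
                    Host    = $image
                    Script  = $script
                    Parent  = $e.ParentImage
                    FromZip = $fromZip
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). Only the first one should be flagged:
# a user double-clicked a .js inside a ZIP from Explorer, so it ran from the ZIP preview folder.
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime     = '2026-04-02 08:14:51'
        Image       = 'C:\Windows\System32\wscript.exe'
        CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\olena\AppData\Local\Temp\Temp1_invite.zip\invite.js"'
        ParentImage = 'C:\Windows\explorer.exe'
        User        = 'CORP\olena'
    }
    [pscustomobject]@{   # legitimate scheduled inventory script from a protected path: not flagged
        UtcTime     = '2026-04-02 08:20:00'
        Image       = 'C:\Windows\System32\cscript.exe'
        CommandLine = 'C:\Windows\System32\cscript.exe //nologo "C:\Program Files\Contoso\inventory.vbs"'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        User        = 'NT AUTHORITY\SYSTEM'
    }
    [pscustomobject]@{   # not a script host: skipped
        UtcTime     = '2026-04-02 08:21:13'
        Image       = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        CommandLine = '"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'
        ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        User        = 'CORP\olena'
    }
)

Find-SuspiciousScriptHostLaunch -Events $SampleEvents | Format-Table -AutoSize
```

The `FromZip` column is the highest-signal field: a script host started from Explorer's ZIP preview folder means a user opened a file straight out of an archive, which is exactly the user action this lure relies on. The path list and extension list are deliberately broad; tune them to the estate rather than to this one campaign.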
Preventive Measures and Recommendations
To reduce the attack surface, CERT-UA recommends restricting the execution of wscript.exe for standard users. Because the OYSTERFRESH dropper is a JavaScript file executed by the Windows Script Host, denying ordinary users the right to run wscript.exe breaks the chain before the payload is written to the registry, without affecting administrators who still need the tool.
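One way to apply that recommendation on a single host, as an added example that is not CERT-UA's own guidance or code: add an explicit Deny-Execute ACE for the built-in Users group on wscript.exe and verify that it took effect. It assumes an elevated PowerShell session, a 64-bit Windows install (so the SysWOW64 copy of wscript.exe exists as well), and that no AppLocker or WDAC policy already governs script hosts; the function names are the example's own.

```powershell
# Added example (not CERT-UA's code): deny execution of the Windows Script Host
# to standard users via the file ACL, then verify the deny ACE is present.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Both copies of the script host on 64-bit Windows; cscript.exe could be added here too.
$ScriptHosts = @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe"
) | Where-Object { Test-Path $_ }

# Well-known SIDs, so the script works regardless of display language.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$UsersName = (New-Object System.Security.Principal.SecurityIdentifier $UsersSid).Translate(
                 [System.Security.Principal.NTAccount]).Value

function Deny-ScriptHostExecution {
    param([Parameter(Mandatory)][string]$Path)
    # System32 binaries are owned by TrustedInstaller, so take ownership first,
    # give Administrators full control, then add a Deny ACE for the Execute right.
    # Deny ACEs are evaluated before Allow ACEs, so membership in Users is enough
    # to block execution even when another group grants it.
    takeown.exe /F $Path /A               | Out-Null
    icacls.exe  $Path /grant "*${AdminsSid}:F"   | Out-Null
    icacls.exe  $Path /deny  "*${UsersSid}:(X)"  | Out-Null
}

function Test-ScriptHostDenied {
    param([Parameter(Mandatory)][string]$Path)
    # True when an explicit Deny ACE for Users that covers ExecuteFile exists.
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $UsersName -and
            (([int]$ace.FileSystemRights -band $execute) -ne 0)) {
            return $true
        }
    }
    return $false
}

foreach ($path in $ScriptHosts) {
    if (-not (Test-ScriptHostDenied -Path $path)) { Deny-ScriptHostExecution -Path $path }
    '{0}: execute denied for {1} = {2}' -f $path, $UsersName, (Test-ScriptHostDenied -Path $path)
}
```

Two caveats for production use. A file ACL is a per-host control that Windows servicing can reset when wscript.exe is replaced by an update, so in a managed estate the same rule belongs in AppLocker, WDAC or a Group Policy file-system entry, with the check above kept as a compliance probe. And if no one on the host needs the Windows Script Host at all, setting `Enabled` to `0` under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings` disables it for every user, administrators included, which is a broader change than the one CERT-UA describes.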
Separately, Ukraine’s National Security and Defense Council has highlighted the role of artificial intelligence tools such as OpenAI’s ChatGPT in raising the sophistication of these attacks. The tools are reportedly used to automate the creation of malicious commands, which lowers the effort needed to produce and vary the tooling defenders must detect.
Broader Cyber Threat Landscape
Alongside these phishing campaigns, Ukraine’s National Security and Defense Council has disclosed ongoing cyber operations by Russian-backed groups. These operations focus on obtaining sensitive information and maintaining a foothold in compromised networks. The primary methods of infiltration in 2025 included social engineering, exploiting vulnerabilities, and using compromised accounts, among others.
In a related incident, a pro-Kremlin propaganda effort has been uncovered, involving the hijacking of Bluesky users’ accounts to disseminate false information. This campaign, linked to the Moscow-based Social Design Agency and known as Matryoshka, underscores the multifaceted nature of cyber threats facing Ukraine.
As these developments unfold, Ukraine remains vigilant in strengthening its cybersecurity measures, emphasizing the need for continuous adaptation to counter evolving threats.
