Ghostwriter is targeting Ukrainian government organizations with phishing emails that use Prometheus-themed lures, leading to a multi-stage infection chain that deploys OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK before loading Cobalt Strike. The broader report also highlights Russia-linked use of AI tools for target scouting and malware generation, along with a pro-Kremlin propaganda campaign tied to Social Design Agency and Matryoshka. #Ghostwriter #UAC0057 #UNC1151 #Prometheus #CERTUA #OYSTERFRESH #OYSTERBLUES #OYSTERSHUCK #CobaltStrike #SocialDesignAgency #Matryoshka #Bluesky
Key points
- Ghostwriter is using Prometheus-related phishing lures against Ukrainian government organizations.
- The attack starts with emails from compromised accounts and PDF attachments that lead to a ZIP file.
- OYSTERFRESH drops OYSTERBLUES and launches OYSTERSHUCK to decode the payload.
- OYSTERBLUES collects system details and sends them to a C2 server before executing more JavaScript.
- The final payload is assessed to be Cobalt Strike, while CERT-UA advises restricting wscript.exe for standard users.
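Added example, not code from the report or from CERT-UA: detection logic in Python for the behaviour the wscript.exe advice above targets, flagging wscript.exe or cscript.exe started at standard-user (Low/Medium) integrity on a script file under a user-writable path. The `key=value|key=value` event format and the sample events are constructed; field names only mimic a process-creation log.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not from the report).
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="wscript.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_attachment.zip\\attachment.js"|User=CORP\\alice|IntegrityLevel=Medium',
    'Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine="wscript.exe" C:\\Windows\\System32\\slmgr.vbs /dlv|User=NT AUTHORITY\\SYSTEM|IntegrityLevel=System',
    'Image=C:\\Windows\\System32\\cscript.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=cscript //nologo C:\\Users\\bob\\Downloads\\update.js|User=CORP\\bob|IntegrityLevel=Medium',
    'Image=C:\\Program Files\\App\\app.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=app.exe|User=CORP\\alice|IntegrityLevel=Medium',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path fragments that a standard user can normally write to (assumption, tune per estate).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")

def parse_event(line):
    """Split a 'key=value|key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def script_paths(cmdline):
    """Return script-looking paths found in a command line (quoted or bare tokens)."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    paths = [quoted or bare for quoted, bare in tokens]
    return [p for p in paths if p.lower().endswith(SCRIPT_EXT)]

def is_suspicious(event):
    """Script host, run at standard-user integrity, on a script in a user-writable path."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in SCRIPT_HOSTS:
        return False
    if event.get("IntegrityLevel", "") not in ("Low", "Medium"):
        return False  # SYSTEM/High runs of built-in scripts (e.g. slmgr.vbs) are not the target
    for path in script_paths(event.get("CommandLine", "")):
        if any(marker in path.lower() for marker in USER_WRITABLE):
            return True
    return False

def detect(lines):
    """Return (user, script path) for every flagged event, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append((event["User"], script_paths(event["CommandLine"])[0]))
    return hits

if __name__ == "__main__":
    for user, path in detect(SAMPLE_EVENTS):
        print(f"ALERT: {user} ran a script host on {path}")
```

Blocking wscript.exe for standard users removes the execution vector outright; this check is for spotting attempts where the host is still allowed.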
Read More: https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html