The Ghostwriter group (also tracked as UAC-0057 and UNC1151), which has been linked to Belarus, is running a phishing campaign against Ukrainian government organizations using lures themed around the Ukrainian educational platform Prometheus. According to CERT-UA, the attackers send phishing emails from compromised accounts, and the infection chain involves a new malware family with components OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK, whose ultimate goal is to deploy the Cobalt Strike framework. The campaign has reportedly been active since spring 2026, and Ukrainian public-sector organizations are advised to immediately restrict the execution of wscript.exe for standard users.
Infection chain: from PDF to Cobalt Strike
According to the CERT-UA report, a typical attack starts with a phishing email sent from a compromised account. The email contains a PDF attachment with a link that, when followed, downloads a ZIP archive containing a JavaScript file.
The malicious JavaScript file, dubbed OYSTERFRESH, performs several tasks in parallel:
- Displays a decoy document to distract the user
- Writes the obfuscated and encrypted OYSTERBLUES payload into the Windows Registry
- Downloads and launches the OYSTERSHUCK component, which is responsible for decrypting OYSTERBLUES
Once activated, OYSTERBLUES collects system information: computer name, user account, OS version, last system boot time, and a list of running processes. The collected data is sent to the command-and-control (C2) server via an HTTP POST request.
The malware then waits for a response from the C2 server containing the JavaScript code for the next stage, which is executed via the eval() function. CERT-UA assesses that the final payload is Cobalt Strike — a framework originally designed for penetration testing but widely abused by threat actors for post-exploitation activities.
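The execution step of this chain, a user launching the .js from the extracted ZIP, leaves a process-creation record. As an added example (not from the CERT-UA report or the article), the PowerShell below hunts for a Windows Script Host process given a .js/.jse file that lives in a user-writable path. The sample records are constructed; the field names are what the helper pulls out of Security event 4688 when command-line auditing is enabled. The Temp1_*.zip path is how Explorer stages a file opened straight from inside a ZIP, which is an assumption about how the victim opens the attachment, not something the report states.

```powershell
# Added example (not CERT-UA material): hunt for the execution stage of the chain, i.e. a Windows
# Script Host process given a .js/.jse file that sits in a user-writable location.
# Requires Security event 4688 with "Include command line in process creation events" enabled.

$ScriptHosts = @('wscript.exe', 'cscript.exe')   # both run JScript; CERT-UA names wscript.exe
$ScriptExt   = '\.(js|jse)\b'

# Locations a standard user can write to and where a downloaded or extracted script usually lands.
$UserWritable = @('\\AppData\\Local\\Temp\\', '\\Downloads\\', '\\Desktop\\', '\\AppData\\Roaming\\')

function Test-ScriptHostFromUserPath {
    param(
        [Parameter(Mandatory)] [string] $Image,        # 4688 NewProcessName
        [Parameter(Mandatory)] [string] $CommandLine,  # 4688 CommandLine
        [string] $ParentImage = ''                     # 4688 ParentProcessName
    )
    $name = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    if ($ScriptHosts -notcontains $name) { return $null }

    $reasons = @()
    if ($CommandLine -match $ScriptExt) { $reasons += 'script host given a .js/.jse argument' }
    foreach ($p in $UserWritable) {
        if ($CommandLine -match $p) { $reasons += 'script located under a user-writable path'; break }
    }
    # Explorer stages a file opened from inside a ZIP under %TEMP%\Temp1_<archive>.zip\ (assumption about
    # how the victim opens the attachment; the report only says the ZIP contains the .js).
    if ($CommandLine -match 'Temp1_[^\\]+\.zip\\') { $reasons += 'script run straight out of a ZIP (Explorer Temp1_ folder)' }
    if ($ParentImage -match 'explorer\.exe$') { $reasons += 'launched from Explorer, i.e. a double-click' }

    if ($reasons.Count -lt 2) { return $null }   # a script host with no interesting script path is normal admin noise
    [pscustomobject]@{ Image = $Image; Parent = $ParentImage; CommandLine = $CommandLine; Reasons = ($reasons -join '; ') }
}

# Turn a real 4688 record into the three fields above.
# Usage: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ForEach-Object { ConvertFrom-ProcessCreationEvent $_ }
function ConvertFrom-ProcessCreationEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $x = [xml] $Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Image = $d['NewProcessName']; CommandLine = $d['CommandLine']; ParentImage = $d['ParentProcessName'] }
}

# Constructed sample records, not real telemetry: one matching the chain, one benign admin script, one non-script-host.
$Samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\wscript.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Prometheus_course.zip\course_materials.js"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\wscript.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'
        CommandLine = '"C:\Windows\System32\wscript.exe" C:\ProgramData\Vendor\maintenance.vbs' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'notepad.exe C:\Users\alice\Downloads\notes.js' }
)

$Samples |
    ForEach-Object { Test-ScriptHostFromUserPath -Image $_.Image -CommandLine $_.CommandLine -ParentImage $_.ParentImage } |
    Where-Object { $_ } |
    Format-List
```

Only the first sample survives the two-reason threshold; the vendor maintenance script under ProgramData and the notepad launch produce nothing. The threshold is a tuning knob: a single reason (a script host with any .js argument) is too noisy on hosts where administrators use WSH, while two or more reasons pin down the pattern the report describes.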
Group profile and threat context
Ghostwriter is a group that researchers associate with Belarus. It systematically targets Ukrainian government entities, and the use of compromised email accounts to distribute phishing messages aligns with tactics previously observed for this group. The choice of the Prometheus educational platform as a lure reflects a targeted approach: online learning themes tend to inspire trust among government employees who may use such platforms for professional development.
The malware architecture is noteworthy: splitting functionality across three components (loader, encrypted payload in the Registry, decrypter) complicates detection. Storing OYSTERBLUES in the Windows Registry rather than the file system helps evade certain security tools focused on file-based analysis.
Broader context: AI in attackers’ toolkits
In parallel with the disclosure of the Ghostwriter campaign, Ukraine's National Security and Defense Council published a report stating that, based on the data available to it, Russian groups use artificial intelligence tools, in particular OpenAI ChatGPT and Google Gemini, for target reconnaissance and embed AI components into malware so that commands are generated at runtime. According to the same document, the primary initial access vectors in 2025 were social engineering, vulnerability exploitation, use of compromised RDP and VPN accounts, supply-chain attacks, and pirated software with built-in backdoors.
The claims about the use of AI in cyberattacks are based on a government report and have not been corroborated by independent technical research.
Impact assessment
The main targets of this campaign are Ukrainian government organizations. Deployment of Cobalt Strike as the final payload suggests that the attackers seek long-term persistence in the network, with capabilities for lateral movement, data exfiltration, and further expansion of access. The use of compromised email accounts increases the effectiveness of the phishing emails, since they appear to come from trusted senders.
Recommendations for defense
The following measures reduce the risk from this chain; the first is CERT-UA's direct recommendation, the rest follow from the infection chain described above:
- Restrict execution of wscript.exe for standard user accounts (CERT-UA's direct recommendation). This removes the interpreter the malicious JavaScript file needs; since cscript.exe runs the same .js files, restrict it alongside wscript.exe so the chain cannot simply switch hosts
- Configure script execution restriction policies (Software Restriction Policies or AppLocker) to block JavaScript files from executing out of temporary directories and user folders
- Enhance monitoring of Windows Registry entries — detecting large obfuscated data blobs in atypical registry keys may indicate OYSTERBLUES activity
- Check email systems for signs of account compromise, especially accounts with access to mailing lists for government organizations
- Block or sandbox ZIP downloads from uncategorized domains at the proxy, and flag or detonate PDF attachments that carry external links at the mail gateway (the proxy alone cannot tell that a link originated in a PDF)
- Monitor HTTP POST requests to unusual external servers that may indicate C2 communications
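The registry-resident payload described in the group profile, and the registry-monitoring measure in the list above, both come down to one hunt: find values far larger than any configuration setting has a reason to be. The PowerShell below is an added example, not CERT-UA's code; the report does not name the keys or value sizes OYSTERBLUES uses, so the 4 KB threshold, the hives walked, and the entropy reading are triage assumptions, not indicators.

```powershell
# Added example (not CERT-UA material): walk the user and machine Software hives and report
# string/binary values of unusual size, with a Shannon entropy column to tell encrypted or
# encoded blobs from large plain-text settings. Threshold and hives are assumptions for triage.

$MinBytes = 4096   # legitimate string values are almost always far smaller; tune per environment

function Get-ShannonEntropy {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) }
    }
    return $h   # bits per byte: raw encrypted ~8, base64 ~6, hex or prose ~4-4.5
}

# Normalise any value kind to bytes so size and entropy are comparable across REG_SZ and REG_BINARY.
function ConvertTo-ValueBytes {
    param($Value, [Microsoft.Win32.RegistryValueKind] $Kind)
    switch ($Kind.ToString()) {
        'Binary'      { return [byte[]] $Value }
        'None'        { return [byte[]] $Value }
        'MultiString' { return [Text.Encoding]::UTF8.GetBytes(($Value -join "`0")) }
        default       { return [Text.Encoding]::UTF8.GetBytes([string] $Value) }
    }
}

function Find-LargeRegistryValues {
    param([Microsoft.Win32.RegistryKey] $Root, [string] $SubKey, [int] $MinBytes = 4096)
    $key = $null
    try {
        $key = $Root.OpenSubKey($SubKey, $false)   # read-only; throws on keys the caller cannot read
        if (-not $key) { return }
        foreach ($name in $key.GetValueNames()) {
            $kind  = $key.GetValueKind($name)
            $raw   = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $bytes = ConvertTo-ValueBytes -Value $raw -Kind $kind
            if (-not $bytes -or $bytes.Length -lt $MinBytes) { continue }
            $display = if ($name) { $name } else { '(Default)' }
            [pscustomobject]@{
                Key = $key.Name; Value = $display; Kind = $kind; Bytes = $bytes.Length
                Entropy = [math]::Round((Get-ShannonEntropy -Bytes $bytes), 2)
            }
        }
        foreach ($child in $key.GetSubKeyNames()) {
            Find-LargeRegistryValues -Root $Root -SubKey "$SubKey\$child" -MinBytes $MinBytes
        }
    }
    catch [System.Security.SecurityException]   { }   # ACL-protected key: skip silently
    catch [System.UnauthorizedAccessException]  { }
    finally { if ($key) { $key.Close() } }
}

# HKCU covers only the user running the hunt; other profiles need their NTUSER.DAT loaded or a per-user run.
$Targets = @(
    @{ Root = [Microsoft.Win32.Registry]::CurrentUser;  SubKey = 'Software' }
    @{ Root = [Microsoft.Win32.Registry]::LocalMachine; SubKey = 'SOFTWARE' }
)
$hits = foreach ($t in $Targets) { Find-LargeRegistryValues -Root $t.Root -SubKey $t.SubKey -MinBytes $MinBytes }
$hits | Sort-Object Bytes -Descending | Format-Table Key, Value, Kind, Bytes, Entropy -AutoSize -Wrap
```

Walking HKLM\SOFTWARE in full takes a minute or two and will surface legitimate large values (Office, .NET and shell caches among them), so the value of the output is in what is unexplained: a large high-entropy blob under a vendor or user key that nothing installed accounts for, which matches the way the loader is described as staging OYSTERBLUES. Baseline once per image and diff thereafter rather than reviewing the raw list each time.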
The Ghostwriter campaign leveraging the OYSTER family demonstrates a multi-stage infection approach in which each component performs a narrow function, making detection more difficult. The top-priority action for administrators of Ukrainian government networks is to immediately restrict the execution of wscript.exe via Group Policy for all standard users, as well as to audit email accounts for signs of unauthorized access.
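As an added example of the top-priority measure (not CERT-UA's text, nor a policy it published), the PowerShell below builds and stages an AppLocker policy that denies both Windows Script Host executables to BUILTIN\Users and allows scripts only from Program Files and Windows, which is what leaves a .js in Temp or Downloads with no allow rule. It covers cscript.exe too, since it runs the same files and restricting wscript.exe alone leaves it open. Both rule collections start in AuditOnly; the staging path and rule names are assumptions, and the rule IDs are freshly generated GUIDs.

```powershell
# Added example, not CERT-UA's own material: build and stage an AppLocker policy that
#  - denies wscript.exe and cscript.exe (64- and 32-bit) to BUILTIN\Users, i.e. standard users
#  - allows scripts only from %PROGRAMFILES% and %WINDIR%, so a .js in a user folder has no allow rule
# Collections start in AuditOnly; switch to Enabled only after reviewing audit events. Must run elevated.
# Staging path and rule names are assumptions; rule Ids are fresh GUIDs.

$Users    = 'S-1-5-32-545'   # BUILTIN\Users
$Admins   = 'S-1-5-32-544'   # BUILTIN\Administrators
$Everyone = 'S-1-1-0'

function New-RuleId { [guid]::NewGuid().ToString() }

# The default allow rules must be present: an enforced collection containing only deny rules blocks everything.
function New-DefaultAllowRules {
@"
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow administrators" Description="" UserOrGroupSid="$Admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
"@
}

# A deny rule always wins over an allow rule, so this overrides "Allow Windows" for the script hosts.
function New-DenyRule([string] $Name, [string] $Path) {
@"
    <FilePathRule Id="$(New-RuleId)" Name="$Name" Description="" UserOrGroupSid="$Users" Action="Deny">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$ScriptHostDenies = @(
    New-DenyRule 'Deny wscript.exe to Users'        '%SYSTEM32%\wscript.exe'
    New-DenyRule 'Deny cscript.exe to Users'        '%SYSTEM32%\cscript.exe'
    New-DenyRule 'Deny 32-bit wscript.exe to Users' '%WINDIR%\SysWOW64\wscript.exe'
    New-DenyRule 'Deny 32-bit cscript.exe to Users' '%WINDIR%\SysWOW64\cscript.exe'
) -join "`n"

$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-DefaultAllowRules)
$ScriptHostDenies
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-DefaultAllowRules)
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyPath = Join-Path $env:ProgramData 'wsh-restriction.xml'   # assumed staging path
Set-Content -Path $PolicyPath -Value $Policy -Encoding UTF8

# Dry run: the decision the rules produce for a member of Users, before anything is applied.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User $Users `
    -Path "$env:SystemRoot\System32\wscript.exe", "$env:SystemRoot\System32\cscript.exe", "$env:SystemRoot\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy. For a domain GPO, pass -Ldap with the GPO's LDAP path instead of -Merge.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
sc.exe config appidsvc start= auto     # AppLocker only evaluates rules while the Application Identity service runs
sc.exe start appidsvc

# Review what AuditOnly would have blocked (8003 = executable, 8006 = script in the MSI and Script log),
# then change EnforcementMode to "Enabled" in the XML and re-apply.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Two things to verify during the audit window: that the deny matches in the dry run (the host binaries are otherwise covered by the Windows allow rule), and which legitimate scripts standard users run from their profiles, because the default Script rules will block those too once enforced. Add allow rules for that known set rather than loosening the defaults.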