Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets
May 23, 2026 
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads.
The Belarus-nexus APT group Ghostwriter (also tracked as UAC-0057 and UNC1151) has resurfaced with a new phishing campaign targeting Ukrainian government organizations. This time the lure is Prometheus, a legitimate Ukrainian online learning platform that many government employees actually use. Using something familiar and trusted as bait is a deliberate choice, and it works better than generic phishing for exactly that reason.
Ukraine’s Computer Emergency Response Team (CERT-UA) flagged the activity this week, noting it has been running since spring 2026. The delivery mechanism is straightforward: phishing emails sent from already-compromised accounts — making the sender look legitimate — carrying PDF attachments. Inside the PDF is a link that, when clicked, downloads a ZIP archive containing a JavaScript file. Nothing groundbreaking technically, but effective when the email appears to come from a known contact.
“Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file.” reads the advisory by CERT-UA.”The mentioned JS file is classified as OYSTERFRESH , which provides display of a decoy document, entry into the operating system registry in an obfuscated and encoded form of the OYSTERBLUES software tool , as well as loading and launching the OYSTERSHUCK component , which acts as a decoder for the mentioned OYSTERBLUES. For decoding, string reversal, ROT13 transformation and URL decoding are sequentially used, in particular.”
That JavaScript file, named OYSTERFRESH, handles two things simultaneously: it shows the victim a decoy document, something plausible enough to avoid suspicion, while in the background it drops an obfuscated and encrypted payload called OYSTERBLUES into the Windows Registry, and downloads a separate component called OYSTERSHUCK whose job is to decode and launch OYSTERBLUES when the time comes.
OYSTERBLUES is the actual workhorse. Once running, it profiles the compromised system, grabbing computer name, username, OS version, last boot time, and a list of running processes, and ships everything to a command-and-control server via HTTP POST. It then waits for instructions, which arrive as JavaScript code executed on the fly using the eval() function. The final payload that follows this chain is assessed to be Cobalt Strike, the widely-abused post-exploitation framework that gives attackers persistent, flexible access to compromised systems.
CERT-UA offered a practical mitigation that is easy to overlook in the noise.
“Typically for UAC-0057 (UNC1151), the infrastructure is hidden behind Cloudflare, and a significant portion of the domain names used belong to the .icu TLD .” continues the report. “To reduce the likelihood of the described cyber threat being implemented, it is advisable to apply known basic approaches to reducing the attack surface, in particular, restricting the ability to run wscript.exe for regular user accounts.”
Blocking standard users from running wscript.exe cuts off one of the most common JavaScript execution paths these campaigns rely on, a small configuration change with meaningful defensive impact.
The threat actor Ghostwriter (aka UNC1151, UAC-0057) is linked to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
In February, SentinelLABS observed a new Ghostwriter campaign targeting Belarusian opposition activists and Ukrainian military and government entities with a new variant of PicassoLoader. The campaign has been active since late 2024, threat actors used weaponized Microsoft Excel documents as lures.
The researchers believe the campaign is still ongoing, SentinelLABS states that the attacks are an extension of the long-running Ghostwriter campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ghostwriter)
Stephan is the sports journalist for the Maple Grove Report.
