Full Report
The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government
Analysis Summary
# Threat Actor: Ghostwriter
## Attribution & Identity
* **Name:** Ghostwriter
* **Aliases:** UAC-0057, UNC1151
* **Associated Groups:** Social Design Agency (Moscow-based, linked to Matryoshka campaigns)
* **Affiliation:** Belarus-aligned; linked to Russian interests/Kremlin-backed hacking groups.
## Activity Summary
Since the spring of 2026, Ghostwriter has been observed conducting a multi-stage phishing campaign targeting Ukrainian government entities. The specific campaign detailed by CERT-UA leverages lures related to **Prometheus**, a prominent Ukrainian online learning platform. The operation utilizes compromised email accounts to distribute malicious attachments, leading to the deployment of reconnaissance tools and an eventual Cobalt Strike backdoor.
## Tactics, Techniques & Procedures
* **Phishing (T1566):** Sending emails via compromised accounts to increase legitimacy.
* **Malicious Attachments:** Use of PDF files containing links to ZIP archives.
* **Scripting:** Multi-stage execution using JavaScript and `wscript.exe`.
* **Registry-Resident Malware (T1112):** Stores the encrypted payload (OYSTERBLUES) within the Windows Registry rather than on disk to avoid file-based detection.
* **Decoy Documents:** Displaying PDFs to distract the user while background execution occurs.
* **Dynamic Execution:** Execution of next-stage JavaScript code using the `eval()` function.
* **Information Gathering:** Automated harvesting of OS version, computer name, user accounts, boot times, and active process lists.
## Targeting
* **Sectors:** Government organizations, Education (lure context), Media/Journalism (influence operations).
* **Geography:** Ukraine.
* **Victims:** Ukrainian government entities and individuals associated with the Prometheus learning platform.
## Tools & Infrastructure
* **OYSTERFRESH:** A JavaScript-based loader used to trigger the initial infection chain.
* **OYSTERSHUCK:** A downloader responsible for decoding the primary payload.
* **OYSTERBLUES:** An encrypted reconnaissance tool stored in the Windows Registry.
* **Cobalt Strike:** The final payload used for post-exploitation and command-and-control.
* **AI Integration:** The report also mentions Russia-backed actors using OpenAI ChatGPT and Google Gemini for target scouting and command generation.
* **Infrastructure:**
  * Command-and-Control (C2) communicates via HTTP POST requests.
  * URLs/Domains: none specifically listed in the text, but the lures impersonate `prometheus[.]org[.]ua` themes.
## Implications
Ghostwriter’s operations are increasingly focused on long-term persistence and intelligence gathering to support broader influence operations. The integration of AI tools for scouting and malware generation indicates an evolution in their capabilities, aimed at reducing the manual effort required for high-volume, targeted social engineering. The use of registry-based persistence shows a continued commitment to stealth.
## Mitigations
* **Execution Prevention:** Restrict the ability to run `wscript.exe` for standard user accounts to break the JavaScript execution chain.
* **Endpoint Monitoring:** Monitor the Windows Registry for unusual keys or large encrypted blobs, characteristic of the OYSTERBLUES payload.
* **Email Security:** Implement advanced phishing protection to identify links to ZIP archives within PDF attachments.
* **User Training:** Educate staff on the risks of downloading files from "learning platform" lures, even if they arrive via internal or recognized government email addresses.
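The endpoint-monitoring mitigation above can be turned into a hunt. The following PowerShell is an added example, not code from the CERT-UA report: it walks a set of registry roots and flags values that are both large and high-entropy, the footprint that an encrypted payload staged in the registry (such as OYSTERBLUES) would leave. The roots scanned and the size and entropy thresholds are assumptions; the report names no specific key.

```powershell
# Added hunting example (not from the CERT-UA report). Roots and thresholds are assumptions.
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h   # 0..8 bits per byte; encrypted bytes ~8, base64 text ~6, plain text ~4-5
}

function Find-SuspiciousRegistryBlob {
    param(
        # Assumed roots: user-writable hive plus a common autostart area
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'),
        [int]$MinBytes = 4096,      # assumed: ignore values smaller than 4 KiB
        [double]$MinEntropy = 5.0   # assumed: ignore low-entropy (plain text, sparse) values
    )
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Normalise to bytes: REG_BINARY as-is, string kinds via UTF-8, skip DWORD/QWORD.
                # (if/elseif, not switch: switch would enumerate a byte[] element by element)
                if ($raw -is [byte[]])        { $bytes = $raw }
                elseif ($raw -is [string])    { $bytes = [Text.Encoding]::UTF8.GetBytes($raw) }
                elseif ($raw -is [string[]])  { $bytes = [Text.Encoding]::UTF8.GetBytes($raw -join ' ') }
                else                          { continue }
                if ($bytes.Length -lt $MinBytes) { continue }
                $entropy = Get-ShannonEntropy -Bytes $bytes
                if ($entropy -lt $MinEntropy) { continue }
                [pscustomobject]@{
                    Key = $key.Name; Value = $name; Kind = $kind
                    Bytes = $bytes.Length; Entropy = [Math]::Round($entropy, 2)
                }
            }
        }
    }
}

Find-SuspiciousRegistryBlob | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Legitimate Windows components (shell caches, MRU lists, installer state) also keep large binary values, so baseline the output on a known-clean host and triage new or renamed values rather than treating every hit as malicious.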