"Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file," CERT‑UA said in a Thursday report.
Ghostwriter uses Prometheus learning-platform lures and compromised accounts
The Belarus‑aligned threat actor known as Ghostwriter (aka UAC‑0057 and UNC1151Ukraine's National Security and Defense Council) has been observed targeting Ukrainian government organizations using lures tied to Prometheus, a Ukrainian online learning platform. According to the Computer Emergency Response Team of Ukraine (CERT‑UA), the campaign has been active since the spring of 2026 and relies on phishing emails sent from compromised accounts inside government entities.
OYSTERFRESH, OYSTERBLUES and OYSTERSHUCK: a three-part JavaScript chain
CERT‑UA describes a specific payload chain beginning with a JavaScript file dubbed OYSTERFRESH. OYSTERFRESH displays a decoy document to distract a user while it writes an obfuscated, encrypted payload called OYSTERBLUES into the Windows Registry. It also downloads and launches a component named OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.
OYSTERBLUES collects a range of system data — computer name, user account, operating system version, time of the last OS boot and a list of running processes — and exfiltrates it to a command‑and‑control server using an HTTP POST request. The infected host then waits for further responses containing next‑stage JavaScript, which is executed via the eval() function. CERT‑UA assessed the final payload as Cobalt Strike, a framework widely used for post‑exploitation activity.
CERT‑UA mitigation advice: restrict wscript.exe for standard users
To reduce the likelihood of this threat being exploited, CERT‑UA recommended applying “known basic approaches to reducing the attack surface, specifically by restricting the ability to run wscript.exe for standard user accounts.” That guidance speaks directly to the attack chain documented: the initial JavaScript stages rely on Windows scripting hosts and the ability to execute script‑based payloads on user systems.
Ukraine's National Security and Defense Council: AI‑assisted reconnaissance and long‑term footholds
The disclosure from CERT‑UA arrives alongside findings from Ukraine's National Security and Defense Council, which reported Kremlin‑linked actors using artificial intelligence tools — specifically OpenAI ChatGPT and Google Gemini — to scout targets and to embed AI into malware to generate malicious commands at runtime. The Council also highlighted a strategic emphasis by these actors on obtaining intelligence and maintaining long‑term presence in compromised networks to enable follow‑on exploitation and influence operations.
Reviewing activity in 2025, the Council named the primary initial penetration vectors: social engineering, exploitation of vulnerabilities, use of compromised RDP and VPN accounts, attacks on supply chains, and the use of unlicensed software that “already contains built‑in backdoors at the installation stage.” The attackers’ focus, the Council said, has been on stealing sensitive information, intercepting communications and tracking the location of targets.
What this means for Ukrainian government IT teams, platform operators, and the public
- Ukrainian government IT teams: Expect phishing using trusted domestic brands such as Prometheus and low‑noise, multi‑stage JavaScript chains that write encrypted data into the Registry and fetch code dynamically. Practical priorities are restricting script execution (for example, wscript.exe for standard users), monitoring HTTP POST patterns to unknown C2 endpoints, and scanning for unusual registry entries tied to obfuscated blobs.
- Platform operators and social networks: The Council and CERT‑UA linked political influence and account‑hijacking campaigns to pro‑Kremlin actors. Separately, reporting shows a pro‑Kremlin campaign hijacked real Bluesky users’ accounts — including journalists and professors — to post fake content since 2024; some accounts were suspended by Bluesky pending owner‑initiated resets. Operators should be alert to account compromise and reuse of hijacked identities in influence operations.
- The general public and users of Ukrainian services: Lures may appear to come from internal or familiar sources. Because the initial message uses a PDF with a link that leads to a ZIP and a JavaScript file, users should treat unexpected PDFs with embedded links cautiously and follow institutional instructions for reporting suspected phishing.
The technical profile CERT‑UA published ties a familiar playbook — social‑engineering lures, script‑based loaders and staged C2 callbacks — to an actor already associated with strategic intelligence collection and influence activities. With AI tools flagged as part of adversary reconnaissance and malware generation, the documented campaign underscores two linked realities: attackers continue to refine low‑cost, high‑yield initial access methods, and defenders must harden mundane controls such as script execution policies and account compromise detection to deny adversaries that first foothold.




