LIVE NEWSROOM · --:-- · May 24, 2026

Ghostwriter Deploys Prometheus Phishing Lures Against Ukraine Government Entities


The Belarus-aligned advanced persistent threat actor known as Ghostwriter — also tracked by researchers as UAC-0057, UNC1151, Storm-0257, and White Lynx — is conducting an active phishing campaign against Ukrainian government entities using lures impersonating Prometheus, a legitimate Ukrainian online learning platform. The campaign, documented by Ukraine's CERT-UA (Computer Emergency Response Team of Ukraine — the national authority responsible for cybersecurity incident response) and detailed by The Hacker News, deploys a multi-stage malware chain with three novel components: OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK.

// 01 Campaign Overview: Technical Details

Ghostwriter's latest operation opens with phishing emails sent from compromised email accounts — a technique designed to bypass sender reputation filters and leverage the implicit trust that recipients place in known contacts. The emails contain PDF attachments that display a document mimicking a Prometheus learning platform notification or invitation. Embedded within the PDF is a hyperlink that, when clicked, initiates the multi-stage infection chain.

Stage 1 — OYSTERFRESH (JavaScript dropper): Clicking the link in the PDF downloads a ZIP archive containing a JavaScript file. The JavaScript file is named OYSTERFRESH by CERT-UA researchers. OYSTERFRESH serves a dual purpose: it opens a decoy document to distract the victim and create the appearance of a legitimate document exchange, while simultaneously executing the next stage of the infection chain in the background.

Stage 2 — OYSTERBLUES (encrypted payload in the Registry): OYSTERFRESH writes an obfuscated and encrypted payload called OYSTERBLUES into the Windows Registry. Using the Registry (the Windows configuration database) as a payload storage mechanism is a fileless malware technique (malware that operates entirely in memory or uses system-native storage rather than writing executable files to disk) that evades file-system-based antivirus scans and forensic analysis.

Stage 3 — OYSTERSHUCK (decoder/launcher): A component named OYSTERSHUCK is downloaded and launched by OYSTERFRESH. OYSTERSHUCK's role is to decode and execute OYSTERBLUES from the Registry. The use of a separate decoding component adds a layer of obfuscation — OYSTERBLUES alone is not executable without OYSTERSHUCK's processing.

The final payload delivered by OYSTERBLUES has not been confirmed as of this writing. Based on Ghostwriter's historical tradecraft, likely candidates include a RAT (Remote Access Trojan — malware that gives an attacker persistent, interactive control over the infected system) or a reconnaissance implant, potentially Cobalt Strike (a commercial penetration testing framework widely abused by threat actors for post-exploitation command and control) or a custom backdoor consistent with Ghostwriter's prior tooling such as PicassoLoader.

// 02 Threat Actor Background

Ghostwriter has been active since at least 2016 and operates in alignment with Belarusian state intelligence objectives. The group conducts both technical cyber operations and strategic influence operations — a combination that distinguishes it from purely technical threat actors. Ghostwriter has historically targeted Ukraine, Poland, Latvia, Lithuania, and Germany with a mix of credential phishing campaigns, website compromise operations, and disinformation spread via compromised journalist and government accounts.

CERT-UA tracks this actor as UAC-0057 and has attributed it to the Belarusian GRU (Main Intelligence Directorate). The Hacker News reporting notes that Ghostwriter has been observed conducting geofenced PDF phishing operations — delivering exploit payloads only to victims in specific geographic regions — alongside Cobalt Strike Beacon deployment operations, indicating a mature and well-resourced operational infrastructure.

The group's use of a legitimate Ukrainian educational platform as a lure theme is consistent with Ghostwriter's well-documented tradecraft: campaigns are carefully tailored to the target's current context. Ukrainian government employees using Prometheus for professional development training are far more likely to engage with a Prometheus-themed email than a generic phishing lure.

MITRE ATT&CK techniques associated with this campaign include:

// 03 Who Is Affected

The primary targets are Ukrainian government entities, confirmed by CERT-UA's advisory. The campaign uses compromised email accounts — potentially belonging to Ukrainian government or academic contacts — which means phishing emails may appear to originate from trusted internal or partner addresses.

Beyond immediate government targets, the campaign is relevant to:

  • NATO partner organisations engaged in direct cooperation with Ukrainian government counterparts — these organisations may receive forwarded or related phishing emails as part of supply-chain targeting.
  • Ukrainian civil society and media — Ghostwriter historically targets journalists and NGOs alongside government entities.
  • Security operations teams globally — the OYSTERFRESH/OYSTERBLUES/OYSTERSHUCK toolchain represents new malware that detection tools have limited signature coverage for.

// 04 What You Should Do Right Now

  • Block execution of JavaScript files from user-accessible directories — use Windows AppLocker (a Windows application control feature) or Microsoft Defender Application Control policies to prevent JavaScript execution from Downloads, Temp, and user-profile directories.
  • Deploy email security rules for PDF attachments containing external links — many email security gateways can be configured to detonate PDF attachments in a sandbox or strip external hyperlinks from PDFs arriving from external senders.
  • Block ZIP-to-JavaScript execution chains — configure endpoint security to alert or block when JavaScript files extracted from ZIP archives attempt to write to the Windows Registry or launch secondary processes.
  • Share CERT-UA IOCs with your SIEM and EDR — CERT-UA regularly publishes indicators of compromise. Subscribe to CERT-UA's official Telegram channel and RSS feed for timely IOC updates.
  • Brief users on Prometheus-themed lures — if your organisation has Ukrainian government or academic partners, brief relevant users that Prometheus platform lures are circulating and that PDF attachments from unexpected senders should be verified out-of-band before clicking.
  • Hunt for OYSTERBLUES Registry entries — search for unusual binary data in registry Run keys and HKCU\Software subkeys. Commands like reg query HKCU /s /f oyster (as a starting point for custom IOC names once CERT-UA publishes specifics) can assist initial triage.
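The hunt in the last bullet can be run against a collected artifact instead of a live machine. The following is an added example written for this article (it is not CERT-UA tooling and not the authors' code): it parses the text that `reg export HKCU\Software hkcu_software.reg` writes and flags values that look like a stored payload (large REG_BINARY blobs, long base64-looking strings) or a Run/RunOnce entry that launches a script host. The thresholds, the script-host list and the sample export embedded below are constructed for illustration; the real value names will come from CERT-UA's indicators.

```python
r"""Triage a registry export (.reg text) for payload-in-registry tradecraft.

Added example for this article; not CERT-UA tooling and not the authors' code.
It parses the text written by `reg export HKCU\Software hkcu_software.reg`
("Windows Registry Editor Version 5.00" format) and flags values that look
like a stored payload or an autorun entry that launches a script host.
The thresholds and the sample export below are constructed for illustration.
"""
import re
from typing import Iterator

BINARY_BLOB_MIN = 1024     # bytes; constructed threshold for "stored payload" blobs
ENCODED_STRING_MIN = 512   # chars; constructed threshold for base64-looking strings
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")
AUTORUN_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def _reg_hex(data: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit exports REG_BINARY: comma-separated hex, `,\\` continuations."""
    pairs = [f"{b:02x}" for b in data]
    rows = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(rows)


# Constructed sample export. "Updater", "blob" and "cfg" are made-up stand-ins for
# what a script-host autorun and an OYSTERBLUES-style stored payload could look like.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]" "\n"
    r'"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"' "\n"
    r'"Updater"="wscript.exe //B \"C:\\Users\\u\\AppData\\Roaming\\upd.js\""' "\n\n"
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]" "\n"
    '"blob"=hex:' + _reg_hex(bytes(range(256)) * 8) + "\n"
    '"cfg"="' + "QUJD" * 200 + '"\n'
    '"ver"=dword:00000003\n'
)


def _logical_lines(text: str) -> Iterator[str]:
    """Yield .reg lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if buf:
            line = line.lstrip()          # continuation lines are indented two spaces
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text: str) -> list[dict]:
    """Return one record per value: key path, value name, type and decoded data."""
    records, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group("default") else m.group("name")
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            # REG_SZ: regedit escapes backslashes and double quotes with a backslash
            value = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            records.append({"key": key, "name": name, "type": "REG_SZ", "data": value})
        elif data.startswith("dword:"):
            records.append({"key": key, "name": name, "type": "REG_DWORD", "data": int(data[6:], 16)})
        elif data.startswith("hex"):
            # "hex:" is REG_BINARY; "hex(N):" is registry type N; both carry raw bytes
            rtype = "REG_BINARY" if data.startswith("hex:") else data.split(":", 1)[0]
            raw = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
            records.append({"key": key, "name": name, "type": rtype, "data": raw})
    return records


def triage(records: list[dict]) -> list[dict]:
    """Flag values that resemble stored payloads or script-host autoruns."""
    findings = []
    for r in records:
        reasons = []
        if isinstance(r["data"], bytes) and len(r["data"]) >= BINARY_BLOB_MIN:
            reasons.append(f"binary value of {len(r['data'])} bytes")
        if r["type"] == "REG_SZ" and len(r["data"]) >= ENCODED_STRING_MIN and _B64_RE.match(r["data"]):
            reasons.append(f"base64-looking string of {len(r['data'])} chars")
        if r["type"] == "REG_SZ" and any(mk in r["key"].lower() for mk in AUTORUN_MARKERS):
            if any(h in r["data"].lower() for h in SCRIPT_HOSTS):
                reasons.append("autorun entry launches a script host")
        if reasons:
            findings.append({"key": r["key"], "name": r["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\\{f['name']}: {'; '.join(f['reasons'])}")
```

Run it against a real export by replacing SAMPLE_REG with the file contents; on the constructed sample it reports the script-host autorun, the 2048-byte blob and the 800-character encoded string, and leaves the OneDrive entry and the DWORD alone. The thresholds are deliberately coarse so that the output is a triage list for an analyst, not an alert.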

// 05 Background: Understanding the Risk

Belarus's alignment with Russia since the 2020 Lukashenko election crisis has positioned Belarusian intelligence services as a cyber proxy for Russian strategic objectives, particularly in operations targeting Ukraine and NATO's eastern flank. Ghostwriter's campaigns serve both intelligence collection functions (stealing government communications and credentials) and influence operation functions (compromising social media accounts to spread disinformation).

The Prometheus lure is strategically selected: it references a real, actively used Ukrainian government platform, meaning that recipients have a genuine reason to expect communications about it. This level of operational research — understanding what platforms Ukrainian government employees actually use and building lures around those platforms — distinguishes Ghostwriter from commodity phishing operations and indicates significant pre-campaign reconnaissance.

HarfangLab's analysis of UAC-0057's sustained operations documents how Ghostwriter has continued to adapt its tooling and lure themes throughout the Ukraine conflict, maintaining persistent pressure on government targets despite repeated CERT-UA exposure of its operations. Each campaign exposure leads to a brief pause followed by retooling and resumption — a pattern consistent with a well-funded state-directed operation that accepts tactical setbacks as the cost of strategic continuity.

For defenders: the fileless nature of the OYSTERBLUES payload makes memory forensics and Registry analysis more valuable than file system scanning for post-compromise investigation. Security teams should ensure their EDR (Endpoint Detection and Response) platforms are configured to log Registry modification events and alert on unusual persistence mechanisms.
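What "alert on unusual persistence mechanisms" looks like in practice, as an added example written for this article (not code from CERT-UA, The Hacker News or the authors): a small rule set run over Sysmon-style JSON events that flags a script host launching a .js file from a user-writable path (EventID 1) and a script host or any process writing a bulky value to the Registry (EventID 13), then correlates hits per process so a launch followed by a Registry write surfaces as one high-severity alert. It assumes Sysmon-like field names (Image, CommandLine, TargetObject, Details, ProcessGuid), that Sysmon summarises binary values as "Binary Data", and that Windows runs .js files under wscript.exe; the log lines are constructed.

```python
"""Detect script-host Registry writes and JS-from-archive launches in Sysmon-style events.

Added example for this article; not CERT-UA, The Hacker News or the authors' code.
Assumes Sysmon-like JSON records for EventID 1 (process create) and EventID 13
(registry value set). The sample lines and the thresholds are constructed.
"""
import json
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# User-writable locations a mailed JS dropper would typically run from (assumption)
USER_WRITABLE = re.compile(r"\\(?:Downloads|AppData\\Local\\Temp|AppData\\Roaming)\\", re.I)
LONG_VALUE = 256   # chars; constructed threshold for "encoded payload" string values

# Constructed events: {G1} is a wscript.exe run from an Explorer-opened zip that then
# writes a binary value; {G2} is a benign vendor app; {G3} is an IT script from ProgramData.
SAMPLE_EVENTS = r'''
{"EventID":1,"UtcTime":"2026-05-24 09:12:01","ProcessGuid":"{G1}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_invite.zip\\invite.js\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":13,"UtcTime":"2026-05-24 09:12:03","ProcessGuid":"{G1}","Image":"C:\\Windows\\System32\\wscript.exe","EventType":"SetValue","TargetObject":"HKU\\S-1-5-21-1\\Software\\ExampleVendor\\Cache\\blob","Details":"Binary Data"}
{"EventID":13,"UtcTime":"2026-05-24 09:12:04","ProcessGuid":"{G2}","Image":"C:\\Program Files\\Vendor\\vendor.exe","EventType":"SetValue","TargetObject":"HKU\\S-1-5-21-1\\Software\\Vendor\\LastRun","Details":"2026-05-24"}
{"EventID":1,"UtcTime":"2026-05-24 09:15:00","ProcessGuid":"{G3}","Image":"C:\\Windows\\System32\\cscript.exe","CommandLine":"cscript.exe C:\\ProgramData\\IT\\inventory.vbs","ParentImage":"C:\\Windows\\System32\\svchost.exe"}
'''


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules one event matches (empty list means benign)."""
    hits = []
    image = ntpath.basename(event.get("Image", "")).lower()
    if event.get("EventID") == 1 and image in SCRIPT_HOSTS:
        cmd = event.get("CommandLine", "")
        if re.search(r"\.jse?\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            hits.append("js_launched_from_user_writable_path")
    if event.get("EventID") == 13:
        details = event.get("Details", "")
        if image in SCRIPT_HOSTS:
            hits.append("script_host_registry_write")
        if details == "Binary Data" or len(details) >= LONG_VALUE:
            hits.append("bulky_registry_value")
    return hits


def correlate(lines) -> list[dict]:
    """Group rule hits per process so a launch + Registry write chain becomes one alert."""
    by_proc: dict = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        hits = evaluate(ev)
        if not hits:
            continue
        entry = by_proc.setdefault(ev["ProcessGuid"], {"image": ev["Image"], "hits": [], "targets": []})
        entry["hits"].extend(hits)
        if "TargetObject" in ev:
            entry["targets"].append(ev["TargetObject"])
    alerts = []
    for guid, entry in by_proc.items():
        chain = {"js_launched_from_user_writable_path", "script_host_registry_write"} <= set(entry["hits"])
        alerts.append({
            "process_guid": guid,
            "image": entry["image"],
            "hits": sorted(set(entry["hits"])),
            "severity": "high" if chain else "medium",
            "targets": entry["targets"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS.splitlines()):
        print(alert["severity"].upper(), alert["image"], ", ".join(alert["hits"]), alert["targets"])
```

Feed it the JSON lines your EDR or a Sysmon-to-JSON forwarder emits; only the {G1} process produces an alert here, and it is rated high because the launch-from-Temp and the Registry write came from the same process. The per-process correlation is the part worth keeping: a single script-host Registry write is noisy on its own, but paired with a JS launch from a user-writable path it matches the OYSTERFRESH-to-OYSTERBLUES step the article describes.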

// 06 Conclusion

Ghostwriter (UAC-0057) is actively targeting Ukrainian government entities with Prometheus-themed phishing delivering the novel OYSTERFRESH-OYSTERBLUES-OYSTERSHUCK malware chain. Organisations cooperating with Ukrainian government counterparts should review email security controls, block JavaScript execution from user directories, and monitor CERT-UA advisories for updated indicators of compromise.

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.