Ghostwriter uses Prometheus lures to deploy Cobalt Strike
Belarus-linked Ghostwriter used Prometheus-themed phishing in spring 2026 to deliver JavaScript loaders that install OYSTERBLUES in the Windows Registry and stage Cobalt Strike.
The Belarus-aligned threat actor known as Ghostwriter deployed Prometheus-themed phishing to target Ukrainian government agencies, according to a report from the Computer Emergency Response Team of Ukraine (CERT-UA). The campaign began in spring 2026 and relied on compromised email accounts to deliver malicious files.
Phishing messages contained a PDF that linked to a ZIP archive. The archive included a JavaScript loader CERT-UA calls OYSTERFRESH. That loader displays a decoy document while writing an obfuscated, encrypted payload named OYSTERBLUES into the Windows Registry. OYSTERFRESH also downloads a secondary script, OYSTERSHUCK, which decodes the registry-stored payload.
CERT-UA described OYSTERBLUES as a reconnaissance and staging tool. The code collects system details such as computer name, user account, operating system version, last boot time and a list of running processes. Collected information is sent to a command-and-control server using an HTTP POST request. The server can then respond with additional JavaScript that is executed on the victim machine using eval(). CERT-UA assessed the final-stage payload delivered after these steps to be Cobalt Strike, a commercial adversary simulation framework frequently abused for post-exploitation activity.
The actor is tracked under aliases UAC-0057 and UNC1151. CERT-UA reported that the primary initial access vector observed in these intrusions was the use of compromised email accounts to deliver the Prometheus lures and JavaScript files.
CERT-UA recommended basic hardening measures to reduce exposure. The agency advised limiting the ability of standard user accounts to run wscript.exe, tightening email security controls, restricting script execution for non-administrative accounts and monitoring unusual POST traffic to external servers.
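The monitoring advice above (script-host restrictions, registry-stored payloads, unusual outbound traffic) maps directly onto host telemetry. The following Python is an added example, not code from CERT-UA or from the article: it runs over constructed Sysmon-style records (Event ID 13 registry value writes and Event ID 3 network connections), flags script hosts that write large registry values or initiate connections to external addresses, and correlates the two by process GUID. The field names follow Sysmon's schema; the 2048-byte threshold, the internal address list and the inclusion of cscript.exe alongside wscript.exe are assumptions, and every sample record, path, key and address is made up.

```python
"""Hunt for the script-host loader pattern in Sysmon-style telemetry.

Added example; not code from CERT-UA or from the article. Every record in
SAMPLE_EVENTS is constructed to match the shape of Sysmon Event ID 13
(RegistryEvent SetValue) and Event ID 3 (Network connection); the paths,
registry key, process GUIDs and addresses are made up.
"""
import ipaddress
import ntpath

# Script hosts whose registry writes and outbound connections are rarely
# legitimate for standard users. The report names wscript.exe; cscript.exe
# is included as an assumption (its console counterpart).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed threshold: a string value this large written by a script host is
# treated as a possible encoded payload rather than a configuration setting.
LARGE_VALUE_BYTES = 2048

# Address ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\ExampleVendor\blob", "Details": "A" * 5000},
    {"EventID": 13, "ProcessGuid": "{B2}", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\Shell", "Details": "1"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "true"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Initiated": "true"},
    {"EventID": 3, "ProcessGuid": "{D4}", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": "true"},
]


def _is_script_host(image):
    # ntpath splits on backslashes regardless of the platform the hunt runs on
    return ntpath.basename(image).lower() in SCRIPT_HOSTS


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def registry_staging(events):
    """Event ID 13: a script host writes an unusually large registry value."""
    hits = []
    for e in events:
        if e.get("EventID") != 13 or not _is_script_host(e.get("Image", "")):
            continue
        if len(e.get("Details", "")) >= LARGE_VALUE_BYTES:
            hits.append((e["ProcessGuid"], e["TargetObject"]))
    return hits


def script_host_egress(events):
    """Event ID 3: a script host initiates a connection to an external address."""
    hits = []
    for e in events:
        if e.get("EventID") != 3 or not _is_script_host(e.get("Image", "")):
            continue
        if e.get("Initiated") != "true" or not _is_external(e["DestinationIp"]):
            continue
        hits.append((e["ProcessGuid"], e["DestinationIp"], e["DestinationPort"]))
    return hits


def correlate(events):
    """Process GUIDs that both staged a large registry value and reached out."""
    staged = {guid for guid, _ in registry_staging(events)}
    reached = {guid for guid, _, _ in script_host_egress(events)}
    return sorted(staged & reached)


if __name__ == "__main__":
    for guid in correlate(SAMPLE_EVENTS):
        print("script host staged registry data and connected externally:", guid)
```

Two caveats when moving this onto a real sensor: Sysmon reports binary registry values as "Binary Data" rather than their contents, so the length threshold only works for values the sensor records in full, and Event ID 3 does not see the HTTP method, so the egress check stands in for the POST monitoring CERT-UA describes; method-level visibility needs proxy or web-gateway logs.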
Ukraine’s National Security and Defense Council reported that Russian-linked operators have tested artificial intelligence tools to select targets and to generate malicious commands at runtime. The council listed the main initial access methods seen in 2025 as social engineering, exploitation of vulnerabilities, use of compromised RDP and VPN credentials, supply-chain attacks and installation of unlicensed software that included backdoors.
Separate reporting from Ukrainian investigators connected a pro-Kremlin influence operation that hijacked real Bluesky accounts beginning in 2024 to a Moscow-based company called Social Design Agency and to a broader campaign labeled Matryoshka. Affected accounts included journalists and professors; some hijacked accounts were suspended by the platform pending owner-initiated resets.
Ukrainian authorities continue to urge organizations to apply the recommended mitigations and to monitor for signs of the JavaScript loaders, registry-stored payloads and abnormal outbound POST requests associated with these intrusions.