Ghostwriter (UAC-0057/UNC1151) targets Ukrainian government with Prometheus learning-platform lure, OYSTERSHUCK/OYSTERBLUES, Cobalt Strike payload

CERT-UA has documented a fresh Ghostwriter campaign (also tracked as UAC-0057 and UNC1151) using PDF lures themed around Prometheus, a Ukrainian online learning platform, to target Ukrainian government organizations. The phishing email contains a link to a ZIP that drops a JavaScript file (OYSTERFRESH), which displays a decoy document, writes an encrypted payload (OYSTERBLUES) to the Windows Registry, and downloads a loader (OYSTERSHUCK) that decodes and runs OYSTERBLUES. The final payload is Cobalt Strike. Ghostwriter is a Belarus-linked threat group that has been hitting Ukrainian targets continuously since 2022. CERT-UA recommends restricting wscript.exe for standard user accounts.

Check
Search Windows endpoints in Ukraine-facing operations for wscript.exe launching JavaScript (.js) files, and for the script host subsequently writing to the registry or downloading a follow-on loader. Look for HTTP POST exfiltration to unfamiliar C2 hosts after a user opens a PDF lure delivered by email.
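As an added hunting example for the chain described above (not CERT-UA's code or anything from the original page), the following Python scores Sysmon-style endpoint events per script-host process: wscript.exe or cscript.exe launching a script from a user-writable path, a registry value written by that script host, and an outbound connection from it. All events, paths, GUIDs, the registry key and the destination IP are constructed samples; only the field names follow Sysmon's event schema.

```python
"""Hunt for the wscript.exe -> .js -> registry-write -> download chain.

Added example, not CERT-UA or vendor tooling. Input records are constructed
Sysmon-style events (EventID 1 = process create, 3 = network connect,
13 = registry value set); field names follow Sysmon, values are invented.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script path on the command line: anything up to a script extension.
SCRIPT_FILE = re.compile(r'[^"\s]+\.(?:js|jse|wsf|vbs)\b', re.IGNORECASE)
# Locations a standard user can write to (profile subfolders, temp dirs).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\|\\temp\\", re.IGNORECASE)

# Constructed sample telemetry: one suspicious chain (guid-1) and benign noise.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" '
                    r'"C:\Users\olena\AppData\Local\Temp\Temp1_lure.zip\lure.js"'},
    {"EventID": 13, "ProcessGuid": "{guid-1}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\ExampleVendor\Config",
     "Details": "Binary Data"},
    {"EventID": 3, "ProcessGuid": "{guid-1}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: licensing script shipped with Windows, run from System32.
    {"EventID": 1, "ProcessGuid": "{guid-2}",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    # Benign: a .js file opened in an editor, not executed by a script host.
    {"EventID": 1, "ProcessGuid": "{guid-3}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\olena\Downloads\app.js"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {ProcessGuid: {"severity", "reasons"}} for suspicious script hosts."""
    stages = defaultdict(set)
    reasons = defaultdict(list)
    for ev in events:
        if _basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
            continue  # only wscript/cscript activity is of interest here
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            m = SCRIPT_FILE.search(ev.get("CommandLine", ""))
            if m and USER_WRITABLE.search(m.group(0)):
                stages[guid].add("exec")
                reasons[guid].append(
                    f"script host launched script from user-writable path: {m.group(0)}")
        elif ev["EventID"] == 13:
            stages[guid].add("registry")
            reasons[guid].append(
                f"script host wrote registry value: {ev['TargetObject']}")
        elif ev["EventID"] == 3:
            stages[guid].add("network")
            reasons[guid].append(
                f"script host connected to {ev['DestinationIp']}:{ev['DestinationPort']}")
    # Two or more distinct stages on one process is the chain, not a one-off.
    return {
        guid: {"severity": "high" if len(s) >= 2 else "medium",
               "reasons": reasons[guid]}
        for guid, s in stages.items()
    }


if __name__ == "__main__":
    for guid, hit in analyze(EVENTS).items():
        print(guid, hit["severity"])
        for r in hit["reasons"]:
            print("  -", r)
```

Only the wscript.exe process that ran a script from the user's temp directory, wrote to the registry and made an outbound connection is reported; the Windows licensing script run from System32 and the editor opening a .js file produce no finding. Feed the same function the output of a Sysmon or EDR export with matching field names to run it over real telemetry.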
Affected
Ukrainian government organizations and contractors. Ghostwriter has been Russia's and Belarus's most persistent Ukrainian-government-focused APT since 2022. PDF and ZIP attachments are the primary delivery vector.
Fix
Restrict wscript.exe execution for standard user accounts via AppLocker or WDAC. Block .js attachment delivery at the email gateway. Hunt for Cobalt Strike beacons in Ukraine-related operations.