Ghostwriter (UAC-0057/UNC1151) targets Ukrainian government with Prometheus learning-platform lure, OYSTERSHUCK/OYSTERBLUES, Cobalt Strike payload
CERT-UA has documented a fresh Ghostwriter campaign (the group is also tracked as UAC-0057 and UNC1151) that uses PDF lures themed around Prometheus, a Ukrainian online learning platform, to target Ukrainian government organizations. The phishing email carries a link to a ZIP archive containing a JavaScript file (OYSTERFRESH) which, when run, displays a decoy document, writes an encrypted payload (OYSTERBLUES) to the Windows Registry, and downloads a loader (OYSTERSHUCK) that decodes and executes OYSTERBLUES. The final payload is Cobalt Strike. Ghostwriter is a Belarus-linked threat group that has targeted Ukrainian organizations continuously since 2022. CERT-UA recommends restricting wscript.exe for standard user accounts.
- Check
  - Search Windows endpoints in Ukraine-facing operations for wscript.exe execution chains that launch JavaScript files. Look for HTTP POST traffic to unfamiliar C2 hosts following the opening of a PDF email attachment.
- Affected
  - Ukrainian government organizations and contractors. Ghostwriter has been Russia's and Belarus's most persistent Ukrainian-government-focused APT since 2022. PDF and ZIP attachments are the primary delivery vector.
- Fix
  - Restrict wscript.exe execution for standard user accounts via AppLocker or WDAC. Block .js attachment delivery at the email gateway. Hunt for Cobalt Strike beacons in Ukraine-related operations.