Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ghostwriter (2 articles)

Ghostwriter (UAC-0057/UNC1151) targets Ukrainian government with Prometheus learning-platform lure, OYSTERSHUCK/OYSTERBLUES, Cobalt Strike payload

CERT-UA has documented a fresh Ghostwriter campaign (also tracked as UAC-0057 and UNC1151) using PDF lures themed around Prometheus, a Ukrainian online learning platform, to target Ukrainian government organizations. The phishing email contains a link to a ZIP that drops a JavaScript file (OYSTERFRESH), which displays a decoy document, writes an encrypted payload (OYSTERBLUES) to the Windows Registry, and downloads a loader (OYSTERSHUCK) that decodes and runs OYSTERBLUES. The final payload is Cobalt Strike. Ghostwriter is a Belarus-linked threat group that has been hitting Ukrainian targets continuously since 2022. CERT-UA recommends restricting wscript.exe for standard user accounts.

Check
Search Windows endpoints in Ukraine-facing operations for wscript.exe execution chains that spawn from JavaScript files. Look for HTTP POST exfiltration to unfamiliar C2 hosts following the opening of PDF email attachments.
Affected
Ukrainian government organizations and contractors. Ghostwriter has been the most persistent Russia- and Belarus-aligned APT focused on the Ukrainian government since 2022. PDF and ZIP attachments are the primary delivery vector.
Fix
Restrict wscript.exe execution for standard user accounts via AppLocker or WDAC. Block .js attachment delivery at the email gateway. Hunt for Cobalt Strike beacons in Ukraine-related operations.

Belarus-aligned FrostyNeighbor (Ghostwriter) running a new geofenced PDF phishing campaign against Ukrainian government - Ukrainian IPs get malware, everyone else gets a clean PDF

ESET researchers documented a new wave of activity from FrostyNeighbor (a.k.a. Ghostwriter, UNC1151, UAC-0057), the Belarus-aligned group that has been targeting Ukraine, Poland, and Lithuania since 2016. Since March 2026, the group has been sending spear-phishing PDFs impersonating Ukrainian telecom operator Ukrtelecom. The lure server checks the visitor's IP: Ukrainian addresses get a malicious RAR archive that drops a JavaScript version of PicassoLoader, which in turn pulls down a Cobalt Strike Beacon, while everyone else just sees a clean decoy PDF. Operators appear to manually approve which fingerprinted victims actually get the implant.

Check
Hunt email gateways and proxies for spear-phishing PDFs impersonating Ukrtelecom, search endpoint telemetry for JavaScript child processes of wscript.exe or cscript.exe exhibiting PicassoLoader behavior, and review outbound C2 callbacks from defense-sector users.
Affected
Ukrainian government, military, and defense organizations. Polish and Lithuanian industrial manufacturing, healthcare and pharma, logistics, and government bodies. Risk is highest for any organization with Eastern European operations.
Fix
Block known FrostyNeighbor domains and IPs from ESET's report at the network edge, deploy detections for JavaScript-stage PicassoLoader and Cobalt Strike, restrict execution of downloaded scripts via AppLocker, and brief Eastern European staff on the Ukrtelecom lure.