Hacker group Ghostwriter has launched a new campaign against Ukrainian government organizations using malicious Microsoft Office documents and fake files disguised as official materials. Researchers say the attacks are aimed at stealing data and securing access inside systems.
A Belarus-linked attacker known as Ghostwriter (also known as UAC-0057 and UNC1151) has been using decoys linked to Prometheus, a Ukrainian online learning platform, to attack government organizations in the country.
According to the Computer Emergency Response Team of Ukraine (CERT-UA), the activity involves sending phishing emails to government agencies using compromised accounts. It has been ongoing since spring 2026.
“The email typically contains a PDF file with a link that, when clicked, downloads a ZIP archive containing a JavaScript file,” the agency said in a report published Thursday.
The JavaScript file, called OYSTERFRESH, is designed to display a decoy document as a distraction while covertly writing an encrypted payload called OYSTERBLUES to the Windows registry and loading and running OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.
OYSTERBLUES is equipped to collect a wide range of system information, including the computer name, user account, OS version, last OS boot time, and a list of running processes. The collected data is sent to a command-and-control (C2) server via an HTTP POST request.
It then waits for subsequent responses containing next-stage JavaScript code, which is executed using the eval() function. The final payload is assessed to be Cobalt Strike, a widely used post-exploitation framework for adversary simulation.
“To reduce the likelihood of this cyberthreat being exploited, it is advisable to apply known, basic approaches to reducing the attack surface, including by restricting the ability to run wscript.exe for standard user accounts,” CERT-UA said in a statement.
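As an added illustration of how a defender might look for the chain described above (this is example code, not part of CERT-UA's report), the following Python correlates constructed endpoint events per host and process: wscript.exe launching a .js from a user-writable path, that process writing a large registry value, and the same process making an outbound HTTP POST. The event schema, paths, sizes and the address are all assumptions.

```python
"""Correlate constructed endpoint telemetry for a wscript.exe -> registry -> HTTP POST chain.
The (host, pid, kind, detail) schema is an assumption; real EDR or Sysmon fields differ."""
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. The decoy folder name mirrors the
# Prometheus-themed lure; the address is from the documentation range 198.51.100.0/24.
EVENTS = [
    ("WS01", 4120, "process", r"C:\Windows\System32\wscript.exe C:\Users\olena\Downloads\Prometheus_course\zvit.js"),
    ("WS01", 4120, "registry", r"HKCU\Software\Classes\CLSID\{constructed}\data len=18432"),
    ("WS01", 4120, "network", "POST http://198.51.100.7/upload"),
    ("WS02", 2211, "process", r"C:\Windows\System32\wscript.exe C:\Scripts\logon.js"),
    ("WS02", 2211, "network", "GET http://intranet.example/status"),
]

# A .js started by wscript.exe from Downloads or the user's Temp folder is the first stage.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
JS_LAUNCH = re.compile(r"\\wscript\.exe\s+\"?(.+?\.js)\"?\s*$", re.I)
REG_LEN = re.compile(r"len=(\d+)")
LARGE_VALUE = 4096  # bytes; threshold for a "payload-sized" registry value (assumption)


def correlate(events):
    """Return sorted (host, pid) pairs whose events show all three stages."""
    stages = defaultdict(set)
    for host, pid, kind, detail in events:
        key = (host, pid)
        if kind == "process":
            m = JS_LAUNCH.search(detail)
            if m and USER_WRITABLE.search(m.group(1)):
                stages[key].add("js_from_user_path")
        elif kind == "registry":
            m = REG_LEN.search(detail)
            if m and int(m.group(1)) >= LARGE_VALUE:
                stages[key].add("large_registry_write")
        elif kind == "network" and detail.upper().startswith("POST "):
            stages[key].add("http_post")
    return sorted(k for k, s in stages.items() if len(s) == 3)


if __name__ == "__main__":
    for host, pid in correlate(EVENTS):
        print(f"suspicious script chain on {host} pid {pid}")
```

Only the host where all three stages occur in one process is reported; the scheduled logon script on WS02 is not flagged.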
The disclosure comes after the National Security and Defense Council of Ukraine exposed Russia's use of artificial intelligence (AI) tools such as OpenAI ChatGPT and Google Gemini to scout targets and to embed this technology in malware so that it generates malicious commands at runtime. The Council also accused Kremlin-backed hacking groups of carrying out cyberattacks aimed at obtaining intelligence and ensuring a long-term presence in compromised networks for further exploitation, including to support influence operations.
“The main vectors of the initial penetration in 2025 were social engineering, vulnerability exploitation, the use of compromised RDP and VPN accounts, supply chain attacks, and the use of unlicensed software that already contains backdoors built into the installation,” the Council said. “The attackers focused on stealing confidential information, intercepting communications, and tracking the location of targets.”
In a related development, details emerged about a pro-Kremlin propaganda campaign that had been hijacking the accounts of real Bluesky users since 2024 to publish fake content. The stolen accounts included those of journalists and professors. The activity is attributed to a Moscow-based company called the Social Design Agency, which is linked to a campaign called Matryoshka. In some of these cases, Bluesky resorted to suspending the accounts until their owners initiated reactivation.