Ghostwriter APT Targets Ukrainian Government with Decoy-Laced Malware
The Belarus-aligned **Ghostwriter** APT group (aka UAC-0057 and UNC1151) is actively targeting Ukrainian government entities using phishing campaigns that leverage lures related to the Prometheus online learning platform. The attacks involve a multi-stage malware deployment culminating in the use of **Cobalt Strike** for post-exploitation activities.
The Belarus-aligned threat actor known as **Ghostwriter** (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in Ukraine. The Computer Emergency Response Team of Ukraine (CERT-UA) has been tracking this activity, which involves sending phishing emails from compromised accounts since the spring of 2026.
### Phishing Campaign Details
According to CERT-UA, the phishing emails typically contain a PDF attachment with a link. Clicking this link leads to the download of a ZIP archive containing a malicious JavaScript file.
"Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file," the agency [said](https://cert.gov.ua/article/6315762) in a Thursday report.
### Malware Breakdown: OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK
The JavaScript file, named OYSTERFRESH, acts as a dropper. It displays a decoy document to distract the user while it stealthily writes an obfuscated and encrypted payload, OYSTERBLUES, to the Windows Registry. It also downloads and launches OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.
OYSTERBLUES is designed to harvest system information, including the computer name, user account details, OS version, time of the last OS boot, and a list of running processes. This data is then sent to a command-and-control (C2) server via an HTTP POST request.
Following the initial data exfiltration, the malware awaits further instructions in the form of next-stage JavaScript code. This code is executed using the `eval()` function. The final payload is assessed to be **Cobalt Strike**, an adversary simulation framework commonly abused for post-exploitation tasks.
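To show what the chain above (a script host launching the JavaScript dropper, a registry write by that process, then an outbound web connection) looks like in endpoint telemetry, here is an added detection example, not code from CERT-UA or from the article. The Sysmon-style event format, the sample values, and the HTTP ports it keys on are assumptions.

```python
import json
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")                 # Windows Script Host binaries
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # where extracted ZIP content lands
JS_ARG = re.compile(r"\.jse?(?![a-z0-9])")                    # a .js/.jse argument, but not .json

# Constructed Sysmon-style events (EID 1 process create, 13 registry value set,
# 3 network connection) as JSON lines; sample data, not telemetry from the campaign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\u\\Downloads\\archive\\Prometheus_course.js"}
{"EventID": 13, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Stage\\blob", "Details": "Binary Data"}
{"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 80}
{"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Scripts\\logon.vbs"}
{"EventID": 13, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Corp\\LastLogon", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\u\\Downloads\\notes.js"}
{"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "203.0.113.9", "DestinationPort": 443}
"""

def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_script_dropper(events):
    """Return ProcessGuids of script-host processes that show the whole chain:
    a .js file launched from a user-writable directory, a registry value write
    by that same process, and an outbound web connection from it."""
    stages = defaultdict(lambda: {"js_from_user_dir": False, "registry_write": False, "web_conn": False})
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        st = stages[ev["ProcessGuid"]]
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "").lower()
            st["js_from_user_dir"] = bool(JS_ARG.search(cmd)) and any(d in cmd for d in USER_WRITABLE)
        elif ev["EventID"] == 13:
            st["registry_write"] = True
        elif ev["EventID"] == 3 and ev.get("DestinationPort") in (80, 443, 8080):
            st["web_conn"] = True
    # Only processes that completed every stage are reported; a logon .vbs that
    # touches the registry, or a .js that only makes a web request, stays quiet.
    return sorted(guid for guid, st in stages.items() if all(st.values()))

if __name__ == "__main__":
    for guid in detect_script_dropper(parse_events(SAMPLE_EVENTS)):
        print("suspicious script-host chain:", guid)
```

Requiring all three stages per process keeps routine logon scripts out of the alert; in a real deployment the registry stage should additionally weigh value size, since the page describes the stored payload as an encrypted blob.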

### Mitigation Recommendations
"To reduce the likelihood of this cyber threat being exploited, it is advisable to apply known basic approaches to reducing the attack surface, specifically by restricting the ability to run wscript.exe for standard user accounts," CERT-UA advised.
### AI in Cyber Warfare and Influence Operations
This disclosure aligns with recent revelations from Ukraine's National Security and Defense Council regarding Russia's increasing use of artificial intelligence (AI) tools. These tools, including **OpenAI**'s ChatGPT and **Google** Gemini, are being used for reconnaissance and target selection. Furthermore, AI is being integrated into malware to generate malicious commands at runtime.
The Council highlighted the main attack vectors observed in 2025, which included social engineering, exploitation of vulnerabilities, compromised RDP and VPN accounts, supply chain attacks, and the use of unlicensed software containing built-in backdoors.
### Pro-Kremlin Propaganda Campaign on Bluesky
In a separate development, details have emerged concerning a pro-Kremlin propaganda campaign that hijacked legitimate **Bluesky** user accounts to disseminate fake content since 2024. Targets included journalists and professors. The activity has been attributed to the **Social Design Agency**, a Moscow-based firm linked to the Matryoshka campaign. **Bluesky** has responded by suspending affected accounts pending owner-initiated resets.