Belarus-Linked GhostWriter Targets Ukrainian Government with Phishing Campaign Disguised as Online Learning Platform
A hacking group with ties to Belarus, **GhostWriter** (also tracked as UNC1151 and Storm-0257), has launched a new espionage campaign targeting Ukrainian government officials. The campaign utilizes sophisticated phishing emails disguised as messages from **Prometheus**, a popular online learning platform in Ukraine, to deliver malware.
According to Ukraine's computer emergency response team, **CERT-UA**, the campaign has been active since the spring of 2024 and involves phishing emails sent from compromised accounts to employees at government organizations.
### Phishing Scheme Details
The emails are crafted to appear as legitimate messages from **Prometheus**, claiming to offer certificates for completing online courses. **Prometheus** provides a wide range of courses, including those related to programming, business, public administration, military service, and even drone engineering, making it an effective lure.
### GhostWriter's Modus Operandi
**GhostWriter**, a threat actor linked to Belarusian state intelligence services, has a history of targeting Ukrainian military personnel, Polish government institutions, and other officials in the region. Their previous tactics include credential theft and influence operations.
### Malware Delivery and Infection Chain
The phishing emails contain a PDF attachment with a malicious link. This link downloads a ZIP archive containing malware identified as OysterFresh. The malware chain further deploys components known as OysterBlues and OysterShuck.
These components are designed to collect system information from infected devices and transmit it to attacker-controlled infrastructure, which is hidden behind **Cloudflare**.
### Data Exfiltration and Potential Cobalt Strike Deployment
**CERT-UA** reports that the malware gathers a comprehensive range of details, including the computer name, operating system version, user account information, and a list of running processes. The agency also warns that compromised systems could potentially receive a payload linked to **Cobalt Strike**, a legitimate penetration-testing tool frequently abused by cybercriminals and state-backed groups for malicious purposes.
### Recent Espionage Campaign Targeting Delta System
This warning follows a recent disclosure by **CERT-UA** regarding another espionage campaign targeting users of Delta, Ukraine's battlefield management and situational awareness system. In that operation, attackers sent phishing emails masquerading as alerts from Ukrainian cybersecurity agencies, warning recipients about alleged unauthorized access to Delta accounts.