A Belarus-linked hacking group known as GhostWriter has launched a new espionage campaign against Ukrainian government officials using fake emails disguised as messages from a popular online learning platform to deliver malware.
Phishing Campaign Targets Ukrainian Officials
According to Ukraine’s computer emergency response team, CERT-UA, the campaign has been active since the spring of 2026 and has involved phishing emails sent from compromised accounts to employees at government organizations.
The emails were disguised as messages from Prometheus, Ukraine’s largest online learning platform, and claimed to offer certificates for completing online courses. Prometheus provides classes ranging from programming and business to public administration and also hosts courses related to military service and drone engineering.
Attribution and Previous Campaigns
The operation has been attributed to GhostWriter, also tracked as UNC1151 and Storm-0257, a threat actor linked to Belarusian state intelligence services. The group has previously targeted Ukrainian military personnel, Polish government institutions, and other officials in the region through credential theft and influence operations.
In the latest campaign, the phishing email contained a PDF attachment with a malicious link that downloaded a ZIP archive carrying malware identified as OysterFresh. The malware chain ultimately deployed components known as OysterBlues and OysterShuck, which collect system information from infected devices and send it to attacker-controlled infrastructure hidden behind Cloudflare.
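A mail-gateway triage check for the delivery chain described above, written for this page as an added example; it is not code from CERT-UA or from the reporting. It assumes the link inside the PDF has a path ending in an archive extension, which the report does not state, and the file name, URL and helper names are constructed for illustration.

```python
import re
import zlib
from email import message_from_bytes
from email.message import EmailMessage
from urllib.parse import urlparse

ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso")  # assumed triage list, not from CERT-UA
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # literal-string URIs only (simplification)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def pdf_uris(pdf: bytes) -> list[str]:
    """Return /URI action targets, including those inside Flate-compressed streams."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream uses another filter (image, font, ...)
    found = [m.group(1).decode("latin-1") for b in bodies for m in URI_RE.finditer(b)]
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def archive_links_in_pdf_attachments(raw_email: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, URL) for each PDF attachment link that points at an archive."""
    hits = []
    for part in message_from_bytes(raw_email).walk():
        data = part.get_payload(decode=True)  # None for multipart containers
        if not data or not data.lstrip().startswith(b"%PDF-"):  # trust magic bytes, not MIME type
            continue
        for uri in pdf_uris(data):
            if urlparse(uri).path.lower().endswith(ARCHIVE_EXTS):
                hits.append((part.get_filename() or "<unnamed>", uri))
    return hits

def constructed_sample(url: str) -> bytes:
    """Constructed test message: a PDF whose link annotation sits in a compressed object stream."""
    annot = b"<< /Subtype /Link /A << /S /URI /URI (" + url.encode() + b") >> >>"
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
           + zlib.compress(annot) + b"\nendstream\nendobj\n%%EOF\n")
    msg = EmailMessage()
    msg["Subject"] = "Your course certificate"
    msg.set_content("Your certificate is attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="certificate.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(archive_links_in_pdf_attachments(
        constructed_sample("https://files.example.test/cert/certificate.zip")))
```

A hit is a reason to quarantine and review the message, not a verdict; links that redirect or that carry no archive extension need URL detonation or proxy logs to catch.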
Malware Capabilities and Warning
CERT-UA said the malware gathers details including the computer name, operating system version, user account information, and running processes. The agency also warned that compromised systems could later receive a payload linked to the offensive hacking framework Cobalt Strike, a legitimate penetration-testing tool frequently abused by cybercriminals and state-backed groups.
The warning comes a day after CERT-UA disclosed another espionage campaign targeting users of Delta, Ukraine’s battlefield management and situational awareness system. In that operation, unidentified attackers sent phishing emails masquerading as alerts from Ukrainian cybersecurity agencies warning recipients about alleged unauthorized access to Delta accounts.
Context and Previous Reporting
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the cyberwar between Ukraine and Russia.
Her work has also been published at Sifted, The Kyiv Independent, and The Kyiv Post, providing insights into the ongoing conflict and its impact on the region. The latest campaign by GhostWriter highlights the ongoing threat posed by state-backed hacking groups and the need for increased vigilance and cybersecurity measures to protect against these types of attacks.
Fake training certificates and phishing emails disguised as messages from legitimate online learning platforms are tactics, techniques, and procedures (TTPs) that GhostWriter has used in the past, and the group will likely continue to evolve and adapt its methods to evade detection and achieve its goals.
- The campaign has been active since the spring of 2026.
- The phishing emails were sent from compromised accounts to employees at government organizations.
- The emails were disguised as messages from Prometheus, Ukraine’s largest online learning platform.
- The malware chain deployed components known as OysterBlues and OysterShuck.
- The malware gathers details including the computer name, operating system version, user account information, and running processes.
The incident highlights the importance of cybersecurity awareness and the need for individuals and organizations to be vigilant when receiving emails or messages from unknown or unverified sources. By being aware of the tactics and techniques used by threat actors like GhostWriter, individuals and organizations can take steps to protect themselves and prevent similar attacks in the future.
Source: The Record