Belarus-Aligned Ghostwriter Group Targets Ukraine with Phishing Campaign

Belarus-Aligned Ghostwriter Group Targets Ukraine with Phishing Campaign

First seen 22 May 2026, 22:25 UTC SocprimeScworld 76% similarity 77.0

Article Content

Browse articles
ThreatCluster

A phishing campaign targeting Ukrainian government organizations has been attributed to the Belarus-aligned Ghostwriter group, also known as UAC-0057. The campaign involves sending emails with PDF attachments that lead to ZIP archives containing malicious JavaScript files named OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES. Once executed, these files collect system information and can download a Cobalt Strike component for further exploitation. The attack leverages compromised accounts and utilizes Cloudflare-protected .icu domains for command-and-control infrastructure. CERT-UA has recommended measures such as restricting wscript.exe execution and monitoring registry changes to mitigate the threat. This activity is part of a broader trend of state-sponsored cyber operations targeting Ukraine amid ongoing geopolitical tensions.

Key Points: • Ghostwriter group is targeting Ukrainian government entities with phishing emails. • Malicious JavaScript files OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES are used for data exfiltration. • CERT-UA advises restricting certain script executions to mitigate this threat.

ThreatCluster AI

Timeline

2026-05-22
Phishing campaign reported by CERT-UA
CERT-UA reported a phishing campaign by Ghostwriter targeting Ukrainian government organizations using malicious JavaScript files.
Socprime
2026-05-22
Ghostwriter group identified
The Belarus-aligned threat actor Ghostwriter was linked to the phishing campaign, using Prometheus lures to target Ukraine.
Scworld

Community

Browse all →