Scworld
Belarus-Aligned Ghostwriter Group Targets Ukraine with Phishing Campaign
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A phishing campaign targeting Ukrainian government organizations has been attributed to the Belarus-aligned Ghostwriter group, also known as UAC-0057. The campaign involves sending emails with PDF attachments that lead to ZIP archives containing malicious JavaScript files named OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES. Once executed, these files collect system information and can download a Cobalt Strike component for further exploitation. The attack leverages compromised accounts and utilizes Cloudflare-protected .icu domains for command-and-control infrastructure. CERT-UA has recommended measures such as restricting wscript.exe execution and monitoring registry changes to mitigate the threat. This activity is part of a broader trend of state-sponsored cyber operations targeting Ukraine amid ongoing geopolitical tensions.
Key Points: • Ghostwriter group is targeting Ukrainian government entities with phishing emails. • Malicious JavaScript files OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES are used for data exfiltration. • CERT-UA advises restricting certain script executions to mitigate this threat.