Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets

ID: 9fee80a2-a2db-58cb-8811-a79c7fb7aa54

STIX ID: report--9fee80a2-a2db-58cb-8811-a79c7fb7aa54

Feed Name: Security Affairs

Threat Score: 88/100

Date Published: 2026-05-23

Date Updated: 2026-05-23

Author: Pierluigi Paganini

Ghostwriter (aka UNC1151 / UAC-0057) has resumed a targeted phishing campaign against Ukrainian government organizations, using the Prometheus e-learning platform as a trusted lure. The attackers send PDFs from compromised accounts that link to ZIP archives containing a JavaScript loader (OYSTERFRESH). The loader displays a decoy document while writing an obfuscated payload (OYSTERBLUES) into the Windows Registry and fetching a decoder (OYSTERSHUCK), which ultimately deploys Cobalt Strike. CERT-UA has observed the campaign since spring 2026, noted infrastructure hosted behind Cloudflare and frequent use of .icu domains, and recommended mitigations such as restricting wscript.exe for standard users.