Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware
ID: 77eceb20-cccf-5fd9-a46d-e4d128e406c4
STIX ID: report--77eceb20-cccf-5fd9-a46d-e4d128e406c4
Feed Name: The Hacker News
CERT-UA attributes a spring-2026 phishing campaign targeting Ukrainian government entities to the Belarus-aligned APT Ghostwriter (UAC-0057/UNC1151). PDF lures lead to a ZIP containing a JavaScript loader (OYSTERFRESH) that stores an obfuscated/encrypted payload (OYSTERBLUES) in the Windows Registry and fetches/decodes follow-on code (OYSTERSHUCK), ultimately deploying Cobalt Strike. The report also notes Russian use of AI for targeting and a separate pro-Kremlin Bluesky account-hijacking influence operation (Matryoshka).
