{"id":252661,"date":"2026-05-22T12:20:00","date_gmt":"2026-05-22T16:20:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/ghostwriter-targets-ukraine-government-entities-with-prometheus-phishing-malware\/"},"modified":"2026-05-22T13:50:07","modified_gmt":"2026-05-22T17:50:07","slug":"ghostwriter-targets-ukraine-government-entities-with-prometheus-phishing-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/ghostwriter-targets-ukraine-government-entities-with-prometheus-phishing-malware\/","title":{"rendered":"Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware"},"content":{"rendered":"

Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/05\/ghostwriter-targets-ukraine-government.html<\/a><\/p>\n

Publish Date: 2026-05-22 12:20:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802May 22, 2026<\/span><\/span>Malware \/ Artificial Intelligence<\/span><\/p>\n

The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151Ukraine’s National Security and Defense Council) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country.<\/p>\n

The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government entities using compromised accounts. It’s been active since the spring of 2026.<\/p>\n

“Typically, the email contains a PDF attachment with a link that, when clicked, leads to the download of a ZIP archive containing a JavaScript file,” the agency said in a Thursday report.<\/p>\n

The JavaScript file, dubbed OYSTERFRESH, is designed to display a decoy document as a distraction mechanism, while stealthily writing an obfuscated and encrypted payload called OYSTERBLUES to the Windows Registry, as well as downloading and launching OYSTERSHUCK, which is responsible for decoding OYSTERBLUES.<\/p>\n

OYSTERBLUES is equipped to harvest a wide range of system information, including computer name, user account, OS version, time of the last OS boot, and a list of running processes. The collected data is sent to a command-and-control (C2) server over an HTTP POST request.<\/p>\n

It then awaits further responses containing next-stage JavaScript code, which is executed using the eval() function. The final payload is assessed to be Cobalt Strike, an adversary simulation framework that’s widely abused for post-exploitation activities.<\/p>\n

\"\"<\/p>\n

“To reduce the likelihood of this cyber threat being exploited, it is advisable to apply known basic approaches to reducing the attack surface, specifically by restricting the ability to run wscript.exe for standard user accounts,” CERT-UA said.<\/p>\n

The disclosure comes as Ukraine’s National Security and Defense Council revealed Russia’s use of artificial intelligence (AI) tools like OpenAI ChatGPT and Google Gemini to…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware https:\/\/thehackernews.com\/2026\/05\/ghostwriter-targets-ukraine-government.html Publish Date: 2026-05-22 12:20:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":252663,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhNDmjcnVzVIqFFB-CQU7L6G8XVTifkZGmIMcPrui1EoffwwvtPXCrjKhRtIfxYsfPb5OUON4KQ1MVRosbP1BgCeFpqIIWRbgv34naUxEUTzyGRsPB6fY2gJJa5AXgT085SLFuc8ykNinXhnnpQzGAT2Kw1YwNe05vxSxlb6EVTu8_CoDws3QwR_SCk7dXm\/s1600\/ukuk.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,32,25,34],"class_list":["post-252661","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252661"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=252661"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252661\/revisions"}],"predecessor-version":[{"id":252665,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252661\/revisions\/252665"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/252663"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=252661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=252661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=252661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}