Find notable cyber news and cases, enriched with sources, timelines, and signals.

Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

A Ghostwriter phishing campaign is targeting Ukraine government organizations with Prometheus-themed lures, increasing the risk of credential theft and follow-on access. The operation has been active since spring 2026 and uses compromised accounts to send the emails. The delivery chain moves victims from a PDF link to a ZIP archive that launches JavaScript and can stage Cobalt Strike.

Related Happenings

Hotel and hospitality photo-ZIP phishing campaign

Campaign
H score40 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...

WhatsApp VBScript attachment distribution campaign

Campaign
H score42 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...

Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities

Campaign
H score50 First: 14.05.2026 17:00 Last: 14.05.2026 17:00 Sources 1

About this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...

UAC-0050 spear-phishing campaign targeting European financial institutions

Campaign
H score29 First: 24.02.2026 16:21 Last: 24.02.2026 16:21 Sources 1

About this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...

BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft

Malware Activity
H score36 First: 12.12.2025 16:04 Last: 12.12.2025 16:04 Sources 1

About this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...

Timeline

  1. 22.05.2026 19:20 2 articles · 1mo ago

    Ghostwriter Prometheus phishing campaign against Ukraine government organizations

    Initial Disclosure

    CERT-UA disclosed that Ghostwriter (aka UAC-0057 and UNC1151) is targeting government organizations in Ukraine with Prometheus-themed phishing emails sent from compromised accounts. The delivery chain uses a PDF attachment with a link to a ZIP archive containing JavaScript named OYSTERFRESH, which drops OYSTERBLUES and launches OYSTERSHUCK; OYSTERBLUES gathers system information and sends it to a command-and-control server, and the final payload is assessed to be Cobalt Strike. CERT-UA advised restricting the ability to run wscript.exe for standard user accounts.

    Show sources