Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
Summary
Hide ▲
Show ▼
A Ghostwriter phishing campaign is targeting Ukraine government organizations with Prometheus-themed lures, increasing the risk of credential theft and follow-on access. The operation has been active since spring 2026 and uses compromised accounts to send the emails. The delivery chain moves victims from a PDF link to a ZIP archive that launches JavaScript and can stage Cobalt Strike.
Related Happenings
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
First: 24.02.2026 16:21
Last: 24.02.2026 16:21
Sources 1
About this happening:
The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
UAC-0050 spear-phishing campaign targeting European financial institutions
CampaignAbout this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware Activity
First: 12.12.2025 16:04
Last: 12.12.2025 16:04
Sources 1
About this happening:
**BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware ActivityAbout this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
UTA0388 spear-phishing campaign delivering GOVERSHELL
Campaign
First: 09.10.2025 20:19
Last: 09.10.2025 20:19
Sources 1
About this happening:
A **China-aligned** actor, **UTA0388**, is running a **spear-phishing campaign** across **North America, Asia, and Europe** to deliver the **GOVERSHELL** implant. The operation ma...
UTA0388 spear-phishing campaign delivering GOVERSHELL
CampaignAbout this happening: A **China-aligned** actor, **UTA0388**, is running a **spear-phishing campaign** across **North America, Asia, and Europe** to deliver the **GOVERSHELL** implant. The operation ma...
Timeline
-
22.05.2026 19:20 2 articles · 5d ago
Ghostwriter Prometheus phishing campaign against Ukraine government organizations
Initial DisclosureCERT-UA disclosed that Ghostwriter (aka UAC-0057 and UNC1151) is targeting government organizations in Ukraine with Prometheus-themed phishing emails sent from compromised accounts. The delivery chain uses a PDF attachment with a link to a ZIP archive containing JavaScript named OYSTERFRESH, which drops OYSTERBLUES and launches OYSTERSHUCK; OYSTERBLUES gathers system information and sends it to a command-and-control server, and the final payload is assessed to be Cobalt Strike. CERT-UA advised restricting the ability to run wscript.exe for standard user accounts.
Show sources
- Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware — thehackernews.com — 22.05.2026 19:20
- Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware — thehackernews.com — 22.05.2026 19:20