Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
Summary
Hide ▲
Show ▼
A Ghostwriter phishing campaign is targeting Ukraine government organizations with Prometheus-themed lures, increasing the risk of credential theft and follow-on access. The operation has been active since spring 2026 and uses compromised accounts to send the emails. The delivery chain moves victims from a PDF link to a ZIP archive that launches JavaScript and can stage Cobalt Strike.
Related Happenings
Hotel and hospitality photo-ZIP phishing campaign
Campaign
H score40
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
Hotel and hospitality photo-ZIP phishing campaign
CampaignAbout this happening: An **active phishing campaign** is targeting **hotel and hospitality organizations** across **Europe and Asia**, increasing the risk of **front-desk machine compromise** and durab...
WhatsApp VBScript attachment distribution campaign
Campaign
H score42
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript attachment distribution campaign
CampaignAbout this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
H score50
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
H score29
First: 24.02.2026 16:21
Last: 24.02.2026 16:21
Sources 1
About this happening:
The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
UAC-0050 spear-phishing campaign targeting European financial institutions
CampaignAbout this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware Activity
H score36
First: 12.12.2025 16:04
Last: 12.12.2025 16:04
Sources 1
About this happening:
**BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware ActivityAbout this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
Timeline
-
22.05.2026 19:20 2 articles · 1mo ago
Ghostwriter Prometheus phishing campaign against Ukraine government organizations
Initial DisclosureCERT-UA disclosed that Ghostwriter (aka UAC-0057 and UNC1151) is targeting government organizations in Ukraine with Prometheus-themed phishing emails sent from compromised accounts. The delivery chain uses a PDF attachment with a link to a ZIP archive containing JavaScript named OYSTERFRESH, which drops OYSTERBLUES and launches OYSTERSHUCK; OYSTERBLUES gathers system information and sends it to a command-and-control server, and the final payload is assessed to be Cobalt Strike. CERT-UA advised restricting the ability to run wscript.exe for standard user accounts.
Show sources
- Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware — thehackernews.com — 22.05.2026 19:20
- Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware — thehackernews.com — 22.05.2026 19:20