Ghostwriter Uses Prometheus Lures to Drop OYSTERFRESH Malware

Stephanie Adlam

CERT-UA says the Belarus-aligned Ghostwriter group used fake Prometheus certificate lures to target Ukrainian government entities. The campaign, active since spring 2026, used compromised email accounts and PDFs that pushed recipients toward a ZIP archive carrying JavaScript malware.

The user-facing trick is specific: the lure pretends to be tied to Prometheus, a Ukrainian online learning platform, and offers a certificate download. That makes the click feel administrative rather than dramatic. Once opened, the JavaScript component tracked as OYSTERFRESH shows a decoy document while writing an obfuscated payload called OYSTERBLUES into the Windows Registry and launching OYSTERSHUCK to decode it.

Image: OYSTERFRESH phishing page using a fake Prometheus certificate download lure, shared by CERT-UA and reproduced by The Record. Source: The Record.

How the lure works

The campaign does not rely on a flashy fake prize or obvious account warning. It uses a familiar administrative flow: a PDF attachment, a link, and a promised training certificate. CERT-UA described emails sent from compromised accounts, which increases trust because the message may appear to come from a real contact or organization.

The suspicious jump is the file chain. A normal certificate should not require a ZIP archive with JavaScript. In this campaign, the PDF leads to a ZIP, the ZIP contains the JavaScript loader, and the loader starts the malware chain while showing a decoy document to reduce suspicion.
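The chain described above is easy to check for at the mail gateway or on a download proxy: a ZIP that claims to deliver a certificate but carries a Windows Script Host file is the anomaly. The following is an added example written for this article, not code from CERT-UA or The Record; the extension list and the two in-memory archives are constructed for illustration and are not indicators from the advisory.

```python
import io
import zipfile

# Windows Script Host / HTML Application extensions that have no business inside a
# "certificate" archive. Chosen for this example, not taken from the CERT-UA advisory.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose real (last) extension is a script type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Use the last extension so double extensions like "certificate.pdf.js" are caught.
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext in SCRIPT_EXTENSIONS:
                found.append(name)
    return found


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision: block any archive that contains a script member, otherwise allow."""
    return "block" if script_members(zip_bytes) else "allow"


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP for offline testing (sample data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign archive and one shaped like the PDF -> ZIP -> JS lure.
BENIGN = build_sample_zip({"certificate.pdf": b"%PDF-1.4 placeholder"})
LURE_LIKE = build_sample_zip({
    "Certificate_Prometheus.pdf.js": b"// placeholder script body",
    "decoy.pdf": b"%PDF-1.4 placeholder",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("lure-like", LURE_LIKE)):
        print(label, verdict(blob), script_members(blob))
```

Checking the last extension rather than the first is the point: a member named `Certificate_Prometheus.pdf.js` is still a script to Windows, whatever the middle of the name says.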

What defenders should look for

OYSTERBLUES collects host inventory before sending it to attacker infrastructure. Public reporting says the collected data includes items such as the computer name, user account, OS version, last boot time, and running processes. CERT-UA also warned that infected systems may later receive a Cobalt Strike payload.

  • Emails with Prometheus, training, or certificate wording sent from otherwise legitimate accounts.
  • PDF attachments that redirect users to ZIP downloads.
  • JavaScript execution from extracted archives, especially through wscript.exe.
  • Registry writes associated with obfuscated script payloads.
  • HTTP POST activity after script execution and any later Cobalt Strike indicators.
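The bullet list above reads as a sequence: a script host runs a file out of an extracted archive, writes to the registry, then POSTs inventory out. The example below, added for this article rather than taken from CERT-UA's advisory, correlates those three stages per host within a short time window over constructed endpoint telemetry. The hostnames, paths, registry key and URL are placeholders, not indicators from the reporting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process", "registry" or "network"
    image: str   # process that performed the action
    detail: str  # command line, registry path, or HTTP method plus URL


# Constructed sample telemetry. WS-01 shows the full chain; WS-02 is a legitimate logon script.
SAMPLE_EVENTS = [
    Event(datetime(2026, 5, 20, 9, 0, 0), "WS-01", "process", r"C:\Windows\System32\wscript.exe",
          r'"C:\Users\user\AppData\Local\Temp\Rar$DIa1234\Certificate.pdf.js"'),
    Event(datetime(2026, 5, 20, 9, 0, 2), "WS-01", "registry", r"C:\Windows\System32\wscript.exe",
          r"HKCU\Software\Classes\CLSID\{placeholder}\Payload"),
    Event(datetime(2026, 5, 20, 9, 0, 5), "WS-01", "network", r"C:\Windows\System32\wscript.exe",
          "POST http://placeholder.example/upload"),
    Event(datetime(2026, 5, 20, 10, 0, 0), "WS-02", "process", r"C:\Windows\System32\wscript.exe",
          r'"C:\Scripts\logon.js"'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Substrings that mark a script launched from a temp or archive-extraction directory.
ARCHIVE_TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\rar$", "\\7z")


def is_script_host(image: str) -> bool:
    """True when the image is a Windows Script Host binary, regardless of directory."""
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def detect_chain(events, window=timedelta(minutes=5)):
    """One finding per script-host launch from a temp/archive path, scored by how many
    of the later stages (registry write, HTTP POST) the same host showed inside the window."""
    findings = []
    starts = [e for e in events
              if e.kind == "process" and is_script_host(e.image)
              and any(m in e.detail.lower() for m in ARCHIVE_TEMP_MARKERS)]
    for start in starts:
        later = [e for e in events
                 if e.host == start.host and is_script_host(e.image)
                 and start.ts <= e.ts <= start.ts + window]
        stages = {
            "script_from_archive": True,
            "registry_write": any(e.kind == "registry" for e in later),
            "http_post": any(e.kind == "network" and e.detail.upper().startswith("POST ")
                             for e in later),
        }
        findings.append({"host": start.host, "first_seen": start.ts,
                         "stages": stages, "score": sum(stages.values())})
    return findings


if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f["host"], f["score"], f["stages"])
```

A score of 3 is the full loader chain; a lone script-host launch from a temp path (score 1) is worth a look but fires on benign extraction workflows too, so the registry and outbound-POST stages are what lift it to an incident.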

Practical mitigation

The fastest defensive control is to reduce script execution from user-space archives. CERT-UA specifically recommends restricting wscript.exe for standard user accounts where possible [1]. That does not replace mail filtering or endpoint detection, but it removes one of the most convenient execution paths for this campaign.

This is a good example of why certificate or training-themed files still need the same scrutiny as invoice lures. If a ZIP drops JavaScript after a user follows a “download certificate” prompt, the certificate is no longer the story. It is the cover. We covered a related Ukraine-focused document lure chain in FrostyNeighbor’s PicassoLoader campaign.

References

  1. CERT-UA, advisory on UAC-0057/Ghostwriter activity using Prometheus lures, May 2026.
  2. The Record, “Belarus-linked hackers use fake training certificates to target Ukrainian officials,” May 21, 2026.