HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Belarus‑linked GhostWriter Deploys OysterFresh via Fake Training Certificates Targeting Ukrainian Officials

GhostWriter (UNC1151) has been sending phishing emails disguised as Prometheus training certificates to Ukrainian government staff. The messages deliver OysterFresh malware that harvests system data and can pull in Cobalt Strike payloads, posing a significant espionage risk for public‑sector third‑party relationships.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
therecord.media

Belarus‑linked GhostWriter Uses Fake Training Certificates to Deploy OysterFresh Malware Against Ukrainian Government Officials

What Happened — A Belarus‑state‑linked espionage group (GhostWriter/UNC1151/Storm‑0257) has been sending phishing emails that masquerade as certificates from Ukraine’s largest e‑learning platform, Prometheus. The messages contain a malicious PDF that drops a ZIP archive delivering the OysterFresh malware family, which harvests system details and can pull in Cobalt Strike payloads.

Why It Matters for TPRM

  • State‑backed actors are exploiting trusted education‑platform branding to compromise third‑party government accounts.
  • The campaign demonstrates how compromised vendor or partner email accounts can become a conduit for credential theft and espionage.
  • Early detection hinges on monitoring phishing trends and verifying the authenticity of training‑related communications from suppliers.

Who Is Affected

  • Government agencies and public‑sector entities in Ukraine.
  • Any third‑party service providers that host or manage email for Ukrainian officials (e.g., cloud email providers, managed service providers).

Recommended Actions

  • Instruct all vendors handling government communications to enforce MFA and email‑origin authentication (DMARC, SPF, DKIM).
  • Conduct phishing‑simulation training focused on “certificate” and “training” lure themes.
  • Review and harden email gateway rules to block suspicious PDF/ZIP attachments from unknown senders.
  • Verify the legitimacy of any training‑certificate notifications with the purported platform before opening attachments.

Technical Notes — The phishing chain uses a PDF with a malicious link that retrieves a ZIP containing OysterFresh, which drops OysterBlues and OysterShuck modules to collect OS, username, process list, and other telemetry. Collected data is exfiltrated via Cloudflare‑protected C2. The malware can later load Cobalt Strike, a legitimate penetration‑testing tool abused for post‑exploitation. Source: The Record

📰 Original Source
https://therecord.media/oysterfresh-belarus-linked-campaign-targets-ukraine

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →