Belarus‑linked GhostWriter Uses Fake Training Certificates to Deploy OysterFresh Malware Against Ukrainian Government Officials
What Happened — A Belarus‑state‑linked espionage group (GhostWriter/UNC1151/Storm‑0257) has been sending phishing emails that masquerade as certificates from Ukraine’s largest e‑learning platform, Prometheus. The messages contain a malicious PDF that drops a ZIP archive delivering the OysterFresh malware family, which harvests system details and can pull in Cobalt Strike payloads.
Why It Matters for TPRM
- State‑backed actors are exploiting trusted education‑platform branding to compromise third‑party government accounts.
- The campaign demonstrates how compromised vendor or partner email accounts can become a conduit for credential theft and espionage.
- Early detection hinges on monitoring phishing trends and verifying the authenticity of training‑related communications from suppliers.
Who Is Affected
- Government agencies and public‑sector entities in Ukraine.
- Any third‑party service providers that host or manage email for Ukrainian officials (e.g., cloud email providers, managed service providers).
Recommended Actions
- Instruct all vendors handling government communications to enforce MFA and email‑origin authentication (DMARC, SPF, DKIM).
- Conduct phishing‑simulation training focused on “certificate” and “training” lure themes.
- Review and harden email gateway rules to block suspicious PDF/ZIP attachments from unknown senders.
- Verify the legitimacy of any training‑certificate notifications with the purported platform before opening attachments.
Technical Notes — The phishing chain uses a PDF with a malicious link that retrieves a ZIP containing OysterFresh, which drops OysterBlues and OysterShuck modules to collect OS, username, process list, and other telemetry. Collected data is exfiltrated via Cloudflare‑protected C2. The malware can later load Cobalt Strike, a legitimate penetration‑testing tool abused for post‑exploitation. Source: The Record