Security News

Cybersecurity news aggregator

MEDIUM Attacks SC Media

Belarus-linked Ghostwriter group targets Ukraine using Prometheus learning platform lures

  • What: Ghostwriter group uses phishing lures targeting Ukrainian government
  • Impact: Government organizations at risk of malware infection and data theft

Government security. May 22, 2026. By SC Staff.

The Belarus-aligned threat actor known as Ghostwriter has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. This activity, which began in the spring of 2026, involves sending phishing emails to government entities using compromised accounts, with further coverage provided by The Hacker News.

Ghostwriter, also known as UAC-0057 and UNC1151, employs a multi-stage attack. Phishing emails containing a PDF attachment with a link lead to the download of a ZIP archive with a JavaScript file. This file, dubbed OYSTERFRESH, displays a decoy document while stealthily writing an obfuscated payload, OYSTERBLUES, to the Windows Registry. OYSTERBLUES then downloads and launches OYSTERSHUCK, which decodes the payload. OYSTERBLUES collects system information like computer name, user account, OS version, and running processes, sending it to a command-and-control server. The final payload is identified as Cobalt Strike, a framework often abused for post-exploitation activities.

CERT-UA advises restricting the ability to run wscript.exe for standard user accounts to mitigate this threat.

This campaign occurs amidst broader concerns about state-sponsored cyber activities, including Russia's reported use of AI tools for target scouting and embedding technology into malware, as revealed by Ukraine's National Security and Defense Council.

Source: The Hacker News
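An added example (not from SC Media, The Hacker News or CERT-UA): before enforcing the wscript.exe restriction CERT-UA advises, process-creation logs can show which standard-user accounts launch it and whether a JavaScript file was run out of an archive, as in the chain described above. The records are constructed, with field names modeled on Sysmon Event ID 1; treating Medium/Low integrity as "standard user" and the archive temp-folder patterns are assumptions.

```python
import json
import re
from ntpath import basename

# Constructed sample: one JSON object per line, fields named as in Sysmon Event ID 1.
SAMPLE_EVENTS = r'''
{"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\o.example\\AppData\\Local\\Temp\\Temp1_course.zip\\course.js\"","User":"CORP\\o.example","IntegrityLevel":"Medium"}
{"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Scripts\\inventory.js","User":"CORP\\adm.example","IntegrityLevel":"High"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\Scripts\\backup.ps1","User":"CORP\\o.example","IntegrityLevel":"Medium"}
{"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\ProgramData\\Corp\\logon.vbs","User":"CORP\\p.example","IntegrityLevel":"Medium"}
'''

# First script-file argument on the command line, quoted or unquoted.
SCRIPT_RE = re.compile(r'"([^"]+\.(?:jse?|vb[se]|wsf))"|(\S+\.(?:jse?|vb[se]|wsf))\b', re.I)
# Temp folders used when a file is opened straight out of an archive
# (Explorer ZIP folders, 7-Zip, WinRAR). Assumed patterns; extend for other tools.
ARCHIVE_RE = re.compile(r'\\Temp\\(?:Temp\d+_[^\\]+\.zip|7zO[^\\]+|Rar\$[^\\]+)\\', re.I)

def audit(jsonl):
    """Return wscript.exe launches by non-elevated users, with a triage verdict."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if basename(ev["Image"]).lower() != "wscript.exe":
            continue
        # Assumption: Medium/Low integrity stands in for "standard user account".
        if ev.get("IntegrityLevel") not in ("Medium", "Low"):
            continue
        m = SCRIPT_RE.search(ev["CommandLine"])
        script = (m.group(1) or m.group(2)) if m else None
        if script and script.lower().endswith((".js", ".jse")) and ARCHIVE_RE.search(script):
            verdict = "investigate: JS run from archive temp folder"
        else:
            verdict = "review: would be blocked by the restriction"
        findings.append({"user": ev["User"], "script": script, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

The "review" rows are the legitimate uses that need an exception or a replacement before the restriction is rolled out to standard users.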