Belarus-linked GhostWriter uses fake Prometheus training certificates to phish Ukrainian government officials

Belarus-linked hackers are sending fake course-certificate emails to Ukrainian government staff to infect their computers with espionage malware. CERT-UA says the campaign, active since spring 2026, uses compromised email accounts and messages posing as Ukraine’s Prometheus learning platform; a PDF leads victims to a ZIP that installs OysterFresh, then OysterBlues and OysterShuck, which collect host and user details and may later deliver Cobalt Strike.

Why it matters: This is a targeted espionage campaign against government staff, so affected organizations should treat related Prometheus certificate emails as suspicious, hunt for the named malware and infrastructure, and isolate infected systems quickly. For users, the practical takeaway is not to open certificate attachments or download archives from unexpected training-platform emails, even if they come from known contacts.

Sources

Belarus-linked hackers use fake training certificates to target Ukrainian officials
2026.05.21
The article establishes a distinct CERT-UA-attributed GhostWriter espionage operation using fake Prometheus certificate lures and the OysterFresh malware chain against Ukrainian officials.