Belarus-linked hackers use fake training certificates to target Ukrainian officials
2026-5-22 12:4:25 Author: therecord.media

A Belarus-linked hacking group known as GhostWriter has launched a new espionage campaign against Ukrainian government officials using fake emails disguised as messages from a popular online learning platform to deliver malware.

According to Ukraine’s computer emergency response team, CERT-UA, the campaign has been active since the spring of 2026 and has involved phishing emails sent from compromised accounts to employees at government organizations.

The emails were disguised as messages from Prometheus, Ukraine’s largest online learning platform, and claimed to offer certificates for completing online courses. Prometheus provides classes ranging from programming and business to public administration and also hosts courses related to military service and drone engineering.

The operation has been attributed to GhostWriter, also tracked as UNC1151 and Storm-0257, a threat actor linked to Belarusian state intelligence services. The group has previously targeted Ukrainian military personnel, Polish government institutions, and other officials in the region through credential theft and influence operations.

In the latest campaign, the phishing email contained a PDF attachment with a malicious link that downloaded a ZIP archive carrying malware identified as OysterFresh. The malware chain ultimately deployed components known as OysterBlues and OysterShuck, which collect system information from infected devices and send it to attacker-controlled infrastructure hidden behind Cloudflare.

CERT-UA said the malware gathers details including the computer name, operating system version, user account information, and running processes. The agency also warned that compromised systems could later receive a payload linked to the offensive hacking framework Cobalt Strike, a legitimate penetration-testing tool frequently abused by cybercriminals and state-backed groups.

The warning comes a day after CERT-UA disclosed another espionage campaign targeting users of Delta, Ukraine’s battlefield management and situational awareness system. In that operation, unidentified attackers sent phishing emails masquerading as alerts from Ukrainian cybersecurity agencies warning recipients about alleged unauthorized access to Delta accounts.

Source: https://therecord.media/oysterfresh-belarus-linked-campaign-targets-ukraine