UNC1151

Ghostwriter is a long-running cyber-enabled influence and espionage threat actor/campaign also tracked as UNC1151 and UAC-0057. The content describes it as Belarus-aligned or Belarus-linked, with multiple reports linking it to Belarusian state intelligence services, while other cited government statements and reporting associate Ghostwriter activity with the Russian state or Russian special services. Mandiant assessed with high confidence that UNC1151, a suspected state-sponsored cyber espionage actor, conducts at least some components of Ghostwriter activity, but stated that intelligence gaps prevent conclusive attribution of all Ghostwriter activity to UNC1151. Ghostwriter has primarily targeted audiences and organizations in Lithuania, Latvia, and Poland, promoting narratives critical of NATO’s presence in Eastern Europe and seeking to undercut regional security cooperation. Reported activity includes disinformation, hack-and-leak operations, false-flag activity, website compromises used to publish fabricated stories, spoofed emails, use of inauthentic personas, and compromise of social media and email accounts. More recent operations cited in the content used compromised social media accounts of right-leaning Polish officials to create domestic political disruption in Poland, and UNC1151-linked credential theft activity expanded to target German politicians. The content also describes sustained phishing, credential harvesting, and malware delivery operations attributed to UAC-0057 / UNC1151 / Ghostwriter against Ukrainian government organizations. CERT-UA reported campaigns using macro-enabled lure documents to launch PICASSOLOADER and deliver Cobalt Strike Beacon, as well as exploitation of WinRAR vulnerability CVE-2023-38831 using BAT, LNK, HTA, JavaScript, and SVG-hosted payloads that ultimately deployed Cobalt Strike Beacon. In 2026 reporting, Ghostwriter targeted Ukrainian government entities with Prometheus-themed phishing sent from compromised accounts. Those campaigns used PDF lures leading to ZIP archives containing JavaScript malware identified as OYSTERFRESH, which displayed decoy content, stored OYSTERBLUES in the Windows Registry, launched OYSTERSHUCK to decode it, profiled infected hosts, sent host data to command-and-control infrastructure via HTTP POST, and could lead to delivery of Cobalt Strike. Additional reporting cited JavaScript-based PicassoLoader variants, geofenced delivery to Ukrainian IP space, persistence via registry Run keys or scheduled tasks, infrastructure hidden behind Cloudflare, and frequent use of .icu domains. Reported targeting in the content includes government officials, politicians, journalists, civil society, military and defense-related entities, and government organizations in Eastern Europe, especially Poland, Lithuania, Latvia, Germany, and Ukraine.