
Introduction
The threat actor tracked as UNC1151—also known as Ghostwriter, FrostyNeighbor, UAC-0057, and Storm-0257—has evolved from a disinformation-focused operation into one of Eastern Europe’s most aggressive credential-harvesting cyber-espionage groups. Originally gaining notoriety in 2020 by hacking media websites to plant political disinformation, the group has since shifted heavily into large-scale spear-phishing operations targeting Gmail users, Ukrainian government email portals, and high-profile individuals across the region. What sets this campaign apart is not just the scale of its infrastructure, but the technical sophistication of its multi-factor authentication (MFA) bypass—a real-time WebSocket relay that captures passwords and one-time codes simultaneously, rendering SMS and OTP-based protections effectively useless.
Learning Objectives
- Understand the technical architecture of UNC1151/Ghostwriter’s WebSocket-based MFA bypass and real-time credential relay.
- Identify the group’s infrastructure concealment techniques, including CDN routing and certificate-based fingerprinting.
- Learn to detect, analyze, and mitigate phishing campaigns leveraging compromised Ukrainian websites, fake Google login pages, and malicious JavaScript loaders.
- Implement defensive measures across Linux and Windows environments to block OYSTERFRESH/OYSTERBLUES malware chains and Cobalt Strike post-exploitation activity.
You Should Know
1. The WebSocket MFA Bypass: Real-Time Credential Relaying
The cornerstone of Ghostwriter’s current campaign is a real-time WebSocket relay designed to defeat SMS and OTP-based multi-factor authentication. In the attack against Belarusian pro-democracy politician Yury Hubarevich, the victim received a spear-phishing email—written in Russian—purporting to be a Google security alert warning of suspicious account activity. The link redirected to a compromised Ukrainian website that then served a fake Google login page.
Behind the scenes, the attackers engineered a clever technical bypass: a WebSocket connection captured both the password and the authentication code in real time, instantly relaying them back to their own servers. This live relay enabled operators to use the stolen credentials and OTP before they expired, effectively bypassing SMS or one-time password protections. The threat actors attempted to hide the true locations of their malicious servers by routing traffic through popular content delivery networks such as Bunny CDN and Cloudflare.
How to Detect WebSocket-Based Phishing Infrastructure:
Security researchers unmasked this infrastructure by using internet-scanning tools to identify the real IP addresses hosting the domains. By analyzing historical certificate data, they discovered that the fake authentication domain was actively hosted on an exposed IP address located in Poland—a critical operational security failure that stripped away the CDN protection.
Linux Command – Certificate Fingerprinting and Infrastructure Pivoting:
```bash
# Extract the SHA256 certificate fingerprint from a suspicious domain
echo | openssl s_client -servername mail.service-support.digital \
      -connect mail.service-support.digital:443 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
# Example output format (actual fingerprint):
# 2434E1A88CF2EFFA13FC4EB335560E3CF49790DDD4BD0DF7E100DE9867A19748

# Scan for open ports and WebSocket endpoints on suspicious IPs
nmap -p 3002,443,80 --open -sV 45.197.133.104

# Check for the unique WebSocket error signature (a GET with headers and body; HEAD would omit the body)
curl -si http://45.197.133.104:3002
# Expected unique signature: "VPS2 endpoint only for WebSocket"
```
Windows Command – Certificate Verification and Network Tracing:
```powershell
# Retrieve the SSL certificate thumbprint from a domain
$domain = "mail.service-support.digital"
$webRequest = [Net.WebRequest]::Create("https://$domain")
$webRequest.GetResponse() | Out-Null
$cert = $webRequest.ServicePoint.Certificate
$cert.GetCertHashString()   # SHA1 thumbprint
# Compute the SHA256 fingerprint over the raw DER bytes to compare with the IOC table
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.GetRawCertData())
([System.BitConverter]::ToString($sha256)) -replace '-', ''

# Check for WebSocket connections in active network sessions (the phishing server's port is the remote port)
netstat -ano | findstr :3002
Get-NetTCPConnection -RemotePort 3002,443,80 | Where-Object { $_.State -eq "Established" }
```
Identified Indicators of Compromise (IOCs) from the Campaign:
| IP Address | SHA256 Certificate Fingerprint | Hostname |
|---|---|---|
| 45.197.133[.]104 | 2434e1a88cf2effa13fc4eb335560e3cf49790ddd4bd0df7e100de9867a19748 | mail[.]service-support[.]digital |
| 45.197.133[.]104 | 6542f8fa3e1f00a3c0e9994c34d8b49d2c3d2684cf73c23a0b1030daaaaa4786 | accounts-verification[.]cc[.]cd |
| 45.197.133[.]104 | cb5230b57589132f63441244183f24ce727d1a2f5454d7636a3548207a585 | (additional fraudulent domain) |
Using this exact certificate fingerprint, investigators identified three additional IP addresses exhibiting the same server behavior. These newly discovered servers hosted a massive array of fraudulent domains disguised as legitimate security or account verification portals.
2. The OYSTER Malware Chain: From PDF Lure to Cobalt Strike
Ghostwriter has refined its initial access methodology beyond simple credential phishing. Since spring 2026, the group has been targeting Ukrainian government organizations using a multi-stage malware chain leveraging the legitimate Ukrainian online learning platform Prometheus as bait. This deliberate choice of a trusted platform that many government employees actually use significantly increases the effectiveness of the campaign.
Step-by-Step Attack Chain:
1. Spear-Phishing Email: Sent from already-compromised accounts, making the sender appear legitimate. The email contains a PDF attachment.
2. PDF Lure: The PDF contains a link that, when clicked, downloads a ZIP archive containing a JavaScript file.
3. OYSTERFRESH (JavaScript Loader): The JavaScript file displays a decoy document to avoid suspicion while simultaneously:
   - Dropping an obfuscated and encoded payload called OYSTERBLUES into the Windows Registry
   - Loading and launching the OYSTERSHUCK component
4. OYSTERSHUCK (Decoder): Decodes OYSTERBLUES using sequential string reversal, ROT13 transformation, and URL decoding.
5. OYSTERBLUES (Malware Workhorse): Profiles the compromised system by grabbing the computer name, username, OS version, last boot time, and a list of running processes, then ships everything to a command-and-control server via HTTP POST. It waits for instructions delivered as JavaScript code executed via the `eval()` function.
6. Final Payload: Cobalt Strike Beacon, providing persistent, flexible access to compromised systems.
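To make step 4 concrete for an analyst who has pulled a suspect string value out of the registry, here is an added Python example (not code from the article, CERT-UA, or the malware itself) that applies the three transformations in the order the article lists them and flags common markers in the result. The sample value is constructed for the demonstration; the marker list and the function names are my own choices.

```python
"""Decoder for the OYSTERSHUCK transformation chain as the article describes it:
string reversal, then ROT13, then URL (percent) decoding.
Added example for analysts; not the malware's code. The sample is constructed."""
import codecs
from urllib.parse import quote, unquote


def oyster_decode(blob: str) -> str:
    """Undo the chain in the order the article gives: reverse -> ROT13 -> URL-decode."""
    reversed_text = blob[::-1]
    unrotated = codecs.decode(reversed_text, "rot_13")  # ROT13 is its own inverse
    return unquote(unrotated)


def oyster_encode(plain: str) -> str:
    """Inverse of oyster_decode; used here only to build a constructed test sample.
    Encoding must apply the steps in reverse order: URL-encode, ROT13, then reverse."""
    return codecs.encode(quote(plain, safe=""), "rot_13")[::-1]


# Markers an analyst would expect in a decoded loader/backdoor (assumed heuristic list)
SUSPICIOUS_MARKERS = ("eval(", "XMLHttpRequest", "WScript.Shell", "http://", "https://")


def triage(blob: str) -> dict:
    """Decode a registry value and report which markers appear in the plaintext."""
    decoded = oyster_decode(blob)
    found = [marker for marker in SUSPICIOUS_MARKERS if marker in decoded]
    return {"decoded": decoded, "markers": found, "suspicious": bool(found)}


# Constructed sample: harmless stand-in for a decoded payload (example.invalid never resolves)
CONSTRUCTED_PLAIN = 'var c2 = "http://c2.example.invalid/report"; eval(reply);'
CONSTRUCTED_BLOB = oyster_encode(CONSTRUCTED_PLAIN)

if __name__ == "__main__":
    print("encoded blob :", CONSTRUCTED_BLOB)
    print("triage result:", triage(CONSTRUCTED_BLOB))
```

If a captured value fails to decode to readable script, the sample may use a different step order or an extra layer; running the three steps in every order is cheap and quickly shows which variant you are looking at.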
Linux Command – Detecting OYSTER-Related Traffic:
```bash
# Monitor for suspicious outbound HTTP POST requests to C2 infrastructure (PSH-flagged segments on port 80)
sudo tcpdump -i any -nn -A 'tcp port 80 and tcp[tcpflags] & tcp-push != 0' | grep -E "POST|User-Agent|Host"

# List the JavaScript files inside a suspicious ZIP archive without extracting them
unzip -l suspicious_file.zip

# Examine JavaScript content for obfuscation patterns
grep -E "eval|fromCharCode|atob|ROT13" extracted.js

# The Windows Registry persistence is Windows-specific; on Linux review the equivalents (cron, systemd units, shell profiles).
# For cross-platform detection, look for encoded payloads in JavaScript files
find / -name "*.js" -exec grep -lE "fromCharCode|atob|eval" {} \; 2>/dev/null
```
Windows Command – Detecting OYSTERFRESH/OYSTERBLUES Activity:
```powershell
# Monitor wscript.exe execution (primary JavaScript execution path) via Sysmon process-creation events
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} |
    Where-Object { $_.Message -match "wscript.exe" } |
    Select-Object TimeCreated, Message

# Check the Windows Registry run keys for obfuscated OYSTERBLUES payloads
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# Search registry value data for encoded PowerShell or JavaScript (a full HKLM walk is slow; narrow the path if needed)
Get-ChildItem -Path Registry::HKLM\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match "(fromCharCode|atob|eval|ROT13)") { "$($key.Name)\$name" }
    }
}

# Block wscript.exe for regular user accounts (CERT-UA recommended mitigation)
# Create a Software Restriction Policy or use AppLocker. New-AppLockerPolicy only emits Allow rules,
# so generate a path rule for wscript.exe, flip it to Deny in the XML, then merge it into the local policy.
$xml = Get-AppLockerFileInformation -Path "$env:windir\System32\wscript.exe" |
    New-AppLockerPolicy -RuleType Path -User "Everyone" -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"'
$xml | Out-File -FilePath "$env:TEMP\deny-wscript.xml" -Encoding utf8
Set-AppLockerPolicy -XmlPolicy "$env:TEMP\deny-wscript.xml" -Merge
# Scope the rule to a non-admin group instead of "Everyone" if administrators still need wscript.exe,
# and make sure the Application Identity service is running so AppLocker enforces the rule.
```
CERT-UA recommends a practical mitigation: restricting the ability to run `wscript.exe` for regular user accounts. This simple configuration change cuts off one of the most common JavaScript execution paths these campaigns rely on.
3. Infrastructure Concealment and Pivoting Techniques
Ghostwriter’s infrastructure is typically hidden behind Cloudflare, and a significant portion of the domain names used belong to the `.icu` TLD. The group registers highly deceptive domains to trick victims into handing over sensitive credentials.
How Attackers Conceal Infrastructure:
- CDN Routing: Traffic is routed through Bunny CDN and Cloudflare to mask origin servers.
- Geofencing: The group employs geographic filtering to deliver malicious payloads only to victims in specific regions (e.g., Ukrainian IPs), evading sandbox analysis and automated scanners.
- Human Validation: Manual verification ensures only intended targets receive the full attack chain, reducing the likelihood of detection by security researchers.
- Compromised Legitimate Sites: Phishing redirects use hacked Ukrainian websites as intermediaries, making the attack appear more trustworthy.
Defensive Pivoting – How to Hunt for Ghostwriter Infrastructure:
```bash
# Use Shodan or Censys to search for WebSocket endpoints with the unique error signature
# Search query example: "VPS2 endpoint only for WebSocket"

# Identify all IPs hosting certificates with known malicious fingerprints:
# check certificate fingerprints across an IP range with openssl (no SNI, so the server's default certificate is returned)
KNOWN_FPS="2434e1a88cf2effa13fc4eb335560e3cf49790ddd4bd0df7e100de9867a19748|6542f8fa3e1f00a3c0e9994c34d8b49d2c3d2684cf73c23a0b1030daaaaa4786"
for ip in $(seq 1 254); do
  fp=$(echo | timeout 5 openssl s_client -connect 45.197.133.$ip:443 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
  [ -n "$fp" ] && echo "45.197.133.$ip $fp"
done | grep -E "$KNOWN_FPS"

# Check whether a suspect .icu domain resolves into the known C2 address space
# (a TLD cannot be enumerated with dig; replace the placeholder with the domain under investigation)
dig +short A suspect-domain.icu | grep -E "^45\.197\.133\."
```
Windows Command – Blocking Malicious Domains via Hosts File:
```powershell
# Add malicious domains to the hosts file to prevent resolution (run from an elevated prompt)
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$blockedDomains = @(
    "mail.service-support.digital",
    "accounts-verification.cc.cd"
)
foreach ($domain in $blockedDomains) {
    Add-Content -Path $hostsPath -Value "127.0.0.1 $domain"
    Add-Content -Path $hostsPath -Value "::1 $domain"
}

# Flush the DNS cache
ipconfig /flushdns

# Block outbound connections to known malicious IPs using Windows Firewall
# (ports cannot be combined with -Protocol Any, so the rule blocks every port)
New-NetFirewallRule -DisplayName "Block UNC1151 C2 IP" -Direction Outbound -Protocol Any -Action Block -RemoteAddress "45.197.133.104"
```
4. Cloud Hardening and Email Security Configuration
Given that Ghostwriter targets Gmail and Ukrainian email portals, organizations must harden their cloud email configurations and implement advanced threat protection measures.
Google Workspace / Gmail Security Hardening:
- Enable Advanced Protection Program: Require security keys for all high-risk users.
- Configure Context-Aware Access: Restrict access based on IP geolocation, device compliance, and risk level.
- Implement Allowlists/Denylists: Block known malicious domains (.icu TLDs) and IP ranges associated with UNC1151.
- Deploy Data Loss Prevention (DLP): Flag and quarantine emails containing suspicious links or attachments.
Microsoft 365 / Exchange Online Security Configuration:
```powershell
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline

# Reject mail from .icu sender addresses at the mail flow level
New-TransportRule -Name "Block_ICU_TLD" -Priority 1 -FromAddressMatchesPatterns '\.icu$' `
    -RejectMessageReasonText "Domain blocked due to security policy" -RejectMessageEnhancedStatusCode "5.7.1"

# Implement anti-phishing policies with impersonation protection
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -EnableSpoofIntelligence $true -EnableMailboxIntelligence $true `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true

# Block script attachments with the common attachment types filter of the default malware policy
Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes @("js", "vbs", "wsf", "ps1")
```
Linux Email Server (Postfix) Hardening:
```bash
# Block .icu sender domains in Postfix (".icu" matches every domain under the TLD in an access map)
echo ".icu REJECT Domain blocked due to security policy" >> /etc/postfix/access
postmap /etc/postfix/access
# The map only takes effect once it is referenced from smtpd_sender_restrictions; keep any existing restrictions in the list
postconf -e "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access"
postfix reload

# Block known malicious IPs using iptables
iptables -A INPUT -s 45.197.133.104 -j DROP
iptables -A OUTPUT -d 45.197.133.104 -j DROP

# Configure SpamAssassin to flag phishing indicators
echo "header PHISHING_WEBSOCKET Subject =~ /WebSocket/i" >> /etc/spamassassin/local.cf
echo "score PHISHING_WEBSOCKET 3.0" >> /etc/spamassassin/local.cf
```
5. Endpoint Detection and Response (EDR) Evasion and Mitigation
Ghostwriter’s use of fileless techniques—registry-resident payloads and JavaScript-based execution—poses significant challenges for traditional signature-based defenses.
Detection Strategies:
- Monitor wscript.exe and cscript.exe execution from non-standard locations.
- Track registry modifications in Run, RunOnce, and other persistence keys.
- Analyze outbound HTTP POST requests to .icu domains or unusual IP addresses.
- Detect Cobalt Strike Beacon indicators including named pipes, beaconing patterns, and specific HTTP user-agent strings.
Linux EDR Configuration (Auditd Rules):
```bash
# Monitor JavaScript file creation and execution in world-writable temp directories
auditctl -w /tmp -p rwx -k suspicious_js
auditctl -w /var/tmp -p rwx -k suspicious_js

# Monitor outbound connections (connect syscalls), tagged for later searching
auditctl -a always,exit -F arch=b64 -S connect -k outbound_connection

# Review audit logs for suspicious activity
ausearch -k suspicious_js --format text
ausearch -k outbound_connection --format text
```
Windows EDR Configuration (Sysmon + PowerShell Logging):
```powershell
# Enable PowerShell script block logging (create the policy key if it does not exist yet)
$sblKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name "EnableScriptBlockLogging" -Value 1 -Type DWord

# Enable Sysmon with a custom configuration for tracking wscript.exe and registry modifications
# Sample Sysmon config to track process creation and registry events
$sysmonConfig = @"
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">wscript.exe</CommandLine>
      <CommandLine condition="contains">cscript.exe</CommandLine>
    </ProcessCreate>
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
      <TargetObject condition="contains">CurrentVersion\RunOnce</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
"@
New-Item -Path "C:\Sysmon" -ItemType Directory -Force | Out-Null
$sysmonConfig | Out-File -FilePath "C:\Sysmon\config.xml" -Encoding ascii
# Restart Sysmon with the new config:
sysmon.exe -c C:\Sysmon\config.xml
```
6. API Security and Credential Protection
Given that Ghostwriter targets credential theft, organizations must implement robust API security measures to protect authentication endpoints and prevent account takeover.
API Security Best Practices:
- Implement Rate Limiting: Prevent brute-force and credential-stuffing attacks.
- Use OAuth 2.0 with PKCE: Mitigate authorization code interception attacks.
- Enforce Short-Lived Tokens: Reduce the window of opportunity for stolen credentials.
- Monitor for Anomalous API Calls: Detect unusual patterns indicative of account compromise.
NGINX Rate Limiting Configuration:
```nginx
# Limit requests to authentication endpoints: 5 requests per minute per client IP
# (limit_req_zone belongs in the http context; the server block below goes inside it)
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
server {
    location /api/auth/login {
        limit_req zone=login_limit burst=3 nodelay;
        proxy_pass http://backend;
    }
}
```
OAuth 2.0 with PKCE Implementation (Python Example):
```python
import base64
import hashlib
import hmac
import secrets


def _s256_challenge(code_verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


# Client side: generate code_verifier and code_challenge for PKCE
def generate_pkce_pair():
    # token_urlsafe(64) yields 86 URL-safe characters, inside the 43-128 range RFC 7636 requires
    code_verifier = secrets.token_urlsafe(64)
    return code_verifier, _s256_challenge(code_verifier)


# Authorization server side: validate the token exchange with PKCE
def validate_pkce(code_verifier, code_challenge):
    # Constant-time comparison so the check does not leak how many leading characters matched
    return hmac.compare_digest(_s256_challenge(code_verifier), code_challenge)
```
What Undercode Say
- WebSocket MFA bypass represents a paradigm shift in phishing capabilities. The real-time relay of credentials and OTPs renders traditional SMS-based 2FA ineffective. Organizations must transition to FIDO2/WebAuthn security keys or hardware-based authenticators that are resistant to proxy-based attacks.
- The fusion of influence operations and credential theft is a dangerous evolution. Ghostwriter’s shift from disinformation to cyber-espionage demonstrates how state-aligned threat actors are consolidating capabilities. Defenders must treat phishing campaigns not as isolated incidents but as components of broader intelligence-gathering operations.
- Infrastructure fingerprinting is a powerful defensive technique. The exposed WebSocket endpoint signature (“VPS2 endpoint only for WebSocket”) enabled researchers to pivot and identify additional malicious infrastructure. Security teams should proactively scan their environments for similar fingerprints and share IOCs across the community.
- Geofencing and human validation make detection significantly harder. Traditional sandbox and automated analysis tools are often bypassed because the malicious payloads only trigger for victims in specific geographic regions. Defenders should augment automated detection with threat hunting and behavioral analysis.
- The OYSTER malware chain exemplifies the fileless threat trend. By storing encoded payloads in the Windows Registry and using JavaScript loaders, Ghostwriter evades many traditional endpoint protection solutions. Organizations must deploy EDR solutions with memory and behavior-based detection capabilities.
- Basic attack surface reduction remains highly effective. CERT-UA’s recommendation to block `wscript.exe` for standard users is a simple but powerful mitigation. Security teams should review and restrict the execution of scripting engines across their environments.
- Compromised legitimate accounts are the new phishing vector. Ghostwriter sends phishing emails from already-compromised accounts, making sender reputation checks ineffective. Organizations must implement multi-layered email security that includes content analysis, link sandboxing, and anomaly detection.
- The use of CDNs for malicious infrastructure complicates threat hunting. Attackers leveraging Cloudflare and Bunny CDN obscure their origin servers. Defenders must use certificate analysis, historical DNS records, and Internet-wide scanning to unmask hidden infrastructure.
- Cobalt Strike remains the post-exploitation framework of choice. The consistent use of Cobalt Strike across Ghostwriter campaigns underscores the need for robust detection of Beacon indicators, including named pipes, HTTP beaconing patterns, and process injection techniques.
- Proactive threat intelligence sharing is essential. The identification of malicious certificate fingerprints, IP addresses, and domain patterns depends on collaborative analysis. Organizations should contribute to and consume threat intelligence feeds to stay ahead of evolving adversary tactics.
Prediction
- +1 The adoption of WebSocket-based MFA bypass techniques will proliferate beyond state-aligned APT groups to ransomware operators and cybercriminal gangs within the next 12–18 months, democratizing advanced phishing capabilities.
- -1 Organizations that fail to transition from SMS/OTP-based 2FA to phishing-resistant authenticators (FIDO2/WebAuthn) will face increasing rates of account compromise, as traditional MFA is rendered ineffective against real-time credential relays.
- +1 The exposure of Ghostwriter’s infrastructure through certificate fingerprinting and WebSocket signatures will drive threat actors to adopt more sophisticated operational security measures, potentially including dynamic certificate rotation and ephemeral infrastructure.
- -1 Geofencing and human validation will continue to evade automated detection systems, forcing security teams to invest more heavily in threat hunting and behavioral analytics to detect targeted spear-phishing campaigns.
- +1 The shift toward fileless, registry-resident malware will accelerate the adoption of memory forensics and endpoint detection solutions with advanced behavioral analysis capabilities, driving innovation in the EDR market.
- -1 The use of compromised legitimate accounts as phishing vectors will undermine traditional email security controls, requiring organizations to implement zero-trust email architectures and continuous authentication mechanisms.
- +1 Collaborative threat intelligence sharing—exemplified by the CERT-UA advisory and Censys research—will become increasingly critical as adversaries continue to evolve their tactics, techniques, and procedures at an accelerated pace.
Reported By: Varshu25 Ghostwriter – Hackers Feeds


