The Belarus-aligned threat actor known as Ghostwriter (tracked as UAC-0057 and UNC1151) has resurfaced with a targeted phishing campaign against Ukrainian government organizations, this time leveraging lures themed around Prometheus — a legitimate Ukrainian online learning platform widely used in the public sector.
Campaign Overview
According to the Computer Emergency Response Team of Ukraine (CERT-UA), the campaign uses socially engineered emails that impersonate notifications from the Prometheus platform to lure government employees into clicking malicious links or opening weaponized attachments.
The goal is to deliver malware capable of establishing persistent access on victim systems, enabling data theft and further lateral movement within compromised government networks.
Who is Ghostwriter?
Ghostwriter is a well-documented advanced persistent threat (APT) group believed to operate on behalf of Belarusian intelligence services. The group has been active since at least 2017 and is known for:
- Influence operations: Fabricating content attributed to legitimate news outlets and government officials
- Spear phishing: Highly targeted campaigns against military, government, and civil society targets in Ukraine, Poland, and Baltic states
- Website compromises: Injecting malicious content into legitimate websites to spread disinformation
- Credential harvesting: Using phishing infrastructure to steal login credentials for follow-on access
The group overlaps significantly with the threat cluster tracked by Google as UNC1151 and has been linked to Belarusian GRU activities.
Prometheus Lure Technique
By impersonating Prometheus — a widely recognized educational platform for Ukrainian government employees — Ghostwriter demonstrates a sophisticated understanding of the target environment. Government staff regularly receive legitimate notifications from such platforms, making the lures difficult to distinguish from genuine communications.
The technique follows a pattern of platform impersonation phishing increasingly favored by state-sponsored actors, where trust established by popular internal tools is weaponized against the very organizations that rely on them.
Delivered Malware
CERT-UA's analysis indicates the campaign delivers malware upon successful phishing, though specific payload details vary across observed waves. Previous Ghostwriter campaigns have been associated with:
- Agent Tesla and FormBook infostealers
- Cobalt Strike beacons for persistent access
- Custom loaders designed to evade endpoint detection
Indicators and Recommendations
Organizations in Ukraine's government sector should:
- Verify sender addresses carefully for any Prometheus or e-learning platform notifications
- Enable multi-factor authentication on all government portals and email accounts
- Block macro execution in Microsoft Office documents from external sources
- Review CERT-UA advisories regularly for updated indicators of compromise
- Train staff to recognize impersonation-based spear phishing
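The first recommendation above (checking who actually sent a platform-themed notification) is the one that lends itself to automation at the mail gateway or in a SOC triage script. The following is an added example, not code from the article or from CERT-UA: it takes a raw message, decides whether it presents itself as a Prometheus notification, and then checks whether the sending domain, the DMARC verdict, the Reply-To header and the embedded links are consistent with that claim. The legitimate domain (`prometheus.example`), the lookalike domains, the keyword list and both sample messages are constructed placeholders for this example; the genuine sending domain must be taken from the platform's own published mail configuration.

```python
"""Triage check for platform-impersonation phishing (added example).

All domains, keywords and sample messages below are constructed for this
example; none of them are indicators from the campaign described above.
"""
import email
import email.utils
import re
from email import policy

# ASSUMPTION: placeholder for the platform's genuine sending domain. Replace it
# with the domain seen in the platform's own published SPF/DKIM/DMARC records.
LEGIT_DOMAINS = {"prometheus.example"}

# Example keywords in the display name or subject that signal a message claims
# to be a platform notification (Latin brand name plus Ukrainian stems for
# "course" and "learning"); tune this list to the lures actually observed.
PLATFORM_KEYWORDS = ("prometheus", "курс", "навчан")

URL_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(address_header: str) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _display, addr = email.utils.parseaddr(str(address_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(value)):
            results[mech.lower()] = verdict.lower()
    return results


def claims_platform(msg) -> bool:
    """True when the display name or subject invokes the platform brand."""
    display, _addr = email.utils.parseaddr(str(msg.get("From", "")))
    text = f"{display} {msg.get('Subject', '')}".lower()
    return any(keyword in text for keyword in PLATFORM_KEYWORDS)


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message; returns a verdict and the reasons for it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if not claims_platform(msg):
        return {"verdict": "not-platform-themed", "reasons": reasons}

    # 1. A platform-branded message should come from the platform's own domain.
    from_domain = domain_of(msg.get("From", ""))
    if from_domain not in LEGIT_DOMAINS:
        reasons.append(f"sender domain {from_domain!r} is not the platform's")

    # 2. The receiving MTA's DMARC verdict must be an explicit pass.
    auth = parse_auth_results(msg)
    if auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'missing')}")

    # 3. A Reply-To pointing elsewhere is a common credential-harvesting tell.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to domain {reply_domain!r} differs from sender")

    # 4. Links in a genuine notification should resolve to the platform itself.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    foreign_links = sorted({d.lower() for d in URL_RE.findall(body_text)
                            if d.lower() not in LEGIT_DOMAINS})
    if foreign_links:
        reasons.append("links point outside the platform: " + ", ".join(foreign_links))

    return {"verdict": "suspicious" if reasons else "consistent", "reasons": reasons}


# Constructed sample: branded display name, lookalike domain, failing DMARC,
# mismatched Reply-To and an off-platform link.
SUSPICIOUS_SAMPLE = """\
From: "Prometheus" <noreply@prometheus-login.example>
Reply-To: support@mail-collect.example
To: analyst@gov.example
Subject: Prometheus: your course certificate is ready
Authentication-Results: mx.gov.example; spf=pass smtp.mailfrom=prometheus-login.example; dkim=none; dmarc=fail header.from=prometheus-login.example
Content-Type: text/plain; charset="utf-8"

Download your certificate: https://prometheus-login.example/cert/download
"""

# Constructed sample of what a consistent notification looks like.
LEGIT_SAMPLE = """\
From: "Prometheus" <noreply@prometheus.example>
To: analyst@gov.example
Subject: New course available
Authentication-Results: mx.gov.example; spf=pass; dkim=pass header.d=prometheus.example; dmarc=pass header.from=prometheus.example
Content-Type: text/plain; charset="utf-8"

Enroll at https://prometheus.example/courses
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

The check deliberately refuses to treat a passing SPF result as sufficient: in the suspicious sample SPF passes because the lookalike domain publishes its own record, and only the DMARC alignment check against the From domain exposes the mismatch. The four reasons are kept separate so an analyst can see which signal fired; in production the keyword list and the legitimate-domain set would be maintained alongside the IoCs CERT-UA publishes.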
The campaign underscores the persistent threat posed by state-aligned actors who continuously adapt their lures to exploit trust in familiar, legitimate services.
Attribution Context
Ghostwriter's continued targeting of Ukrainian government entities reflects the broader pattern of Belarus-Russia coordinated cyber operations against Ukraine. The group frequently coordinates activity around real-world geopolitical events and escalations, making timing-based threat intelligence particularly valuable for Ukrainian defenders.
CERT-UA has published indicators of compromise related to this campaign through official channels.