Ghostwriter, a Belarus-aligned threat actor also tracked as UAC-0057 and UNC1151, is actively targeting Ukrainian government entities with phishing campaigns that abuse the name of Prometheus, a domestic online learning platform. CERT-UA identified the operation, which uses Prometheus-themed lures in phishing emails directed at government organizations.

The group leverages social engineering tied to legitimate Ukrainian infrastructure to increase credibility and bypass security awareness. By impersonating communications related to Prometheus, attackers trick recipients into clicking malicious links or downloading weaponized attachments. The phishing emails likely contain credential-stealing payloads or remote access trojans designed to establish footholds within government networks.

Ghostwriter maintains close operational ties to Belarus and has conducted sustained campaigns against Ukrainian targets since at least 2020, with activity escalating during geopolitical tensions. The group's targeting of government entities reflects a broader pattern of state-sponsored cyberespionage against Ukrainian critical infrastructure and administrative systems. Previous Ghostwriter operations have deployed info-stealers, backdoors, and wipers designed to extract sensitive data or disrupt operations.

Ukrainian government employees represent high-value targets for foreign intelligence services. Compromise of these accounts grants attackers access to classified communications, policy documents, diplomatic correspondence, and operational plans. The use of platform-specific lures demonstrates operational sophistication and suggests the group conducts reconnaissance on target organizations before launching attacks.

Organizations in Ukraine and allied nations should treat this activity as a persistent threat. Security teams should implement email filtering rules to detect Prometheus-themed phishing attempts, enforce multi-factor authentication across government systems, and conduct security awareness training focused on social engineering tactics. CERT-UA's advisory provides indicators of compromise and technical details to support defensive operations.
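One way to express the email filtering rule recommended above, as an added example that is not taken from CERT-UA's advisory or from this article. It flags mail that uses the platform's name but comes from, or links to, a domain outside an allowlist. The domain `prometheus.example` is a placeholder for the platform's real domains, and the function names and sample message are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: placeholder; replace with the platform's real mail and link domains.
TRUSTED_DOMAINS = {"prometheus.example"}
BRAND = re.compile(r"prometheus", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_trusted(host):
    # Exact or subdomain match only, so "prometheus.example.evil.test" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw):
    """Return the reasons a brand-themed message looks like impersonation."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    body = body_text(msg)
    if not BRAND.search(" ".join((display, str(msg.get("Subject", "")), body))):
        return []  # does not mention the platform, out of scope for this rule
    reasons = []
    domain = addr.rpartition("@")[2]
    if not is_trusted(domain):
        reasons.append(f"untrusted sender domain: {domain}")
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if not is_trusted(host):
            reasons.append(f"untrusted link host: {host}")
    # Assumption: the receiving gateway stamps Authentication-Results itself.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        reasons.append("no DMARC pass recorded")
    return reasons

# Constructed sample message, not taken from the CERT-UA advisory.
SAMPLE = (
    'From: "Prometheus Courses" <noreply@prometheus.example.evil.test>\n'
    "Subject: Your course certificate is ready\n"
    "\n"
    "Sign in at http://login.evil.test/prometheus to download it.\n"
)
```

An empty list means the rule found nothing to flag; any returned reason is a candidate for quarantine or analyst review rather than proof of compromise.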

The campaign underscores how threat actors exploit trusted local services to establish credibility with targets. Even platforms designed for education become attack vectors when