Ghostwriter APT Resurfaces, Phishing Ukrainian Government via Prometheus Learning Platform
What Happened — The Belarus‑linked APT group Ghostwriter (UNC1151/UAC‑0057) launched a new phishing campaign against Ukrainian government entities, using the legitimate “Prometheus” online learning platform as lure. Compromised email accounts sent PDFs that linked to a ZIP containing a malicious JavaScript (OYSTERFRESH) which installs a registry‑based loader (OYSTERBLUES) and ultimately delivers a Cobalt Strike post‑exploitation framework.
Why It Matters for TPRM —
- State‑run agencies and their supply‑chain partners are exposed to credential theft and lateral movement.
- The use of a trusted, sector‑specific platform demonstrates how attackers can weaponize third‑party services to bypass traditional email defenses.
- Persistent Cobalt Strike footholds increase the risk of data exfiltration and further compromise of downstream vendors.
Who Is Affected — Government ministries, public‑sector IT service providers, and any third‑party vendors supporting Ukrainian state IT infrastructure.
Recommended Actions —
- Verify that all third‑party email gateways enforce DMARC, DKIM, and SPF for internal and external communications.
- Conduct phishing‑simulation training focused on sector‑specific platforms (e.g., learning portals).
- Deploy endpoint detection that can flag registry‑based JavaScript loaders and Cobalt Strike beacon traffic.
Technical Notes — Attack vector: spear‑phishing PDFs → ZIP → JavaScript (OYSTERFRESH) → registry payload (OYSTERBLUES) → decoder (OYSTERSHUCK) → Cobalt Strike. No CVE cited; the payload uses standard obfuscation (string reversal, ROT13, URL‑decode). Data collected includes system identifiers, OS version, process list, and is exfiltrated via HTTP POST to a C2 server. Source: Security Affairs