HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Ghostwriter APT Resurfaces, Phishing Ukrainian Government via Prometheus Learning Platform

Ghostwriter (UNC1151) revived its campaign against Ukrainian state agencies, leveraging the Prometheus e‑learning portal to deliver malicious PDFs that install a JavaScript loader and Cobalt Strike. The operation underscores the risk of third‑party platforms being weaponized for credential theft and persistent access.

LiveThreat™ Intelligence · 📅 May 23, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Ghostwriter APT Resurfaces, Phishing Ukrainian Government via Prometheus Learning Platform

What Happened — The Belarus‑linked APT group Ghostwriter (UNC1151/UAC‑0057) launched a new phishing campaign against Ukrainian government entities, using the legitimate “Prometheus” online learning platform as lure. Compromised email accounts sent PDFs that linked to a ZIP containing a malicious JavaScript (OYSTERFRESH) which installs a registry‑based loader (OYSTERBLUES) and ultimately delivers a Cobalt Strike post‑exploitation framework.

Why It Matters for TPRM

  • State‑run agencies and their supply‑chain partners are exposed to credential theft and lateral movement.
  • The use of a trusted, sector‑specific platform demonstrates how attackers can weaponize third‑party services to bypass traditional email defenses.
  • Persistent Cobalt Strike footholds increase the risk of data exfiltration and further compromise of downstream vendors.

Who Is Affected — Government ministries, public‑sector IT service providers, and any third‑party vendors supporting Ukrainian state IT infrastructure.

Recommended Actions

  • Verify that all third‑party email gateways enforce DMARC, DKIM, and SPF for internal and external communications.
  • Conduct phishing‑simulation training focused on sector‑specific platforms (e.g., learning portals).
  • Deploy endpoint detection that can flag registry‑based JavaScript loaders and Cobalt Strike beacon traffic.

Technical Notes — Attack vector: spear‑phishing PDFs → ZIP → JavaScript (OYSTERFRESH) → registry payload (OYSTERBLUES) → decoder (OYSTERSHUCK) → Cobalt Strike. No CVE cited; the payload uses standard obfuscation (string reversal, ROT13, URL‑decode). Data collected includes system identifiers, OS version, process list, and is exfiltrated via HTTP POST to a C2 server. Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192538/apt/ghostwriter-is-back-using-a-ukrainian-learning-platform-as-bait-to-hit-government-targets.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →