HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Ghostwriter Phishing Campaign Uses Prometheus Lures to Target Ukrainian Government Entities

Ghostwriter, a Belarus‑aligned threat actor, is delivering spear‑phishing emails that impersonate the Prometheus e‑learning platform to compromise credentials of Ukrainian government officials. The campaign raises third‑party risk for public‑sector entities that share data with external services.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Ghostwriter Phishing Campaign Uses Prometheus Lures to Target Ukrainian Government Entities

What Happened — The Belarus‑aligned threat actor Ghostwriter (also known as UNC1151) has been distributing phishing emails that masquerade as communications from Prometheus, a popular Ukrainian e‑learning platform. The messages are aimed at ministries, agencies, and other government bodies in Ukraine.

Why It Matters for TPRM

  • Phishing attacks can lead to credential theft, enabling deeper compromise of third‑party services used by government agencies.
  • Successful credential compromise may expose sensitive data shared with external vendors or cloud providers.
  • Early awareness allows organizations to tighten email security controls and educate staff, reducing supply‑chain risk.

Who Is Affected — Government ministries, regulatory bodies, and any public‑sector entities that rely on email communications with Ukrainian officials.

Recommended Actions

  • Review and harden email filtering rules for all government‑related domains.
  • Conduct phishing awareness training focused on lures tied to local services (e.g., Prometheus).
  • Verify that privileged accounts use multi‑factor authentication and have limited access to third‑party systems.

Technical Notes — Attack vector: spear‑phishing emails with malicious links or attachments. No specific CVEs disclosed. Potential data types at risk include login credentials, internal communications, and any downstream data accessed with compromised accounts. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →