Ghostwriter Uses Prometheus Malware Against Ukraine

The Belarus-aligned threat group Ghostwriter, also known as UAC-0057 and UNC1151, has launched targeted attacks on Ukrainian government organizations. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers are using phishing emails that reference the Ukrainian online learning platform Prometheus. This platform is known for its free educational offerings and is utilized by many government employees. The attacks aim to gain access to sensitive information within the Ukrainian government. CERT-UA has noted that the emails are often designed to look deceptively real, enticing recipients to click on malicious links or open attachments.

This tactic is part of a broader strategy to undermine Ukraine's cyber defenses. Ghostwriter has previously employed similar methods to steal information from military and government agencies. The current campaign demonstrates an adaptation of tactics to exploit specific vulnerabilities in Ukraine's cyber infrastructure. The use of Prometheus as bait is particularly concerning, as it is a platform used by many professionals and officials. CERT-UA has warned the affected institutions and recommends exercising caution with emails that contain links or attachments.

Security authorities have also taken measures to enhance cyber defenses to minimize the impact of such attacks. Raising employee awareness about phishing attacks is a central component of this strategy. In addition to phishing attacks, Ghostwriter has also conducted other forms of cyberattacks, including DDoS attacks on critical infrastructures. These attacks aim to disrupt the functionality of government services and undermine public trust in the government. The combination of phishing and DDoS attacks poses a serious threat to national security.

The Ukrainian government has made significant progress in improving its cyber defenses in recent years but continues to face challenges from well-organized and funded threat actors like Ghostwriter. The constant adaptation of these groups' attack strategies requires ongoing monitoring and adjustment of defensive measures. Experts emphasize the need to further strengthen cyber defenses and intensify collaboration with international partners. CERT-UA has urged the public to report suspicious activities and stay informed about the latest threats. Awareness of cyber risks is crucial to minimizing the impact of such attacks.

The Ukrainian cyber defense has recorded several successful defensive measures against similar attacks in recent months. The threat posed by Ghostwriter is part of a larger pattern of cyberattacks targeting Ukraine, especially since the onset of the conflict with Russia. The attacks have increased in intensity and complexity, underscoring the need for a robust cyber strategy. The Ukrainian government plans to further expand its cyber defense capabilities and implement new technologies. CERT-UA has classified the security situation as critical and warns of potential further attacks in the coming weeks.

The use of Prometheus as a target shows that the attackers are willing to employ innovative methods to achieve their goals. Security authorities are working to identify the threats and develop appropriate countermeasures. The cyberattacks by Ghostwriter exemplify the ever-evolving threat landscape affecting governments worldwide. Ukraine remains a focal point for such activities, highlighting the need for a proactive and responsive cyber defense strategy. According to CERT-UA, several government agencies have already been affected by the attacks. CERT-UA issued a warning on May 20, 2026, detailing the current threats and recommended protective measures.