Source: The Hacker News — 22 May 2026
What we are tracking
The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government
RingSafe analysis
While Ghostwriter (UAC-0057 / UNC1151) is targeting Ukrainian government bodies in this campaign, the playbook — themed-lure phishing against government, malware staged through legitimate learning and document platforms, follow-on credential theft — is structurally identical to what India observes from APT36 (SideCopy) and Transparent Tribe against Indian defence and government targets. CERT-In and NIC-CERT teams should ingest CERT-UA’s IoCs and YARA rules from this campaign as proactive defence; the TTP overlap with India-focused activity is high. Map to MITRE ATT&CK T1566.001 (Spearphishing Attachment), T1204.002 (Malicious File), and T1059 (Command and Scripting Interpreter). Under DPDP, any government data fiduciary touched should already be applying Section 8 detection-and-response standards — this is a reasonable trigger for an India-specific tabletop exercise using the CERT-UA artefacts as the injection set.
Read the original report
Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware → at The Hacker News