Back to Intelligence

Ghostwriter UAC-0057 Campaign: Detecting Prometheus-Themed Phishing and Malware

SA
Security Arsenal Team
May 22, 2026
6 min read

The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has resumed active operations against Ukrainian government entities. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the actor is leveraging a highly specific social engineering campaign centered on "Prometheus," a legitimate Ukrainian online learning platform.

Defenders in the government and education sectors, as well as those managing critical infrastructure supporting Ukraine, need to act immediately. This campaign is not opportunistic spam; it is a targeted, nation-state initiative designed to bypass standard email filters through trusted themes. The objective of these intrusions typically ranges from credential harvesting to the deployment of persistent remote access trojans (RATs) for espionage. Given the actor's history and the geopolitical context, the severity of this alert is critical.

Technical Analysis

Threat Actor: Ghostwriter (UAC-0057 / UNC1151) Affected Sector: Ukrainian Government and associated entities. Attack Vector: Spear-phishing (Social Engineering).

The Attack Chain

  1. Initial Access: The attack begins with a phishing email distributed to government organizations. The emails utilize lures related to the "Prometheus" online learning platform. The context suggests the actor is impersonating platform administrators or curriculum updates to establish legitimacy.

  2. Execution: While the specific payload delivery mechanism in this specific advisory wasn't fully detailed in the source text, Ghostwriter historically relies on malicious HTML attachments, ISO files (to bypass Mark of the Web controls), or rigged Office documents. Once the user interacts with the lure (e.g., opening an attachment or clicking a link), a malicious payload is executed.

  3. Payload & Objective: Based on historical TTPs for UAC-0057, the payload likely involves: n * Credential Harvesting: Phishing forms mimicking the Prometheus login portal.

    • Malware Delivery: Execution of PowerShell scripts or downloaders designed to establish C2 channels, potentially using Cobalt Strike or custom tools.

Exploitation Status

  • Status: Confirmed Active Exploitation. The activity has been explicitly observed and reported by CERT-UA.
  • CISA KEV: Not explicitly listed in the provided text, but treated as an active incident response scenario.

Detection & Response

Detecting this campaign requires a focus on the behavioral anomalies associated with the lures (Prometheus) and the actor's preferred execution methods. Below are detection rules and hunt queries tailored to identify the initial compromise stages associated with this threat.

SIGMA Rules

YAML
---
title: Potential Ghostwriter Prometheus Spearphishing Attachment
id: a4b2c8d1-7e3f-4a9b-9c6d-1e2f3a4b5c6d
status: experimental
description: Detects execution of processes from ISO or IMG mounted volumes, a common TTP for Ghostwriter to bypass MOTW, often themed with educational lures.
references:
  - https://cert.gov.ua/article/37611
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\\C$\\'
      - ':\\'
    CommandLine|contains:
      - '.iso\\'
      - '.img\\'
  condition: selection
falsepositives:
  - Legitimate administrative software installation from mounted media
level: high
---
title: Office Application Spawning Shell related to Educational Lures
id: b5c3d9e2-8f4a-5b0a-0d7e-2f3a4b5c6d7e
status: experimental
description: Detects Microsoft Office applications spawning PowerShell or CMD, indicative of macro execution or exploitation. High relevance given the Prometheus document lures.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\\WINWORD.EXE'
      - '\\EXCEL.EXE'
      - '\\POWERPNT.EXE'
  selection_child:
    Image|endswith:
      - '\\powershell.exe'
      - '\\cmd.exe'
      - '\\wscript.exe'
      - '\\cscript.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate macro usage for document automation
level: high

KQL (Microsoft Sentinel)

The following KQL query hunts for emails containing keywords related to the "Prometheus" lure, as well as the behavioral pattern of Office applications launching command-line interpreters.

KQL — Microsoft Sentinel / Defender
// Hunt for Prometheus themed phishing emails
let EmailKeywords = dynamic(["Prometheus", "online learning", "course material", "verification"]);
EmailEvents
| where Subject has_any (EmailKeywords) 
       or Body has_any (EmailKeywords)
| where NetworkMessageId !has "internal" // Filter to reduce internal noise
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| union (DeviceProcessEvents
| where InitiatingProcessFileName in (~"winword.exe", ~"excel.exe", ~"powerpnt.exe")
| where FileName in (~"powershell.exe", ~"cmd.exe", ~"wscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine, AccountName
)

Velociraptor VQL

This VQL artifact hunts for processes spawned by Office applications and checks for specific file artifacts associated with the Prometheus lure on the endpoint.

VQL — Velociraptor
-- Hunt for suspicious process chains and filenames related to Prometheus
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Pid IN (
    SELECT Pid
    FROM pslist()
    WHERE Name =~ "winword.exe" OR Name =~ "excel.exe"
)
   OR Name =~ "powershell.exe"
   OR CommandLine =~ "(?i)prometheus"
   OR Exe =~ "(?i)prometheus"

Remediation Script (PowerShell)

This script assists in hardening the environment against document-based initial access vectors commonly used by Ghostwriter. It audits macro settings and checks for the presence of suspicious files in user download directories.

PowerShell
# Remediation and Hardening Script for Ghostwriter Campaigns

# Function to check Office Macro Security Settings
function Test-MacroSecurity {
    Write-Host "[+] Checking Word Macro Security Settings..."
    $wordPath = "HKCU:\Software\Microsoft\Office\16.0\Word\Security"
    if (Test-Path $wordPath) {
        $vbawarnings = (Get-ItemProperty -Path $wordPath -ErrorAction SilentlyContinue).VBAWarnings
        if ($vbawarnings -ne 4) {
            Write-Host "[!] WARNING: Word Macros are not disabled. Current Level: $vbawarnings (Level 4 is disabled with notification)." -ForegroundColor Yellow
        } else {
            Write-Host "[+] Word Macros are set to secure level (4)." -ForegroundColor Green
        }
    }
}

# Function to scan for suspicious files in Downloads
function Search-PrometheusLures {
    Write-Host "[+] Scanning User Downloads for 'Prometheus' related files..."
    $users = Get-ChildItem -Path "C:\Users" -Directory
    foreach ($user in $users) {
        $downloadPath = Join-Path -Path $user.FullName -ChildPath "Downloads"
        if (Test-Path $downloadPath) {
            $suspiciousFiles = Get-ChildItem -Path $downloadPath -Recurse -File -ErrorAction SilentlyContinue | 
                Where-Object { $_.Name -match "Prometheus|Prometheus" -and $_.Extension -match "\.(doc|docx|xls|xlsx|iso|zip)$" }
            
            if ($suspiciousFiles) {
                Write-Host "[!] Suspicious file found: $($suspiciousFiles.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Execute Checks
Test-MacroSecurity
Search-PrometheusLures
Write-Host "[+] Hardening scan complete. Review findings and investigate suspicious files."

Remediation

Immediate defensive actions are required to mitigate the risk posed by the Ghostwriter campaign:

  1. Block IOCs: If specific sender domains, IP addresses, or file hashes associated with this campaign are released by CERT-UA, immediately block them at the email gateway and perimeter firewall.

  2. User Awareness: Issue a specific security advisory to all users, particularly those in government roles, warning of emails purporting to be from the "Prometheus" platform. instruct users to verify the sender's actual email address rather than relying on the display name.

  3. Disable Macros: Ensure that Microsoft Office macro security settings are configured to disable macros from the internet, or enforce the use of "Mark of the Web" (MotW) flags to prevent untrusted documents from executing code.

  4. Isolate Suspected Hosts: If a user reports interacting with a suspicious Prometheus email, isolate their workstation immediately from the network to prevent potential C2 beaconing or lateral movement.

  5. Audit Email Rules: Check for suspicious inbox rules created by threat actors to hide or delete responses related to the phishing emails.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionghostwriteruac-0057phishing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action