Ghostwriter (UAC-0057) Reloaded: Prometheus Lures Targeting Ukraine Gov
Just saw the latest alert from CERT-UA regarding the Ghostwriter group (aka UAC-0057). They are actively targeting Ukrainian government entities, specifically the National Security and Defense Council. The attack vector relies on spear-phishing emails using lures related to 'Prometheus,' a legitimate Ukrainian online learning platform.
This is a classic trust-exploitation tactic. By impersonating a platform likely used by government employees for training, the actor significantly increases the likelihood of a successful click. Given Ghostwriter's history, we are likely looking at credential harvesting or an initial access dropper.
If you are securing mail gateways or monitoring SIEMs for similar IOCs, here is a KQL query to help hunt for suspicious emails referencing these lures within your Microsoft Sentinel or Defender environment:
EmailEvents
| where Timestamp > ago(7d)
| where Subject has "Prometheus" or Subject has "навчання"
| where SenderFromAddress !contains "prometheus.ua"
| project Timestamp, SenderFromAddress, Subject, RecipientEmailAddress, NetworkMessageId
| order by Timestamp desc
It's critical to block the specific domains and attachment hashes listed in the CERT-UA advisory. Has anyone else observed secondary C2 activity or specific malware families associated with these Prometheus lures in their telemetry?
Good catch on the specific lure. We've seen a spike in HTML smuggling attempts tied to this campaign. The actors are embedding malicious scripts within HTML attachments to bypass perimeter filters. If you're analyzing the attachments, look for heavy obfuscation in the JavaScript and calls to mshta.exe or powershell.exe in the process tree.
We implemented the block on the sender domains immediately. It's worth noting that these emails often bypass SPF/DKIM checks if they are using compromised legitimate accounts rather than spoofing. I'd recommend adding an alert for any successful authentication from unusual geo-locations immediately after a user interacts with a 'Prometheus' related subject line.
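Added example (not part of any post in this thread): the correlation rule described above, expressed as a small Python routine that joins lure-email events to later successful sign-ins from a country outside the user's baseline. All events, users and the baseline are constructed sample data; the field names are assumptions, not a real SIEM schema.

```python
"""Correlate 'Prometheus'-lure email events with later sign-ins from an
unusual country. Added example with constructed sample data; the event
fields (user, time, subject, country, success) are assumed, not a real schema."""
from datetime import datetime, timedelta

# Constructed sample email events (what the mail gateway logged) - not real telemetry
EMAIL_EVENTS = [
    {"user": "alice@example.org", "time": "2024-05-01T09:02:00",
     "subject": "Prometheus: оновлення навчання"},
    {"user": "bob@example.org", "time": "2024-05-01T09:10:00",
     "subject": "Weekly report"},
]

# Constructed sample sign-in events (identity provider log) - not real telemetry
SIGNIN_EVENTS = [
    {"user": "alice@example.org", "time": "2024-05-01T09:40:00", "country": "UA", "success": True},
    {"user": "alice@example.org", "time": "2024-05-01T10:15:00", "country": "XX", "success": True},
    {"user": "bob@example.org", "time": "2024-05-01T12:00:00", "country": "XX", "success": True},
    {"user": "alice@example.org", "time": "2024-05-03T10:15:00", "country": "XX", "success": True},
]

# Per-user baseline of countries they normally sign in from (constructed)
BASELINE = {"alice@example.org": {"UA"}, "bob@example.org": {"UA", "PL"}}

# Subject terms from the thread's hunt query (matched case-insensitively)
LURE_TERMS = ("prometheus", "навчання")
# How long after the lure email a sign-in is still considered "immediately after"
WINDOW = timedelta(hours=24)


def parse(ts):
    return datetime.fromisoformat(ts)


def is_lure_subject(subject):
    s = subject.lower()
    return any(term in s for term in LURE_TERMS)


def correlate(email_events, signin_events, baseline, window=WINDOW):
    """Return one alert per successful sign-in from a non-baseline country
    that happens within `window` after the same user received a lure email.
    Sign-ins with no preceding lure, or outside the window, are ignored."""
    lure_times = {}
    for e in email_events:
        if is_lure_subject(e["subject"]):
            lure_times.setdefault(e["user"], []).append(parse(e["time"]))

    alerts = []
    for s in signin_events:
        if not s["success"]:
            continue
        if s["country"] in baseline.get(s["user"], set()):
            continue  # normal location for this user
        t = parse(s["time"])
        for lt in lure_times.get(s["user"], []):
            if lt <= t <= lt + window:
                alerts.append({"user": s["user"], "signin_time": s["time"],
                               "country": s["country"], "lure_time": lt.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(EMAIL_EVENTS, SIGNIN_EVENTS, BASELINE):
        print("ALERT", a)
```

On the sample data only Alice's 10:15 sign-in from "XX" fires: her 09:40 sign-in is from a baseline country, Bob never received a lure, and Alice's sign-in two days later falls outside the window. In production the email event would be the user's click or reply rather than mere receipt, and the baseline would come from the identity provider's own location history.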
Interesting they are focusing on the education platform angle. We usually see Ghostwriter stick to military-themed lures. This shift suggests they are trying to broaden their net within the gov sector. I've updated our phishing simulation templates to include similar 'platform update' hooks to test user awareness against this specific vector.
Given that Nate mentioned compromised accounts, this campaign is almost certainly credential harvesting. If you haven't already, enforcing FIDO2/WebAuthn is the strongest move here; it renders stolen passwords useless. For a quick audit on impacted users, you can run:
Get-MgRiskyUser -Filter "RiskLevel eq 'high'"
This helps identify if any users have already interacted with these lures.
Validating the lure content is crucial given the heavy JavaScript obfuscation in these Prometheus HTML files. If you need to quickly triage an attachment, checking for specific character patterns helps. Here is a quick Python snippet to strip common encoding layers for analysis:
import base64
# Constructed placeholder for a base64 layer pulled from a lure file (not a real sample)
obfuscated_string = "aGVsbG8="
# Decodes common layer used in these lures
decoded = base64.b64decode(obfuscated_string)
print(decoded)
Has anyone else observed the follow-up payload shifting away from Cobalt Strike in this specific wave?
Building on the obfuscation discussion, a quick PowerShell scan of user directories can help locate these dormant payloads. I often look for common encoding functions used in HTML smuggling scripts:
Get-ChildItem -Path C:\Users -Recurse -Include *.html, *.htm -ErrorAction SilentlyContinue | Select-String -Pattern "atob\(|unescape\(|charCodeAt" | Select-Object Path, LineNumber
This specific regex targets common de-obfuscation techniques used by Ghostwriter to unpack the final payload. It’s a fast way to triage endpoints if you suspect an email made it through.
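Added example (not part of any post in this thread) that ties together the three triage ideas above: the decoder-function markers from the PowerShell scan, the base64 layer stripping from the earlier Python snippet, and the mshta.exe/powershell.exe names from the HTML smuggling post. It scores a single HTML attachment offline. The sample HTML is constructed and decodes only to a harmless marker string; the marker lists, regex and scoring weights are my assumptions, not a published rule set.

```python
"""Triage an HTML attachment for the HTML-smuggling indicators discussed in
this thread. Added example; SAMPLE_HTML is constructed and contains no real payload."""
import base64
import re

# Decoder functions the thread's PowerShell scan looks for (plus fromCharCode)
DECODER_MARKERS = ("atob(", "unescape(", "charCodeAt", "fromCharCode")
# LOLBin names the thread says to look for in the process tree / decoded script
LOLBINS = ("mshta.exe", "powershell.exe")
# Runs of base64 alphabet long enough to be worth decoding (assumed threshold)
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(blob, max_depth=5):
    """Strip nested base64 layers and return each decoded layer as text.
    Stops when the current text is no longer valid base64 (binascii.Error is
    a ValueError subclass, so one except clause covers both failure modes)."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            raw = base64.b64decode(current, validate=True)
        except ValueError:
            break
        text = raw.decode("utf-8", errors="replace")
        layers.append(text)
        current = text.strip()
    return layers


def triage_html(html):
    """Return a report with decoder markers, base64 literal count, decoded
    layers, LOLBin names seen in raw or decoded content, and a simple score."""
    markers = [m for m in DECODER_MARKERS if m in html]
    literals = B64_LITERAL.findall(html)
    decoded = []
    for lit in literals:
        decoded.extend(decode_layers(lit))
    searchable = (html + "\n" + "\n".join(decoded)).lower()
    lolbins = [b for b in LOLBINS if b in searchable]
    # Assumed weighting: each decoder marker 1, any decodable layer 1, any LOLBin name 2
    score = len(markers) + (1 if decoded else 0) + (2 if lolbins else 0)
    return {"markers": markers, "literal_count": len(literals),
            "decoded_layers": decoded, "lolbins": lolbins, "score": score}


# Constructed sample: two base64 layers around a harmless marker string
_INNER = 'var cmd = "powershell.exe"; // constructed marker text'
_LAYER1 = base64.b64encode(_INNER.encode()).decode()
_LAYER2 = base64.b64encode(_LAYER1.encode()).decode()
SAMPLE_HTML = f"""<html><body>
<script>
var blob = "{_LAYER2}";
var s = atob(atob(blob));
</script></body></html>"""

# Constructed benign control document
BENIGN_HTML = "<html><body><p>Course schedule update</p></body></html>"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, triage_html(doc))
```

Run it on a directory of quarantined .html/.htm files and sort by score; the decoded layers are what you paste into a sandbox report, and a benign file like the control here scores zero. The regex will also pick up long legitimate base64 such as inline images, so treat the literal count as context and the LOLBin hits as the signal.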