Ghostwriter's Pivot: Prometheus Lures & Gov Targeting

Just saw the latest CERT-UA alert regarding Ghostwriter (aka UAC-0057) pivoting back to Ukrainian government entities. They are now using lures impersonating the 'Prometheus' online learning platform. This threat actor has been relentless, and the shift to educational-themed lures suggests they are trying to exploit the current reliance on remote learning platforms in the region.

Typically, these campaigns involve phishing emails that deliver malicious attachments. While there isn't a specific CVE for the lure itself, the payload usually involves credential harvesters or remote access trojans (RATs).

For those defending similar environments, I recommend scanning user download directories for the suspicious file extensions often used in these campaigns, specifically ISO and LNK files which bypass standard Mark of the Web (MOTW) protections.

Here is a quick PowerShell snippet to scan recent downloads for these artifacts on endpoints:

Get-ChildItem -Path "C:\Users\*\Downloads" -Include @('*.iso', '*.lnk', '*.docm') -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } | Select-Object FullName, LastWriteTime, Length

Are any of you seeing these lures localized in Ukrainian, or are they using English templates to seem more 'official'? Curious if the language detection is holding up in your SEGs.