Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets
Ghostwriter targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads.

The Belarus-nexus APT group Ghostwriter (also tracked as UAC-0057 and UNC1151) has resurfaced with a new phishing campaign targeting Ukrainian government organizations. This time the lure is Prometheus, a legitimate Ukrainian online learning platform that many government employees actually use. Using something familiar and trusted as bait is a deliberate choice, and it works better than generic phishing for exactly that reason.
Ukraine’s Computer Emergency Response Team (CERT-UA) flagged the activity this week, noting it has been running since spring 2026. The delivery mechanism is straightforward: phishing emails sent from already-compromised accounts — making the sender look legitimate — carrying PDF attachments. Inside the PDF is a link that, when clicked, downloads a ZIP archive containing a JavaScript file. Nothing groundbreaking technically, but effective when the email appears to come from a known contact.
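A defender-side triage check for the archive stage of the chain described above, as an added example that is not from CERT-UA's report or this article: it lists script entries inside a downloaded ZIP and flags decoy double extensions. The extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions that Windows Script Host or the shell runs on double-click.
# Both lists are assumptions for this example, not taken from the report.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per script entry in a ZIP archive given as bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "reason": "not a valid ZIP"}]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise separators and case; Windows drops trailing dots/spaces.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            base = base.lower().rstrip(". ")
            stem, dot, ext = base.rpartition(".")
            ext = dot + ext
            if ext not in SCRIPT_EXTS:
                continue
            # "invoice.pdf.js" shows as "invoice.pdf" when extensions are hidden.
            inner = "." + stem.rpartition(".")[2] if "." in stem else ""
            findings.append({
                "name": info.filename,
                "ext": ext,
                "double_extension": inner in DECOY_EXTS,
                "encrypted": bool(info.flag_bits & 0x1),  # hides content from scanners
            })
    return findings


def build_sample() -> bytes:
    """Constructed, inert archive shaped like the one the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("course/certificate.pdf.js", "// constructed, inert sample\n")
        z.writestr("course/readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A mail gateway or download proxy can run the same check on archives fetched from links in attachments and quarantine any that return findings.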
