The Belarus-aligned threat actor Ghostwriter (UAC-0057/UNC1151) targeted Ukrainian government entities with phishing emails using lures related to the Prometheus online learning platform. The attack deployed OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK malware to harvest system information and establish Cobalt Strike for post-exploitation activities.
Initial Access
Prometheus Phishing Lure
confirmed
Ghostwriter sent phishing emails to Ukrainian government entities, using compromised accounts and lures related to the Prometheus online learning platform.
Defender cut points
Implement email gateway filtering for known malicious links and attachments
Conduct regular security awareness training on phishing recognition