What Happened
The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. The activity, per the Computer Emergency Response Team of Ukraine (CERT-UA), involves sending phishing emails to government entities using compromised accounts. It's been
Why It Matters
Report facts: Ghostwriter (aka UAC-0057/UNC1151) is using Prometheus-themed phishing lures against Ukrainian government entities, delivering JavaScript-based malware and a final payload assessed as Cobalt Strike.[1][2] The campaign uses compromised accounts, decoy documents, registry-based payload staging, and host profiling to support data theft and follow-on access.[1][2] CyberSE.AI analysis: this is primarily a state-linked phishing and malware operation rather than an AI-specific incident; it maps to broader malicious AI-use monitoring and red-teaming controls only where the organization is assessing AI-enabled phishing defenses or automated detection workflows.
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html