1. Threat Overview
The Ghostwriter APT group is targeting Ukrainian government agencies with phishing emails that deliver malware and Cobalt Strike payloads, using a legitimate Ukrainian online learning platform as bait.
2. Key Intelligence Points
1. The attack uses phishing emails carrying Cobalt Strike payloads to deliver malware to Ukrainian government agencies.
2. The phishing campaign targets Ukrainian government organizations, using the legitimate Ukrainian online learning platform Prometheus as bait.
3. The attackers use spearphishing to deliver malware to the targeted organizations.
4. Detection opportunities include monitoring for suspicious emails with Cobalt Strike payloads and analyzing network traffic for signs of malicious activity.
3. MITRE ATT&CK Techniques
- T1566.001 Spearphishing Attachment
- T1204 User Execution
4. Indicators of Compromise (IOCs) / Affected Systems
- Cobalt Strike
- Prometheus learning platform
- Ukrainian government agencies
5. Mitigation & Detection
Implement email filtering and monitoring to detect and block suspicious emails carrying Cobalt Strike payloads, and ensure that all software and systems are kept up to date with the latest security patches.