Campaign Targets Ukrainian Government Networks
Cybersecurity researchers have identified a new phishing campaign linked to the threat group known as Ghostwriter, which is targeting government entities in Ukraine with a malware strain called Prometheus. The campaign was first detected in early May 2026 and has compromised at least one ministry-level network as of May 22, according to a report published Friday by the Cyber Threat Intelligence team at Mandiant.
The attackers, also tracked as UNC1151, are sending emails that impersonate Ukrainian military officials. The messages contain password-protected archive files that, when opened, deploy Prometheus, a remote access trojan that allows the attackers to steal credentials, map internal networks, and exfiltrate documents. Mandiant analysts state that the campaign appears focused on the Ministry of Defense and several regional administrative offices.
Prometheus Malware Details
Prometheus is a .NET-based backdoor that has been in active development since at least 2024. It communicates over encrypted channels to command-and-control servers and can execute arbitrary commands, log keystrokes, and capture screenshots. In this campaign, the malware is delivered as a DLL file hidden inside a ZIP archive that requires a password disclosed in the email body, a tactic intended to bypass email security scanners.
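A mail gateway can still triage such an attachment without the password, because standard ZIP encryption leaves entry names and the per-entry encryption flag readable in the central directory. The following is an added example, not code from the Mandiant report; the function names, the extension list, and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Extensions treated as executable content (an assumption for this example).
EXECUTABLE_EXTS = (".dll", ".exe", ".scr", ".lnk", ".js")
ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP attachment's central directory; no password required."""
    result = {"is_zip": False, "encrypted": [],
              "encrypted_executables": [], "suspicious": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                result["encrypted"].append(info.filename)
                if info.filename.lower().endswith(EXECUTABLE_EXTS):
                    result["encrypted_executables"].append(info.filename)
    # An encrypted entry that is also executable content is the pattern
    # described above: scanners cannot read the payload, but the name leaks.
    result["suspicious"] = bool(result["encrypted_executables"])
    return result


def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed test archive: a stored entry whose encryption flag is
    optionally set by patching the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed placeholder bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 in the local header, offset 8 in the central header.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(signature) + offset] |= ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    for name, enc in (("order_2026.dll", True), ("order_2026.dll", False),
                      ("notes.txt", True)):
        print(name, enc, triage_archive(build_sample(name, enc)))
```

Archive formats that encrypt their own file listing hide the entry names, so a gateway using this check should treat any encrypted archive it cannot enumerate as a separate policy decision.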
Once inside a network, Prometheus attempts to spread to adjacent systems using stolen credentials. Mandiant researchers observed the malware querying Active Directory servers to identify high-value accounts. The ultimate goal, according to the report, is persistent access to classified communications and operational planning documents.
Ghostwriter's History
Ghostwriter has been active since at least 2016 and has historically targeted military and political organizations in Eastern Europe. The group is widely attributed to Belarusian state interests, though it also operates in support of Russian strategic objectives. Previous campaigns involved defacing news websites, spreading disinformation about NATO exercises, and stealing credentials from Ukrainian energy companies.
This latest campaign aligns with a broader pattern of cyber espionage campaigns that quietly compromise critical infrastructure and government systems to steal sensitive operational data. The Prometheus toolset marks an escalation in technical capability for Ghostwriter, which previously relied heavily on publicly available phishing kits.
Response and Attribution
The Security Service of Ukraine (SBU) confirmed it is investigating the incidents and has advised all government agencies to rotate credentials and enable multi-factor authentication. Mandiant's report includes technical indicators of compromise, including IP addresses and file hashes, which have been shared with Ukrainian CERT-UA.
No official attribution has been issued by the Ukrainian government, but Mandiant assesses with moderate confidence that Ghostwriter operates under the direction of the Belarusian Main Intelligence Directorate (GRU). The assessment is based on infrastructure overlaps and TTPs observed in previous operations. Researchers noted that the phishing emails used Ukrainian-language templates sourced from leaked government documents, suggesting detailed preparation.
Implications for Regional Security
This campaign comes amid heightened tensions in the region and follows a series of cyber attacks linked to the ongoing conflict. The targeting of government networks for espionage rather than disruption suggests the attackers are seeking intelligence advantage rather than simply causing chaos. Mandiant warned that the Prometheus backdoor could be retooled for attacks against neighboring countries, including Poland and the Baltic states.
Organizations in the defense and energy sectors across Europe are advised to review their email security policies and monitor for suspicious archive files. The full technical report is available on Mandiant's website, and Ukrainian government agencies are expected to issue updated security directives in the coming weeks.