Ukraine's government Computer Emergency Response Team, CERT-UA, has recorded a new wave of cyberattacks against Ukrainian government institutions. The threat actor tracked as UAC-0057 is using a new lure: malware disguised as notifications of successfully completed courses on the popular online learning platform Prometheus.
This is reported by Finway.
“This time, the malicious actors from the hacker group UAC-0057 are disguising malware as notifications of successful course completions on the popular online platform Prometheus.”
Phishing Attack Mechanism
The attacks, which analysts began recording as early as spring 2026, primarily target employees of government organisations. The attackers send phishing emails, frequently from already compromised accounts of Ukrainian companies and institutions. The victim receives a message that imitates an official letter from the educational platform, sent from a spoofed sender address and announcing that a certificate has been generated. Attached is a PDF document styled as official correspondence; it contains a link to a domain in the .icu zone. Following the link triggers the automatic download of a ZIP archive that contains a hidden malicious JavaScript file. Opening that file runs it through Windows Script Host (wscript.exe), the default handler for .js files on Windows, and that execution starts the infection of the computer.
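The chain above has two cheap triage points for a mail gateway or an analyst: the link's top-level domain and the contents of the archive. The following helpers are an added example written for this page, not code from CERT-UA or from the source article. They assume Windows PowerShell 5.1 or PowerShell 7 with System.IO.Compression available (the ZipArchiveEntry.ExternalAttributes property needs .NET Framework 4.7.2 or later), and the archive and lure text they scan are constructed here for the demonstration; the hostname in the sample text is a placeholder, not an indicator from the advisory.

```powershell
# Added example, not code from CERT-UA or the source article: triage helpers for
# the chain described above (link to a .icu host -> ZIP -> hidden .js file).
# Assumes Windows PowerShell 5.1 or PowerShell 7 with System.IO.Compression; the
# archive and the message text are constructed here for the demonstration.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that Windows Script Host (wscript.exe) or mshta.exe run on a double-click.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta')
$HiddenAttribute  = 0x2   # FILE_ATTRIBUTE_HIDDEN, kept in a ZIP entry's external attributes

function Get-SuspiciousZipEntries {
    # Lists entries that are script files, carry the hidden attribute, or both.
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $ext      = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            $isHidden = ($entry.ExternalAttributes -band $HiddenAttribute) -ne 0
            $isScript = $ScriptExtensions -contains $ext
            if (-not ($isHidden -or $isScript)) { continue }
            $reason = if ($isHidden -and $isScript) { 'hidden script file' } elseif ($isScript) { 'script file' } else { 'hidden file' }
            [pscustomobject]@{ Entry = $entry.FullName; Hidden = $isHidden; Script = $isScript; Reason = $reason }
        }
    } finally {
        $zip.Dispose()
    }
}

function Find-WatchedTldLinks {
    # Pulls http(s) URLs out of already-extracted text (e.g. from the PDF) and keeps
    # those whose host ends in a watched TLD; .icu is the one named in the advisory.
    param([Parameter(Mandatory)][string]$Text, [string[]]$WatchedTlds = @('icu'))
    foreach ($m in [regex]::Matches($Text, 'https?://[^\s"''<>)]+')) {
        $uri = $null
        if (-not [System.Uri]::TryCreate($m.Value, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $tld = ($uri.Host -split '\.')[-1].ToLowerInvariant()
        if ($WatchedTlds -contains $tld) {
            [pscustomobject]@{ Url = $m.Value; Host = $uri.Host; Tld = $tld }
        }
    }
}

function New-ConstructedSampleArchive {
    # Builds a harmless ZIP shaped like the lure: a visible PDF plus a hidden .js entry.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $pdf = $zip.CreateEntry('Certificate.pdf')
        $w = New-Object System.IO.StreamWriter($pdf.Open()); $w.Write('%PDF-1.4 placeholder'); $w.Dispose()

        $js = $zip.CreateEntry('Certificate.js')
        $js.ExternalAttributes = $js.ExternalAttributes -bor $HiddenAttribute
        $w = New-Object System.IO.StreamWriter($js.Open()); $w.Write('// constructed placeholder, not malware'); $w.Dispose()
    } finally {
        $zip.Dispose()
    }
}

# Usage: scan the constructed sample archive and a constructed line of lure text.
$sample = Join-Path $env:TEMP 'constructed-prometheus-lure.zip'
New-ConstructedSampleArchive -Path $sample
Get-SuspiciousZipEntries -Path $sample | Format-Table -AutoSize
Find-WatchedTldLinks -Text 'Your certificate is ready: https://certificate-placeholder.icu/download' | Format-Table -AutoSize
Remove-Item $sample
```

Get-SuspiciousZipEntries reports Certificate.js as a hidden script file, and Find-WatchedTldLinks returns the .icu link. The hidden-attribute check matters because a user who opens the archive in Explorer sees only the decoy PDF; the extension list is deliberately wider than .js because the same Windows Script Host handles .jse, .vbs, .vbe and .wsf droppers.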
Consequences and Protection Recommendations
In the final stage of the attack a Cobalt Strike component may be installed on the victim's device, giving the attackers full remote control of the computer. To hide their command-and-control infrastructure, the actors place it behind Cloudflare services, so that the real addresses of the attacking servers are harder to identify.
CERT-UA advises system administrators and security specialists to apply basic protective measures that reduce the risk of malware infiltration. The key recommendation is to restrict the ability of regular employee accounts to run wscript.exe, the Windows Script Host interpreter that executes the JavaScript file in this chain. The State Special Communications Service also urges vigilance with suspicious emails: check the sender's address carefully and do not follow dubious links, even when they are embedded in attachments of common formats such as PDF.
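One way to implement the wscript.exe restriction is an AppLocker deny rule scoped to standard users. The script below is an added example, not the advisory's own guidance; it assumes a Windows edition with AppLocker (Enterprise/Education or Server), an elevated session, and that the policy is merged into the local computer policy (use -Ldap for a domain GPO). It extends the recommendation to cscript.exe and to the 32-bit SysWOW64 copies, because they are the same Windows Script Host. AppLocker's three default allow rules are included deliberately: a rule collection that contains any rule blocks everything it does not explicitly allow, so a deny-only collection would stop every executable.

```powershell
# Added example, not the advisory's own text: an AppLocker policy that denies the
# Windows Script Host binaries to BUILTIN\Users (S-1-5-32-545) while administrators
# keep them. Starts in AuditOnly; switch to Enabled only after reviewing the log.
$wshHosts = @(
    '%WINDIR%\System32\wscript.exe',  '%WINDIR%\System32\cscript.exe',
    '%WINDIR%\SysWOW64\wscript.exe',  '%WINDIR%\SysWOW64\cscript.exe'
)

# One Deny path rule per binary; rule GUIDs are generated here, not taken from CERT-UA.
$denyRules = foreach ($p in $wshHosts) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $p for standard users"
                  Description="Blocks double-click execution of .js/.vbs droppers (UAC-0057 lure chain)"
                  UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}
$denyBlock = $denyRules -join "`n"

# AppLocker's standard default Allow rules plus the Deny rules; explicit Deny always wins.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$denyBlock
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-wsh-for-users.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would this policy decide for a member of Users launching wscript.exe?
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\wscript.exe" -User 'S-1-5-32-545' |
    Format-Table -AutoSize

# AppLocker only enforces while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Merge into the local policy. Stay in AuditOnly until the
# "Microsoft-Windows-AppLocker/EXE and DLL" log shows only expected 8003 (would-block)
# events, then set EnforcementMode="Enabled" in the XML and re-apply.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two caveats before enforcing: on workstations where administrative accounts are also members of the local Users group the deny rule applies to them as well, so scope the SID to a dedicated group if that is a problem; and any legitimate logon scripts or tooling that rely on wscript.exe will show up in the audit log as 8003 events and need an exception or a rewrite before the switch to Enabled.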
Mass mailings of malicious attachments disguised as official messages from financial institutions, including the National Bank of Ukraine, have been recorded previously.