Ethical Hacking News

The Resurgence of Ghostwriter: Unpacking the Sophisticated Phishing Campaigns Targeting Ukrainian Government




The Belarus-aligned threat group known as Ghostwriter has been linked to a fresh set of attacks targeting governmental organizations in Ukraine. The latest set of activities involves using links in malicious PDFs sent via spear-phishing attachments to target government entities in Ukraine, ultimately resulting in the deployment of a JavaScript version of PicassoLoader to drop Cobalt Strike. This is not the first time Ghostwriter has been involved in such campaigns, with previous attacks leveraging malware families known as PicassoLoader and njRAT. The group's operational maturity and adaptability have made it a persistent threat actor, demonstrating a high level of sophistication in its TTPs.

  • Ghostwriter, a Belarus-aligned threat group, has been linked to sophisticated phishing campaigns targeting Ukrainian government entities since at least 2016.
  • The group's latest attacks involve using links in malicious PDFs sent via spear-phishing attachments to deploy a JavaScript version of PicassoLoader and Cobalt Strike.
  • The PDF decoy documents impersonate Ukrtelecom, with geofencing checks that serve a benign PDF file to victims whose IP address does not correspond to Ukraine.
  • The threat actor profiles and fingerprints the compromised host, sending a system fingerprint to attacker-controlled infrastructure every 10 minutes.
  • The involvement of other threat groups, such as Gamaredon and BO Team, adds complexity to the overall threat landscape.
  • The use of sophisticated phishing campaigns highlights the need for continued vigilance in the face of advanced persistent threats (APTs).



The threat landscape has seen its fair share of sophisticated phishing campaigns over the years, but one group that has consistently demonstrated an impressive level of operational maturity is the Belarus-aligned threat group known as Ghostwriter. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. The most recent set of attacks, observed since March 2026, involves using links in malicious PDFs sent via spear-phishing attachments to target government entities in Ukraine, ultimately resulting in the deployment of a JavaScript version of PicassoLoader to drop Cobalt Strike.

    The PDF decoy documents have been found to impersonate the Ukrainian telecommunications company Ukrtelecom, with geofencing checks that serve a benign PDF file to victims whose IP address does not correspond to Ukraine. The embedded link in the PDF document is used to deliver a RAR archive containing a JavaScript payload that displays a lure document to keep up the ruse, while simultaneously launching PicassoLoader in the background.

    The downloader is also designed to profile and fingerprint the compromised host, based on which the operators may manually decide to send a third-stage JavaScript dropper for Cobalt Strike Beacon. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to assess whether the victim is of interest.
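The fixed 10-minute fingerprint cadence described above is something a defender can look for in egress logs. The following detector is an added example written for this article, not code from the original report or from any vendor: it groups proxy requests by source/destination pair and flags pairs whose inter-request gaps cluster tightly around an expected period. The log format, IP addresses, period and tolerance thresholds are all constructed assumptions.

```python
"""Flag outbound flows that recur at a fixed interval with low jitter,
the pattern a fingerprint beacon sent every 10 minutes would leave."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from any real incident): "timestamp src dst".
# 10.0.0.15 -> 203.0.113.7 recurs roughly every 600 s; the rest is noise.
SAMPLE_LOG = """\
2026-03-10T09:00:05 10.0.0.15 203.0.113.7
2026-03-10T09:01:10 10.0.0.15 198.51.100.20
2026-03-10T09:10:06 10.0.0.15 203.0.113.7
2026-03-10T09:20:04 10.0.0.15 203.0.113.7
2026-03-10T09:30:07 10.0.0.15 203.0.113.7
2026-03-10T09:40:05 10.0.0.15 203.0.113.7
2026-03-10T09:33:00 10.0.0.15 198.51.100.20
2026-03-10T09:05:00 10.0.0.22 198.51.100.20
"""

def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, period_s=600, tolerance_s=30, min_hits=4):
    """Return (src, dst, mean_gap, jitter) for flows whose gaps sit within
    tolerance_s of period_s and vary by no more than tolerance_s.
    period_s defaults to the 10-minute cadence in the article; the
    tolerance and minimum hit count are assumptions to tune per environment."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - period_s) <= tolerance_s and jitter <= tolerance_s:
            hits.append((src, dst, round(avg, 1), round(jitter, 1)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

Real beacons often add random sleep jitter, so widen tolerance_s or compare against several candidate periods before treating a quiet flow as benign.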

    This latest set of activities by Ghostwriter demonstrates its continued commitment to adapt and evolve its tactics, techniques, and procedures (TTPs) in response to changing security measures and detection methods. Diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms are all hallmarks of the group's operational maturity.

    Furthermore, the involvement of other threat groups, such as Gamaredon and BO Team, adds a layer of complexity to the overall threat landscape. Gamaredon has been tied to a spear-phishing campaign targeting Ukrainian state institutions since September 2025, while the BO Team may be working with Head Mare in attacks aimed at Russian organizations.

    The findings also raise questions about the nature of the interaction between these groups and their potential coordination of actions against common targets. While it is unclear whether there is direct collaboration or simply overlapping infrastructure and tools, the impact on the overall threat landscape cannot be overstated.

    The use of sophisticated phishing campaigns like those employed by Ghostwriter serves as a stark reminder of the ever-evolving threat landscape and the importance of staying vigilant in the face of advanced persistent threats (APTs). As organizations continue to navigate this complex landscape, it is essential that they prioritize robust security measures, including regular patching, monitoring, and employee education.

    In conclusion, the resurgence of Ghostwriter and its sophisticated phishing campaigns targeting Ukrainian government entities highlights the need for continued vigilance in the face of evolving threats. By understanding the tactics and techniques employed by these groups, organizations can better position themselves to mitigate the impact of such attacks and protect their sensitive information.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Resurgence-of-Ghostwriter-Unpacking-the-Sophisticated-Phishing-Campaigns-Targeting-Ukrainian-Government-ehn.shtml

  • https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html


  • Published: Thu May 14 11:11:12 2026 by llama3.2 3B Q4_K_M
