Ghostwriter Targets Ukrainian Government with Geofenced PDF Phishing and Cobalt Strike
A new wave of cyberattacks attributed to the Belarus-aligned threat group Ghostwriter has emerged, specifically targeting governmental organizations in Ukraine. This development underscores the ongoing cyber warfare landscape in Eastern Europe, particularly as geopolitical tensions continue to escalate.
Background on Ghostwriter
Active since at least 2016, Ghostwriter has been associated with various cyber espionage and influence operations, primarily aimed at Ukraine and neighboring countries. The group is also known by several aliases, including FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx. Their operations have evolved over time, adapting their tools and techniques to evade detection and maintain their foothold in the region.
ESET, a cybersecurity firm, has reported that “FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe.” This adaptability highlights the group’s operational maturity and persistent threat.
Technical Details of Recent Attacks
Ghostwriter has previously employed a malware family known as PicassoLoader, which serves as a conduit for deploying Cobalt Strike Beacon and njRAT. In late 2023, the group exploited a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to facilitate the deployment of PicassoLoader and Cobalt Strike. Their tactics have also included phishing campaigns that leveraged cross-site scripting (XSS) flaws in platforms like Roundcube (CVE-2024-42009, CVSS score: 9.3) to capture email credentials.
Recent activities, observed since March 2026, involve spear-phishing campaigns that utilize malicious PDFs to target Ukrainian government entities. These PDFs impersonate the Ukrainian telecommunications company Ukrtelecom and contain links that lead to JavaScript payloads designed to drop Cobalt Strike. The infection process includes a geofencing mechanism that serves benign PDF files to users outside Ukraine, ensuring that only targeted victims are exposed to the malicious content.
Evolving Tactics and Techniques
The infection sequence is sophisticated; it employs a geofencing check to identify the victim's location. If the visitor's IP address does not geolocate to Ukraine, a harmless PDF is served. The malicious link within the PDF downloads a RAR archive containing a JavaScript payload that displays a lure document while simultaneously executing PicassoLoader in the background. This downloader is engineered to profile and fingerprint the compromised host, allowing the operators to decide whether to escalate the attack by deploying a third-stage JavaScript dropper for Cobalt Strike Beacon.
ESET researchers have noted that “FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms.” The payload is delivered only after thorough server-side victim validation, combining automated checks of user agents and IP addresses with manual validation by the operators.
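As an added illustration, not code from the article or from ESET, the chain described above (an archive yielding a JavaScript file that opens a lure document while launching a downloader) can be surfaced from endpoint process-creation telemetry. The sample events, process names and paths below are constructed for the example and are not indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed, simplified process-creation events (Sysmon-style fields); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"WinRAR.exe C:\Users\u\Downloads\notice.rar"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa1\notice.js"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\svc.dll,Start"},
    {"pid": 103, "ppid": 101, "image": r"C:\Program Files\Adobe\Acrobat.exe",
     "cmd": r"Acrobat.exe C:\Users\u\AppData\Local\Temp\lure.pdf"},
    # Benign: a logon script run by the script host from an admin-controlled path.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Scripts\logon.js"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "explorer.exe"}   # typical parents of an extracted-file launch
STAGERS = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
JS_FILE = re.compile(r"\.jse?\b")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Flag script-host launches of a .js/.jse file from a user-writable path.

    Score: 1 for the launch itself, +1 if the parent is an archiver/Explorer
    (file run straight out of an extracted archive), +1 if the script then
    spawns a typical second-stage loader (rundll32, powershell, ...).
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = e["cmd"].lower()
        if not JS_FILE.search(cmd) or not any(p in cmd for p in USER_WRITABLE):
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "?"
        stagers = sorted({basename(c["image"]) for c in children[e["pid"]]} & STAGERS)
        score = 1 + (parent_name in ARCHIVERS) + bool(stagers)
        alerts.append({"pid": e["pid"], "parent": parent_name, "stagers": stagers, "score": score})
    return alerts
```

Against these events only pid 101 is flagged (score 3); the logon script in pid 200 is ignored because it runs from a path outside the user-writable set.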
Broader Implications of Ghostwriter’s Activities
The primary focus of Ghostwriter’s recent campaigns appears to be military and governmental organizations in Ukraine. However, their activities have also extended to broader sectors in Poland and Lithuania, including industrial, healthcare, and logistics organizations. This wide-ranging targeting indicates a strategic approach to destabilize not just governmental functions but also critical infrastructure in the region.
As the conflict in Ukraine continues, the implications of such cyberattacks extend beyond immediate data breaches. They pose significant risks to national security, public safety, and economic stability. The ability of threat actors to adapt and evolve their tactics raises concerns about the resilience of targeted organizations and the effectiveness of existing cybersecurity measures.
Concurrent Threats: Gamaredon and Other Actors
In parallel to Ghostwriter’s activities, the Russia-affiliated Gamaredon hacking group has been linked to spear-phishing campaigns aimed at Ukrainian state institutions since September 2025. These attacks aim to deliver GammaDrop and GammaLoad malware via RAR archives exploiting vulnerabilities like CVE-2025-8088. HarfangLab has noted that these emails, often spoofed or sent from compromised accounts, deliver multi-stage VBScript downloaders that profile infected systems.
Additionally, the pro-Ukraine hacktivist group BO Team has been reported to collaborate with Head Mare in attacks against Russian organizations, utilizing overlapping infrastructure and tools. Their operations have included spear-phishing to deploy malware capable of compromising both Windows and Linux systems.
Financially Motivated Threats
Recent months have also seen the emergence of financially motivated groups like Hive0117, which have targeted Russian enterprises to steal significant sums through phishing campaigns disguised as payroll transfers. This highlights the multifaceted nature of cyber threats in the region, where geopolitical tensions intersect with financial motivations.
The evolving landscape of cyber threats necessitates a proactive approach to cybersecurity, particularly for organizations operating in high-risk environments. As threat actors continue to refine their tactics, the importance of robust security measures and awareness cannot be overstated.