Ghostwriter Group Escalates Attacks on Ukrainian Government With Geofenced PDF Phishing and Cobalt Strike
- May 15
- 4 min read
Key Findings
ESET discovered new Ghostwriter (FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026
The threat actor is linked to the government of Belarus and has operated since at least 2016 under multiple aliases including UNC1151, UAC-0057, and Umbral Bison
Attacks begin with spear-phishing emails containing PDFs impersonating Ukrtelecom, Ukraine's main telecommunications provider
A geofencing mechanism delivers harmless decoys to non-Ukrainian IP addresses while serving malicious RAR archives to Ukrainian victims
The infection chain uses a JavaScript version of PicassoLoader that profiles systems and reports every ten minutes, allowing manual operator decisions on payload delivery
High-value targets receive Cobalt Strike beacons disguised as ViberPC.exe with persistence maintained through registry Run keys
Command-and-control infrastructure hides behind Cloudflare using .icu and .buzz domains
In Ukraine, targeting is narrow and focused on military, defense, and governmental entities; in Poland and Lithuania, the victimology is broader including industrial, healthcare, and logistics sectors
Background
Ghostwriter has been conducting cyber operations since at least 2016, operating under numerous aliases that reflect different attribution perspectives. The group has split its activities between two primary functions: cyber espionage campaigns targeting Eastern European governments and disinformation operations. FireEye first documented the group's disinformation efforts in August 2020, uncovering a campaign since March 2017 aimed at discrediting NATO through fake news planted on compromised websites. The Belarus connection and Russia-aligned interests suggest state sponsorship, though the group's current activity reflects broader geopolitical tensions in Eastern Europe following 2022.
Attack Vector and Initial Compromise
The campaign begins with carefully crafted spear-phishing emails containing PDF attachments. The decoy documents impersonate Ukrtelecom with official-looking layouts and a download button. This initial vector is deliberately designed to appear legitimate, complete with messaging about customer data protection. The sophistication lies not in the technical payload but in the social engineering and operational targeting that precedes it.
Geofencing and Server-Side Validation
The delivery infrastructure incorporates an intelligent filtering mechanism that distinguishes between curious researchers and actual targets. When victims click the download link, the server checks their IP geolocation. Non-Ukrainian connections receive a genuine, harmless PDF document about electronic communications regulations sourced from Ukraine's national regulatory body. An analyst investigating from outside Ukraine sees nothing suspicious. Only Ukrainian IP addresses receive the malicious RAR archive, making this attack nearly invisible to external security researchers and creating a significant analysis challenge for the cybersecurity community.
Infection Chain and Payload Delivery
The malicious RAR archive contains a JavaScript file that executes in two concurrent operations. First, it displays the same decoy PDF that the victim expected, maintaining the illusion of legitimacy. Simultaneously, it launches a JavaScript variant of PicassoLoader in the background. This downloader profiles the compromised host, collecting the username, machine name, operating system version, boot time, and running processes. Every ten minutes, this information is transmitted via HTTP POST requests to attacker-controlled servers.
The operators then make manual decisions about victim value. If the system profile indicates a high-value target, the C&C server responds with a third-stage JavaScript dropper that deploys Cobalt Strike Beacon. Low-value systems receive only empty responses, avoiding unnecessary payload deployment and reducing detection risk.
Persistence and Evasion
The Cobalt Strike deployment employs straightforward but effective evasion techniques. The malware masquerades as ViberPC.exe, a legitimate messaging application that would appear unremarkable in a process list. Persistence is established through a registry Run key, ensuring the beacon survives system reboots. The command-and-control infrastructure leverages Cloudflare's legitimate services, hiding behind .icu and .buzz domains while disguising XML configuration data as image files. This combination of legitimate service abuse and simple obfuscation proves difficult to detect without deep packet inspection.
Targeting Strategy
The geographic distribution of Ghostwriter's targets reveals a calculated approach aligned with geopolitical interests. In Ukraine, the focus is narrow and precise: military institutions, defense contractors, and government agencies. This targeting reflects intelligence-gathering priorities in an active conflict zone. The victimology differs significantly in Poland and Lithuania, where the group targets industrial companies, healthcare and pharmaceutical organizations, logistics firms, and government bodies. This broader approach suggests either reconnaissance for future operations or influence campaigns designed to disrupt regional stability.
Operational Evolution
Ghostwriter demonstrates consistent adaptation and refinement. The group has previously deployed PicassoLoader in .NET, PowerShell, and C++ variants, showing comfort with multiple development frameworks. In late 2023, they weaponized CVE-2023-38831 in WinRAR. Throughout 2024 and 2025, the group exploited email client vulnerabilities and incorporated CAPTCHA checks into lure documents to defeat automated analysis. The introduction of geofencing represents the latest evolution, turning the analysis infrastructure itself into a targeting filter and fundamentally complicating threat research.
Broader Context
Ghostwriter's renewed activity reflects a larger regional dynamic. Earlier in 2026, ESET documented Russia-aligned operations expanding westward from Central Asia into Europe. Ghostwriter represents the Belarus-aligned side of the same contested geography, suggesting a fragmented threat landscape where multiple state-sponsored groups operate according to their respective strategic interests. The persistence of these operations indicates that Eastern Europe remains a primary battleground for cyber espionage, influence, and preparation for potential escalation.
Sources
https://securityaffairs.com/192196/apt/ghostwriter-group-resumes-attacks-on-ukrainian-government-targets.html
https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html

Comments