The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine.
Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
"FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe," ESET said in a report shared with The Hacker News.
Previous attacks mounted by the hacking crew have leveraged a malware family known as PicassoLoader, which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also observed weaponizing a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike.
As recently as last year, Polish entities were at the receiving end of a phishing campaign orchestrated by Ghostwriter that exploited a cross-site scripting (XSS) flaw in Roundcube (CVE-2024-42009, CVSS score: 9.3) to run malicious JavaScript responsible for capturing email login credentials.