A new cyber threat, dubbed GhostShell, has been identified as targeting Ukraine’s drone technology and its wider defense supply chain. The sophisticated malware utilizes mutual TLS (mTLS) and Telegram-based dead-drop methods to maintain a stealthy presence within affected networks.
Advanced Techniques in Cyber Attacks
GhostShell employs multiple advanced techniques, including a mutual TLS implant and a Telegram dead-drop resolver, to ensure stealth and persistence. These methods indicate a deliberate strategy by the threat actor, who has been active since at least February 2026, to compromise entities within the Ukrainian UAV sector.
The malware is delivered through an archive named Besomar_documentation.rar, which exploits vulnerabilities CVE-2025-8088 and CVE-2025-6218. Opening this file silently installs a malicious script in the Windows Startup folder, ensuring the malware’s execution with each system boot.
Targeting the Drone Ecosystem
According to Synaptic Security researchers, who detailed their findings in a report shared with Cyber Security News, GhostShell’s decoy documents are crafted to resemble those of Besomar, a Ukrainian drone manufacturer. These documents cover a wide range of targets, from military units to procurement staff, suggesting a broad interest in the entire drone supply chain.
The malware delivers three distinct payloads after execution. One establishes a persistent implant, another utilizes a Telegram channel to acquire the attacker’s server address, and a third tunnels data through an encrypted proxy. This multifaceted approach complicates efforts to completely disrupt the attacker’s access.
Implications for Defense and Security
The GhostShell attack sequence begins with the malicious RAR archive, whose exploitation of the two vulnerabilities plants a startup script. This script then downloads the three payloads from a domain registered in early 2026. The attacker spreads this infrastructure across several registrars and hosting providers, which reduces the risk that a single takedown shuts it down completely.
Organizations connected to Ukraine’s defense industry must exercise caution with unsolicited compressed files, particularly those referencing drone equipment. Blocking newly registered domains and monitoring for specific mTLS client certificates can help mitigate exposure to similar threats.
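To make those two mitigations concrete, the following is an added detection sketch (not code from the Synaptic Security report or the malware) that triages outbound TLS session records for exactly the signals named above: a destination whose registrable domain was registered within the last 90 days, and an endpoint presenting a client certificate, which is the hallmark of an mTLS implant. The log shape, the domain names, the registration dates and the 90-day threshold are all constructed assumptions.

```python
"""Triage outbound TLS sessions for newly registered domains and mTLS client certs."""
from datetime import date

# Constructed sample of outbound TLS session records, as a proxy or NDR sensor might
# export them. Domains and the certificate fingerprint are placeholders, not real IoCs.
SAMPLE_TLS_LOG = [
    {"ts": "2026-03-02T10:01:00Z", "src": "10.20.1.15",
     "sni": "updates.example-vendor.test", "client_cert": None},
    {"ts": "2026-03-02T10:03:12Z", "src": "10.20.1.15",
     "sni": "cdn.placeholder-c2.test", "client_cert": "SHA256:PLACEHOLDER_CLIENT_FP"},
    {"ts": "2026-03-02T10:05:44Z", "src": "10.20.1.22",
     "sni": "mail.example-corp.test", "client_cert": None},
    {"ts": "2026-03-02T10:07:09Z", "src": "10.20.1.22",
     "sni": "api.placeholder-fresh.test", "client_cert": None},
]

# Constructed registration dates (hypothetical); a real hunt would query a
# registration-data feed for the registrable domain instead.
REGISTRATION_DATES = {
    "example-vendor.test": date(2015, 6, 1),
    "placeholder-c2.test": date(2026, 1, 14),
    "example-corp.test": date(2012, 2, 3),
    "placeholder-fresh.test": date(2026, 2, 20),
}
TODAY = date(2026, 3, 2)  # assumed analysis date for the sample


def registrable_domain(sni: str) -> str:
    """Reduce an SNI such as cdn.placeholder-c2.test to placeholder-c2.test."""
    parts = sni.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else sni


def domain_age_days(sni: str, today: date):
    """Days since registration, or None when the domain is not in the lookup table."""
    registered = REGISTRATION_DATES.get(registrable_domain(sni))
    return (today - registered).days if registered else None


def triage(records, today: date, max_age_days: int = 90):
    """Return flagged sessions, highest number of matching signals first."""
    findings = []
    for rec in records:
        reasons = []
        age = domain_age_days(rec["sni"], today)
        if age is not None and age <= max_age_days:
            reasons.append(f"domain registered {age} days ago")
        if rec.get("client_cert"):  # endpoints rarely present client certs outbound
            reasons.append("client certificate presented (mTLS)")
        if reasons:
            findings.append({"src": rec["src"], "sni": rec["sni"],
                             "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: -f["score"])
```

Running `triage(SAMPLE_TLS_LOG, TODAY)` on the constructed sample ranks the host that both presented a client certificate and contacted a 47-day-old domain above the one that only touched a fresh domain.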
The emergence of GhostShell underscores the evolving nature of cyber threats targeting critical defense infrastructure. As attackers employ increasingly sophisticated methods, continuous adaptation in defense strategies is crucial to safeguarding sensitive operational technologies.
