The Belarus-linked cyber threat group, known as Ghostwriter, has launched a new wave of attacks against Ukrainian governmental bodies. Active since 2016, Ghostwriter is recognized for its cyber espionage and influence campaigns in Eastern Europe, particularly against Ukraine. This group is also identified under numerous aliases, including FrostyNeighbor and White Lynx.
Ghostwriter’s Evolving Tactics
Ghostwriter has consistently adapted its tactics, regularly updating its tools and methods to bypass security measures. According to a report by ESET shared with The Hacker News, the group has utilized malware like PicassoLoader, facilitating the deployment of Cobalt Strike Beacon and njRAT. Notably, in late 2023, they exploited a vulnerability in WinRAR (CVE-2023-38831) to introduce these malicious tools.
In their previous campaigns, Polish targets faced phishing attacks exploiting a flaw in Roundcube (CVE-2024-42009) to hijack email credentials. CERT Polska’s June 2025 report detailed how Ghostwriter used these credentials to access and misuse email accounts for further phishing.
Latest Attack Strategies
Since March 2026, Ghostwriter’s recent activities involve phishing emails with malicious PDF attachments aimed at Ukrainian government entities. These PDFs masquerade as documents from Ukrtelecom, a Ukrainian telecom firm, and include links that deliver a RAR archive with a JavaScript payload, culminating in Cobalt Strike deployment.
The attack involves a geofencing mechanism, delivering harmless PDFs to those outside Ukraine while targeting Ukrainians with malicious payloads. The downloader profiles compromised systems and transmits data every 10 minutes, helping attackers decide on further action.
Target Sectors and Global Implications
The primary focus of these attacks is on Ukraine’s military and government sectors, while in Poland and Lithuania, the targets include industries like healthcare and logistics. ESET emphasizes Ghostwriter’s persistence and adaptability, employing diverse tactics to evade detection.
Alongside Ghostwriter, the Russia-affiliated Gamaredon group continues phishing attacks on Ukrainian state institutions, deploying malware like GammaDrop. On another front, the pro-Ukraine hacktivist group BO Team is reportedly targeting Russian organizations, hinting at potential coordination with other groups.
These developments underscore the ongoing complexity and evolution of cyber threats in the region. As threat actors like Ghostwriter and Gamaredon refine their strategies, organizations must remain vigilant and enhance their cybersecurity defenses to mitigate risks.
