Ghostwriter Cyberattacks Surge Against Ukrainian Government with Advanced Phishing Tactics

The Belarus-aligned cyber threat group known as Ghostwriter has launched a new wave of sophisticated attacks targeting Ukrainian governmental organizations. Active since at least 2016, Ghostwriter has been associated with cyber espionage and influence operations, particularly focusing on Eastern European nations like Ukraine. The group is also identified by various aliases, including FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.

According to cybersecurity firm ESET, Ghostwriter has been continuously evolving its cyber operations by regularly updating its toolset and refining its methods to evade detection, specifically targeting victims in Eastern Europe. Previous campaigns by the group have utilized a malware family known as PicassoLoader, which serves as a conduit for deploying Cobalt Strike Beacon and njRAT. In late 2023, Ghostwriter exploited a vulnerability in WinRAR (CVE-2023-38831) to deliver these malicious payloads.

In 2024, the group expanded its operations to Polish entities, running phishing campaigns that exploited a cross-site scripting flaw in Roundcube (CVE-2024-42009) to execute malicious JavaScript that captured email login credentials. CERT Polska reported that the attackers used the harvested credentials to read mailbox contents, download contact lists, and send further phishing messages from the compromised accounts. By the end of 2025, Ghostwriter had added dynamic CAPTCHA checks to its lure documents, requiring the recipient to solve the challenge before the attack chain proceeds, an anti-analysis measure aimed at automated sandboxes.

ESET researcher Damien Schaeffer noted that Ghostwriter remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity through the use of diverse lure documents, evolving downloader variants, and new delivery mechanisms. The latest compromise chain detected is a continuation of the group’s efforts to update and renew its arsenal to evade detection and compromise its targets.

Since March 2026, Ghostwriter has been observed using malicious PDFs sent via spear-phishing emails to target Ukrainian government entities. These PDFs impersonate the Ukrainian telecommunications company Ukrtelecom and contain links that lead to the deployment of a JavaScript version of PicassoLoader, which subsequently drops Cobalt Strike.

The link target is geofenced: requests from IP addresses that do not geolocate to Ukraine receive a benign PDF, while Ukrainian targets receive a RAR archive containing a JavaScript payload. That payload opens a decoy document to maintain the ruse while launching PicassoLoader in the background.
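A first triage step for a lure like this is to pull every link target out of the PDF and flag hosts that do not belong to the brand being impersonated. The following is an added example written for this page, not code from ESET or from the group; the sample PDF bytes and the trusted-host set are constructed assumptions, and only the standard library is used.

```python
import re
from urllib.parse import urlparse

# Constructed sample PDF (not a real lure): two link annotations, one with a
# literal-string URI containing escaped parentheses and one with a hex-string
# URI, since PDF allows both encodings.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://www.example.com/news/outage\\(2026\\)) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6e65742f6c6f67696e> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by either a literal string (...) with backslash escapes or a
# hex string <...>. The /S /URI action type has no string after it, so it is skipped.
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")


def _decode_pdf_string(token: bytes) -> str:
    """Decode a PDF literal string (...) or hex string <...> to text."""
    if token.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", token[1:-1])
        if len(hexdigits) % 2:          # PDF treats a missing final digit as 0
            hexdigits += b"0"
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    inner = token[1:-1]
    # Undo the escapes for parentheses and backslashes; other escapes such as
    # \n or \ddd are rare inside URIs and are left untouched here.
    inner = re.sub(rb"\\([()\\])", rb"\1", inner)
    return inner.decode("latin-1")


def extract_pdf_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the uncompressed objects of a PDF."""
    return [_decode_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]


def triage_pdf_links(pdf: bytes, trusted_hosts: set[str]) -> list[tuple[str, bool]]:
    """Pair each URI with True when its host is outside the analyst's trusted set."""
    results = []
    for uri in extract_pdf_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        results.append((uri, host not in trusted_hosts))
    return results


if __name__ == "__main__":
    # The trusted set is an assumption: the legitimate domain of the impersonated brand.
    for uri, suspicious in triage_pdf_links(SAMPLE_PDF, {"www.example.com"}):
        print(("SUSPICIOUS " if suspicious else "ok         ") + uri)
```

The regex only sees objects stored uncompressed; link annotations inside FlateDecode object streams need a real parser (pypdf or pdf-parser.py) to inflate them first. Also keep the geofencing in mind when following a flagged link: a request from outside Ukraine gets the benign PDF, so a detonation sandbox hosted elsewhere will report a clean sample. Treat that as an unconfirmed negative, not as proof the link is harmless.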

The downloader is designed to profile and fingerprint the compromised host. Based on this information, the operators may manually decide to send a third-stage JavaScript dropper for Cobalt Strike Beacon. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to assess whether the victim is of interest.
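A fixed 10-minute check-in is exactly the kind of traffic that periodicity analysis over proxy or DNS logs catches, regardless of what the beacon carries. Below is an added example written for this page, not ESET's detection logic or the group's code; the log lines are constructed, and the interval, event count and jitter thresholds are assumptions to tune against your own telemetry. It generalises beyond the 10-minute case: any flow whose gaps are near-constant is reported with its median interval.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy log (not real telemetry): "<ISO timestamp> <src> <dst host>".
# 10.0.0.5 contacts c2.example.net every ~10 minutes with a few seconds of jitter;
# 10.0.0.7 browses www.example.com at irregular, human-driven intervals.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z 10.0.0.5 c2.example.net
2026-03-10T09:00:00Z 10.0.0.7 www.example.com
2026-03-10T09:00:12Z 10.0.0.7 www.example.com
2026-03-10T09:03:45Z 10.0.0.7 www.example.com
2026-03-10T09:10:00Z 10.0.0.5 c2.example.net
2026-03-10T09:15:30Z 10.0.0.5 www.example.com
2026-03-10T09:20:05Z 10.0.0.5 c2.example.net
2026-03-10T09:30:02Z 10.0.0.5 c2.example.net
2026-03-10T09:31:02Z 10.0.0.7 www.example.com
2026-03-10T09:32:10Z 10.0.0.7 www.example.com
2026-03-10T09:40:04Z 10.0.0.5 c2.example.net
2026-03-10T09:50:04Z 10.0.0.5 c2.example.net
2026-03-10T09:58:00Z 10.0.0.7 www.example.com
2026-03-10T10:00:08Z 10.0.0.5 c2.example.net
2026-03-10T10:10:07Z 10.0.0.5 c2.example.net
2026-03-10T11:00:00Z 10.0.0.7 www.example.com
"""


def parse_log(text: str) -> dict[tuple[str, str], list[datetime]]:
    """Group request timestamps by (source, destination) pair."""
    flows: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows


def find_beacons(text: str, min_events: int = 6, max_cv: float = 0.1) -> dict:
    """Return {(src, dst): stats} for flows whose inter-request gaps are near-constant.

    cv is the coefficient of variation of the gaps (stdev / mean): 0 means a
    perfectly regular timer, while human browsing typically scores well above 1.
    """
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_events:           # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"count": len(times), "median_gap_s": median(gaps), "cv": round(cv, 4)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['count']} requests, "
              f"median gap {stats['median_gap_s']:.0f}s, cv {stats['cv']}")
```

With a 10-minute timer you only get six events per hour, so the window must cover at least an hour of logs before `min_events` is reached; lengthen it for slower beacons. Implants that sleep with large randomised jitter will push `cv` above the threshold, so run the same scan with a looser `max_cv` as a second, noisier pass rather than relying on one setting.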

Ghostwriter’s activities primarily focus on military, defense sector, and governmental organizations in Ukraine. In Poland and Lithuania, the group’s victimology is broader, targeting industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors.

The payload is delivered only after server-side validation of the victim: automated checks of the requesting User-Agent and IP address, followed by manual vetting by the operators. ESET sees this gating, together with the diverse lure documents, evolving downloader variants, and new delivery mechanisms, as the mark of a persistent and adaptive actor with a high level of operational maturity.

In related developments, the Russia-affiliated Gamaredon hacking group has been linked to a spear-phishing campaign targeting Ukrainian state institutions since September 2025. The campaign aims to deliver GammaDrop and GammaLoad downloader malware through RAR archives that exploit CVE-2025-8088. HarfangLab reported that these emails, spoofed or sent from compromised government accounts, deliver persistent, multi-stage VBScript downloaders that profile the infected system. While there is little technical novelty, Gamaredon’s strength lies in its relentless operational tempo and scale.

Additionally, the pro-Ukraine hacktivist group BO Team (aka Black Owl) may be collaborating with Head Mare (aka PhantomCore) in attacks on Russian organizations; Kaspersky cited overlapping infrastructure and tooling as evidence of possible coordination. Attacks by BO Team in 2026 have used spear-phishing to deliver BrockenDoor and ZeronetKit, the latter able to compromise Linux systems. A previously undocumented Go-based backdoor referred to as ZeroSSH has also been observed; it can execute arbitrary commands via cmd.exe and establish a reverse SSH channel. As many as 20 organizations were targeted by BO Team in the first quarter of 2026.

Furthermore, Russian enterprises have been targeted by a financially motivated group called Hive0117, which has stolen over 14 million rubles by breaking into accountants' computers via phishing and disguising the resulting transfers as salary payments. The phishing emails went to more than 3,000 Russian organizations between February and March 2026. The attacks use invoice-themed lures to distribute RAR archives containing malicious files that drop DarkWatchman, a remote access trojan attributed to the group. Using the compromised accountants' computers to reach the companies' online banking systems, the attackers submitted payment batches that looked like payroll transfers but listed money-mule accounts as the recipients. Where these transfers passed the banks' anti-fraud checks, the attackers were able to withdraw significant sums from the companies' accounts.