Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition

Published 26/02/2025 09:24 · Modified 26/02/2025 09:45

Essential information

Tags
2025-02-26, cobalt strike, confuserex, picassoloader, uac-0057, ukraine, unc1151
Related entities
10 observables, 1 intrusion set (apt), 13 techniques (mitre), 2 malware, 4 others

Description

A new campaign attributed to the Ghostwriter threat actor has been observed targeting opposition activists in Belarus and Ukrainian military and government organizations. The operation, which began preparation in mid-2024 and entered an active phase in late 2024, employs weaponized Excel documents with malicious macros to deliver variants and other payloads. The campaign uses lures related to Ukrainian military and government interests, as well as Belarusian opposition topics. Multiple stages of the attack chain involve obfuscated downloaders, decoy documents, and attempts to fetch additional payloads from command and control servers. The threat actor's tactics have evolved, showing adaptations to previous techniques and targeting both Ukrainian entities and Belarusian opposition groups.

External references