Ukraine's UAV Supply Chain Targeted With Besomar-Themed Malware Chain
Essential information
- Published
- 24/06/2026 11:03
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- besomar defense drones ghostshell supply chain uav ukraine vidar
- Related entities
- 3 indicators, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware
Description
A newly identified threat group, designated as GhostShell, has been conducting cyber operations against Ukraine's unmanned aerial vehicle supply chain since February 2026. The attackers employ malicious archives containing decoy documents that impersonate Besomar, a Ukrainian manufacturer of high-precision interceptor drones, to compromise defense and procurement networks. The attack chain deploys three distinct payloads: a custom backdoor (122.exe) utilizing mTLS client certificates for screen capture and command execution, an in-memory stager (update.exe) disguised as a Windows Health Service that fetches next-stage payloads via Telegram, and a proxy launcher (22.exe) that tunnels traffic through Xray Core to deploy the Vidar v2 information stealer. The targeting strongly suggests a Russian cyber operation, though analysts employ the SOLBIT framework to avoid attribution based on easily forgeable indicators.