216.73.217.86

Ukraine's UAV Supply Chain Targeted With Besomar-Themed Malware Chain

· Published 24/06/2026 11:03

Export JSON

Essential information

Published
24/06/2026 11:03
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
besomar defense drones ghostshell supply chain uav ukraine vidar
Related entities
3 indicators, 1 intrusion sets (apt), 20 techniques (mitre), 1 malware

Description

A newly identified threat group, designated as GhostShell, has been conducting cyber operations against 's unmanned aerial vehicle since February 2026. The attackers employ malicious archives containing decoy documents that impersonate Besomar, a Ukrainian manufacturer of high-precision interceptor drones, to compromise and procurement networks. The attack chain deploys three distinct payloads: a custom backdoor (122.exe) utilizing mTLS client certificates for screen capture and command execution, an in-memory stager (update.exe) disguised as a Windows Health Service that fetches next-stage payloads via Telegram, and a proxy launcher (22.exe) that tunnels traffic through Xray Core to deploy the v2 information stealer. The targeting strongly suggests a Russian cyber operation, though analysts employ the SOLBIT framework to avoid attribution based on easily forgeable indicators.

External references