The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine.
Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It’s also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
“FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe,” ESET said in a report shared with The Hacker News.
Previous attacks mounted by the hacking crew have leveraged a malware family known as PicassoLoader, which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also observed weaponizing a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike.
As recently as last year, Polish entities were at the receiving end of a phishing campaign orchestrated by Ghostwriter that exploited a cross-site scripting (XSS) flaw in Roundcube (CVE-2024-42009, CVSS score: 9.3) to run malicious JavaScript in the victim's webmail session and capture email login credentials.
In at least some cases, the threat actors are said to have leveraged the harvested credentials to analyze mailbox contents, download the contact list, and abuse the compromised account to propagate more phishing messages, per a report from CERT Polska in June 2025. Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain.
“FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms,” ESET researcher Damien Schaeffer said. “This newest compromise chain that we detected is a continuation of the group’s willingness to update and renew its arsenal, trying to evade detection to compromise its targets.”
The latest set of activities, observed since March 2026, involves malicious PDFs delivered as spear-phishing attachments to government entities in Ukraine. A link inside each PDF starts a chain that ends with the deployment of a JavaScript version of PicassoLoader, which in turn drops Cobalt Strike. The PDF decoy documents have been found to impersonate the Ukrainian telecommunications company Ukrtelecom.
The infection sequence incorporates a geofencing check: visitors whose IP address does not geolocate to Ukraine are served a benign PDF file, so a sandbox or crawler fetching the link from outside Ukraine will not see the malicious stage. For targeted victims, the link embedded in the PDF delivers a RAR archive containing a JavaScript payload that displays a lure document to keep up the ruse while simultaneously launching PicassoLoader in the background.
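The chain described above (PDF with an embedded link, link serves an archive, archive carries a script that opens a decoy and runs the loader) lends itself to cheap static triage before any sample is detonated. The following Python script is an added example written for this page, not code from ESET or from the campaign: it pulls `/URI` link targets out of a PDF, flags those pointing at archive files, and flags archive member names that are scripts or use a document-plus-script double extension. The PDF bytes, URLs, and file names are constructed for the example and are not real indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF with two link annotations. The URLs are placeholders
# (example.invalid), not indicators from the Ghostwriter campaign.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/billing/rahunok.rar) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI (https://example.invalid/about) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed member listing, as you would get from `unrar lb archive.rar`.
SAMPLE_MEMBERS = [
    "Ukrtelecom_rahunok.pdf.js",   # hypothetical double-extension script payload
    "rahunok.pdf",                 # hypothetical decoy shown to the victim
]

# Literal PDF strings only: "(" ... ")" with escaped ")" allowed inside.
# Hex strings (<...>) and links inside compressed object streams are NOT
# handled; inflate streams first (e.g. with pdf-parser or qpdf --qdf).
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\\)|[^)])*)\)")

ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso", ".img")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".cmd", ".bat")
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.[a-z0-9]{1,4}$")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every literal-string /URI target found in the PDF bytes."""
    return [
        m.group("uri").decode("latin-1").replace("\\)", ")")
        for m in URI_RE.finditer(pdf)
    ]


def flag_archive_links(uris: list[str]) -> list[str]:
    """Keep links whose URL path ends in an archive extension."""
    return [u for u in uris if urlparse(u).path.lower().endswith(ARCHIVE_EXT)]


def flag_script_members(members: list[str]) -> dict[str, list[str]]:
    """Classify archive member names: script payloads and double-extension decoys."""
    scripts, double_ext = [], []
    for name in members:
        low = name.lower()
        if low.endswith(SCRIPT_EXT):
            scripts.append(name)
        if DOUBLE_EXT_RE.search(low):
            double_ext.append(name)
    return {"scripts": scripts, "double_extension": double_ext}


def triage(pdf: bytes, members: list[str]) -> dict:
    """Run the whole chain check and return a verdict plus the evidence."""
    uris = extract_uris(pdf)
    archive_links = flag_archive_links(uris)
    member_flags = flag_script_members(members)
    suspicious = bool(archive_links) and bool(member_flags["scripts"])
    return {
        "uris": uris,
        "archive_links": archive_links,
        **member_flags,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF, SAMPLE_MEMBERS).items():
        print(f"{key}: {value}")
```

Because the server geofences, the archive itself may only be obtainable from a Ukrainian egress address; the member-name check therefore takes a listing you already have rather than fetching anything. Treat a PDF whose link resolves to an archive containing a `.js`, `.wsf`, or double-extension file as the pattern worth escalating, even when the decoy document inside looks legitimate.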
The downloader is also…
