Attack Vector and Execution
The Belarus-linked threat actor known as Ghostwriter has launched a new wave of targeted attacks against Ukrainian government organizations. The group, active since at least 2016, is known for combining cyber espionage with influence operations. In this latest campaign the attackers deliver their lures as PDF files with geofenced payloads: the malicious content is served only to victims whose connection originates in the targeted region, and anyone fetching it from elsewhere cannot retrieve it.
Once the PDF is opened, it triggers an infection chain that ultimately deploys Cobalt Strike Beacon, a widely used post-exploitation implant. ESET researchers report that the group keeps refining its tradecraft, placing dynamic CAPTCHA checks in front of the payload and reworking its lure documents to slip past security controls. Geofencing and CAPTCHA gating do double duty: they keep automated sandboxes and researchers outside the target region from ever obtaining the payload, which both delays detection and leaves an analyst with only the first stage unless the chain is retrieved from an in-region egress with the CAPTCHA satisfied interactively.
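The article does not say how the PDF hands off to the next stage, so the first thing an analyst holding such a lure needs is a quick, offline look at which actions the file carries (an external URI link, a Launch action, JavaScript, or an auto-firing /OpenAction) before deciding whether the next stage must be fetched from an in-region egress. The triage script below is an added example written for this page, not code from the article, ESET or the actor; its sample PDF is constructed here, structurally simplified, and uses a hypothetical URL. It scans the raw bytes and also inflates FlateDecode streams, because an action hidden in a compressed object stream is invisible to a plain grep.

```python
import re
import zlib

# Keys that make a PDF act when opened or clicked: external URI links, Launch
# (run a local program), JavaScript, form submission, remote GoTo, and the
# /OpenAction and /AA (additional actions) keys that fire without a click.
ACTION_RE = re.compile(
    rb"/(URI|Launch|JavaScript|JS|SubmitForm|GoToR|OpenAction|AA)\b"
)
# The string operand that follows a URI, Launch, JS or file-spec (/F) key,
# written either as a literal (...) or as a hex <...> string.
TARGET_RE = re.compile(
    rb"/(URI|Launch|JS|F)\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)
# Stream bodies; compressed ones may hide whole objects (object streams).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _pdf_string(m: "re.Match[bytes]") -> str:
    """Decode a matched PDF string operand (simplified: escapes are dropped)."""
    if m.group("lit") is not None:
        return re.sub(rb"\\(.)", rb"\1", m.group("lit")).decode("latin-1")
    digits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
    try:
        return bytes.fromhex(digits).decode("latin-1")
    except ValueError:          # odd-length hex string: report it raw
        return "<" + digits + ">"


def _scan(buf: bytes, findings: dict) -> None:
    """Record action keys and their string targets found in one buffer."""
    for m in ACTION_RE.finditer(buf):
        findings["actions"].add(m.group(1).decode("ascii"))
    for m in TARGET_RE.finditer(buf):
        findings["targets"].append((m.group(1).decode("ascii"), _pdf_string(m)))


def triage_pdf(data: bytes) -> dict:
    """Return the action keys and string targets a PDF carries, including
    those hidden inside FlateDecode-compressed streams."""
    findings = {"actions": set(), "targets": [], "inflated_streams": 0}
    _scan(data, findings)
    for m in STREAM_RE.finditer(data):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:      # not Flate (or not compressed at all); skip
            continue
        findings["inflated_streams"] += 1
        _scan(inflated, findings)
    findings["actions"] = sorted(findings["actions"])
    return findings


def build_sample_pdf(url: str) -> bytes:
    """Constructed sample input (hypothetical URL, not a real lure). It is
    structurally simplified, not a viewer-valid file: the /URI action is
    tucked into a Flate-compressed object stream so a naive grep of the raw
    bytes would miss it, while /OpenAction sits in the clear."""
    hidden = b"4 0 obj << /Type /Action /S /URI /URI (" + url.encode("latin-1") + b") >> endobj"
    objstm = zlib.compress(hidden)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /A 4 0 R >> endobj\n"
        b"6 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
        + str(len(objstm)).encode("ascii") + b" >>\nstream\n" + objstm
        + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf("https://lure.example/doc"))
    print(report)
```

The regexes are deliberately loose: they do not handle nested unescaped parentheses in literal strings, filters other than Flate, or encrypted documents, and a real investigation should confirm the result with a proper parser such as pdfid or pdf-parser. The point here is the order of operations: inflate first, then look for the keys, or a lure that keeps its URI inside an object stream will look inert.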
Impact and Scope
The primary targets are governmental agencies in Ukraine, continuing a long pattern of activity by Ghostwriter against Eastern European nations. The group has previously used malware families such as PicassoLoader alongside Cobalt Strike and njRAT in earlier operations. Past attacks have also included exploiting vulnerabilities in WinRAR and Roundcube webmail to gain initial access.
CERT Polska documented cases where Ghostwriter used harvested credentials to analyze mailbox contents, download contact lists, and propagate additional phishing messages from compromised accounts. ESET characterizes the group as a persistent and adaptive threat with a high level of operational maturity, regularly updating its compromise chains and delivery mechanisms to stay ahead of detection efforts.
Source: The Hacker News

