
ESET details new Ghostwriter activity targeting Ukrainian government


ESET researchers have uncovered new activity from the APT group FrostyNeighbor (also known as Ghostwriter), which has been targeting Ukrainian government organizations since at least March 2026, according to a report covered by Security Affairs. The campaign mirrors the threat actor's previous operations; the group is linked to the government of Belarus.

The latest FrostyNeighbor campaign begins with a spear-phishing email carrying a PDF attachment disguised as an official communication from Ukrtelecom, a major Ukrainian telecommunications provider. The document contains a download button that points to a delivery server. That server geofences its responses: IP addresses outside Ukraine receive a decoy document about electronic communications regulations, while Ukrainian IP addresses receive a RAR archive containing a JavaScript file. The script is a JavaScript version of PicassoLoader, the group's payload downloader, which collects system information and sends it to attacker-controlled servers. Operators then decide manually whether to deliver a third-stage payload, typically a Cobalt Strike beacon, to high-value targets.
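A triage check for the lure described above, added here as an example and not code from ESET or Security Affairs: it pulls every /URI link target out of a PDF attachment and flags the ones whose host is not under the claimed sender's domain (assumed here to be ukrtelecom.ua). The PDF bytes are constructed for the example and stand in for a real attachment; the scan only sees uncompressed link annotations, so a PDF using object streams needs decompressing first.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF (not a real lure): one link annotation points at an
# external "download" host, another at the domain the mail claims to come from.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 200 130]
   /A << /S /URI /URI (https://download.example-delivery.test/doc.rar) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.ukrtelecom.ua/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI action target is a PDF literal string: "(...)" with backslash escapes.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in an uncompressed PDF body."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group("uri")
        # Undo the literal-string escapes that can appear inside a URL.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def flag_external(uris: list[str], trusted_suffixes: tuple[str, ...]) -> list[str]:
    """Return the URIs whose host is not the trusted domain or a subdomain of it."""
    flagged = []
    for u in uris:
        host = (urlparse(u).hostname or "").lower()
        if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            flagged.append(u)
    return flagged


if __name__ == "__main__":
    found = extract_uris(SAMPLE_PDF)
    print("link targets:", found)
    print("outside claimed sender domain:", flag_external(found, ("ukrtelecom.ua",)))
```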

The group's targeting is specific, focusing on military, defense, and governmental entities in Ukraine, while also impacting industrial, healthcare, logistics, and government bodies in Poland and Lithuania. This evolution aligns with broader geopolitical security dynamics in Eastern Europe.

Source: Security Affairs
