Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike Ravie LakshmananMay 14, 2026Hacktivism / Data Theft The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx. "FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe," ESET said in a report shared with The Hacker News. Previous attacks mounted by the hacking crew have leveraged a malware family known as PicassoLoader, which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also observed weaponizing a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike. As recently as last year, Polish entities were at the receiving end of a phishing campaign orchestrated by Ghostwriter that exploited a cross-site flaw in Roundcube (CVE-2024-42009, CVSS score: 9.3) to run malicious JavaScript responsible for capturing email login credentials. In at least some cases, the threat actors are said to have leveraged the harvested credentials to analyze mailbox contents, download the contact list, and abuse the compromised account to propagate more phishing messages, per a report from CERT Polska in June 2025. Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain. "FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms," ESET researcher Damien Schaeffer said. "This newest compromise chain that we detected is a continuation of the group's willingness to update and renew its arsenal, trying to evade detection to compromise its targets." The latest set of activities, observed since March 2026, involves using links in malicious PDFs sent via spear-phishing attachments to target government entities in Ukraine, ultimately resulting in the deployment of a JavaScript version of PicassoLoader to drop Cobalt Strike. The PDF decoy documents have been found to impersonate the Ukrainian telecommunications company Ukrtelecom. The infection sequence incorporates a geofencing check, serving a benign PDF file to victims whose IP address does not correspond to Ukraine. The embedded link in the PDF document is used to deliver a RAR archive containing a JavaScript payload that displays a lure document to keep up the ruse, while simultaneously launching PicassoLoader in the background. The downloader is also designed to profile and fingerprint the compromised host, based on which the operators may manually decide to send a third-stage JavaScript dropper for Cobalt Strike Beacon. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to assess whether the victim is of interest. The activity primarily appears to center around military, defense sector, and governmental organizations in Ukraine, whereas the victimology in Poland and Lithuania is much broader, targeting industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors. "FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms," ESET said. "The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with the manual validation by the operators." Gamaredon Delivers GammaDrop and GammaLoad in Ukraine Attacks The disclosure comes as the Russia-affiliated Gamaredon hacking group has been tied to a spear-phishing campaign targeting Ukrainian state institutions since September 2025, with an aim to deliver GammaDrop and GammaLoad downloader malware through RAR archives that exploit CVE-2025-8088. "These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system," HarfangLab said. "There is little technical novelty here, but Gamaredon has never relied on sophistication. The group's strength lies in its relentless operational tempo and scale." Russia Targeted by BO Team and Hive0117 The findings also follow a report from Kaspersky that the pro-Ukraine hacktivist group known as BO Team (aka Black Owl) may be working with Head Mare (aka PhantomCore) in attacks aimed at Russian organizations, citing overlapping infrastructure and tools. Attacks orchestrated by the BO Team in 2026 have employed spear-phishing to serve BrockenDoor and ZeronetKit, the latter of which is capable of also compromising Linux systems. Also observed in these attacks is a previously undocumented Go-based backdoor referred to as ZeroSSH that can execute arbitrary commands using "cmd.exe" and establish a reverse SSH channel. As many as 20 organizations have been targeted by the BO Team in the first quarter of 2026. "The nature of the interaction between the groups remains unclear, but the recorded intersections of tools and infrastructure indicate at least the potential coordination of actions against Russian organizations," Kaspersky said. In recent months, Russian enterprises have also been targeted by a financially motivated group called Hive0117to steal over 14 million rubles by breaking into accountants' computers via phishing campaigns and disguising transfers as salary payments. The phishing emails were sent to more than 3,000 Russian organizations between February and March 2026, per F6. Besides Russia, the activity has also targeted users from Lithuania, Estonia, Belarus, and Kazakhstan. The attacks employ invoice-themed lures to distribute RAR archives that contain malicious files to drop DarkWatchman, a remote access trojan attributed to the group. "Using remote access to online banking systems via compromised accountants' computers, they initiated payments to be credited to bank accounts listed in the registry," F6 said. "Formerly, this looked like a payroll transfer, but the registry listed the bank accounts of mules. If such payment transactions did not go through anti-fraud systems, the attackers were able to withdraw significant amounts from the companies' accounts." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cobalt Strike, cybersecurity, data theft, Ghostwriter, Hacktivism, Remote Access Trojan, Spear Phishing ⚡ Top Stories This Week 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions Day Zero Readiness: The Operational Gaps That Break Incident Response 2026: The Year of AI-Assisted Attacks Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Trellix Confirms Source Code Breach With Unauthorized Repository Access New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass Load More ▼ ⭐ Featured Resources [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Demo] Discover How to Control Autonomous Identity Risks Effectively [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster [Guide] Get Practical AI SOC Insights to Improve Threat Detection