VYPR
Research · Published Jun 24, 2026 · 1 source

GhostShell Malware Uses mTLS Implant and Telegram Dead-Drop to Target Ukrainian Drone Operations

A new malware cluster named GhostShell is targeting Ukrainian drone operators and defense supply chains with a multi-stage attack using mTLS implants and Telegram-based C2.

A newly identified malware cluster known as GhostShell has been found actively targeting Ukraine's drone operations and its broader defense supply chain. The campaign combines several techniques, including a mutual TLS implant and a Telegram-based dead-drop resolver, to keep its command-and-control channels hard to probe, block, or take down. The threat actor behind this operation has been active since at least February 2026, and its methods suggest a deliberate focus on organizations connected to Ukrainian UAV technology.

The malware arrives through a booby-trapped archive named Besomar_documentation.rar, which exploits two WinRAR path-traversal vulnerabilities, CVE-2025-8088 and CVE-2025-6218, that let a crafted archive write files outside the directory the user chose for extraction. When the archive is extracted, it silently plants a malicious script in the Windows Startup folder, so the malware runs at every logon. The archive also carries a set of decoy PDF files designed to impersonate Besomar, a Ukrainian company known for building high-precision fixed-wing drones used in defense applications.

Researchers at Synaptic Security, who published a detailed report shared with Cyber Security News, tracked the cluster and named it GhostShell, assigning it the identifier MB-0009. The decoy documents were tailored to cover military units, technical staff, procurement personnel, and volunteer organizations inside Ukraine's drone ecosystem. This broad targeting pattern strongly suggests the actor is interested not just in individual operators, but in the full supply chain supporting UAV deployments.

The malware delivers three distinct payloads after the initial script runs, each taking a different path to reach back to the attacker. One payload establishes a persistent implant, another uses a Telegram channel as a live resolver to retrieve the attacker's server address, and a third tunnels stolen data through an encrypted proxy. The use of separate communication channels makes it harder for defenders to cut off all access at once, pointing to a carefully planned operation.

The first payload, named 122.exe, acts as a loader that decrypts a Stage-2 implant and runs it directly in memory, so the decrypted implant never touches disk. The implant communicates with the command server over HTTPS and authenticates with a client certificate issued by a private authority named "GhostShell Implant CA." Because the server requires this mutual TLS authentication, it answers only connections that present a certificate from that CA; scanners and researchers probing the server without one get no response, while the traffic itself is protected by ordinary TLS encryption.

The second payload, update.exe, disguises itself as the Windows Security Health Service and uses a Telegram channel at t.me/flufff6262 as a dead-drop resolver. It fetches an encoded value from that channel, decodes it to get the attacker's live server address, and then injects a shellcode payload that connects back over HTTPS. By storing the server address on Telegram, the actor can rotate the destination without rebuilding or redeploying anything.

The third component, 22.exe, is a Go-based launcher that wraps a full tunneling client inside itself. It sets up an encrypted proxy connection and delivers Vidar v2, a known infostealer, entirely in memory. Vidar can harvest browser passwords, cookies, cryptocurrency wallet data, messaging app files, and screenshots, sending everything out through the encrypted tunnel in a way that is difficult to detect on the network.

Organizations working within or alongside Ukraine's defense sector should treat unexpected compressed archives with caution, especially those referencing drone hardware or procurement materials, and should keep WinRAR patched against CVE-2025-8088 and CVE-2025-6218. Blocking access to newly registered domains at the network perimeter can reduce exposure to this type of staged delivery. Security teams should also hunt for client certificates whose issuer is "GhostShell Implant CA": because the implant authenticates with a certificate from a private CA, that issuer string is a reliable detection anchor for this cluster for as long as the actor keeps using the same CA. Note that the client Certificate message travels in cleartext only in TLS 1.2 handshakes; under TLS 1.3 it is encrypted, so the string must then be found on the endpoint (certificate stores, process memory, dropped files) or at a TLS-terminating egress proxy rather than in passively captured traffic.
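The following is an added example, not code from the Synaptic Security report or from Vypr, showing how a passive sensor or PCAP-processing script can pull the issuer commonName out of every certificate in a TLS 1.2 Certificate handshake message and flag the "GhostShell Implant CA" issuer. It uses a small hand-written DER walker rather than an X.509 library so that it runs anywhere; the certificates and the TLS record it is run on are constructed inline (unsigned skeletons with the real field order, not actual GhostShell artifacts), and the function names are this example's own.

```python
"""Hunt for the "GhostShell Implant CA" issuer in captured TLS 1.2 handshakes.
Added example (not from the report). Walks the DER of each certificate in a TLS
Certificate (type 11) message and returns the issuer CN. In TLS 1.2 the client's
Certificate message is sent in the clear; in TLS 1.3 it is encrypted, so this only
works on 1.2 traffic or behind a TLS-terminating proxy."""
import struct

ISSUER_CN_OF_INTEREST = "GhostShell Implant CA"   # issuer string from the report
OID_CN = bytes.fromhex("550403")                  # id-at-commonName (2.5.4.3)

def der_tlv(data, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(data, start, end):
    """Yield the TLVs packed back to back inside data[start:end]."""
    while start < end:
        tag, vstart, vend = der_tlv(data, start)
        yield tag, vstart, vend
        start = vend

def name_common_name(data, start, end):
    """X.501 Name = SEQUENCE OF SET OF AttributeTypeAndValue; return the CN value."""
    for _, rdn_s, rdn_e in der_children(data, start, end):          # each RDN (SET)
        for _, atv_s, atv_e in der_children(data, rdn_s, rdn_e):    # each ATV (SEQUENCE)
            (oid_tag, oid_s, oid_e), (_, v_s, v_e) = list(der_children(data, atv_s, atv_e))[:2]
            if oid_tag == 0x06 and data[oid_s:oid_e] == OID_CN:
                return data[v_s:v_e].decode("utf-8", errors="replace")
    return None

def certificate_issuer_cn(cert):
    """Issuer CN of a DER X.509 certificate: Certificate -> tbsCertificate -> issuer."""
    _, cert_s, _ = der_tlv(cert, 0)                    # outer Certificate SEQUENCE
    _, tbs_s, tbs_e = der_tlv(cert, cert_s)            # tbsCertificate SEQUENCE
    fields = list(der_children(cert, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                           # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, iss_s, iss_e = fields[2]                        # serialNumber, signature, issuer, ...
    return name_common_name(cert, iss_s, iss_e)

def certs_from_handshake_record(record):
    """Yield DER certificates from a TLS 1.2 handshake record carrying Certificate messages."""
    if not record or record[0] != 0x16:                # not a handshake record
        return
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 0
    while pos + 4 <= len(body):
        msg_type, msg_len = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
        msg, pos = body[pos + 4:pos + 4 + msg_len], pos + 4 + msg_len
        if msg_type != 11:
            continue
        end, cpos = 3 + int.from_bytes(msg[0:3], "big"), 3
        while cpos < end:                              # each cert: 3-byte length + DER
            clen = int.from_bytes(msg[cpos:cpos + 3], "big")
            yield msg[cpos + 3:cpos + 3 + clen]
            cpos += 3 + clen

def flag_ghostshell(record):
    """Issuer CNs of certificates in the record that match the GhostShell private CA."""
    return [cn for cn in map(certificate_issuer_cn, certs_from_handshake_record(record))
            if cn == ISSUER_CN_OF_INTEREST]

# --- Constructed sample data (not real GhostShell certificates) --------------
def der(tag, payload):
    """Minimal DER encoder, used only to build the sample certificates below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def toy_certificate(issuer_cn, subject_cn):
    """Unsigned certificate skeleton with the real field order; key and signature are stubs."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")              # version v3, serial
           + der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))      # sha256WithRSAEncryption
           + der_name(issuer_cn)
           + der(0x30, der(0x17, b"260101000000Z") + der(0x17, b"270101000000Z"))
           + der_name(subject_cn) + der(0x30, b""))                          # subjectPublicKeyInfo stub
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def toy_certificate_record(certs):
    """Wrap DER certs in one TLS 1.2 Certificate handshake message inside one record."""
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = b"\x0b" + (len(body) + 3).to_bytes(3, "big") + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    sample = toy_certificate_record([toy_certificate("GhostShell Implant CA", "implant-0001"),
                                     toy_certificate("Benign Corp CA", "laptop-42")])
    print(flag_ghostshell(sample))
```

In a real deployment `certs_from_handshake_record` would be fed the reassembled client-to-server TLS stream from a PCAP or a Zeek/Suricata file-extraction hook; the match on the issuer CN is deliberately exact, since a private CA name is under the actor's control and will only change if they rebuild their PKI.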

Synthesized by Vypr AI