VYPR
Breach · Published May 14, 2026 · Updated May 22, 2026 · 3 sources

Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

Belarus-aligned threat actor Ghostwriter is targeting Ukrainian government entities with geofenced PDF phishing campaigns that deliver PicassoLoader and Cobalt Strike, with malicious payloads only served to Ukrainian IP addresses.

The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine, according to a report from ESET shared with The Hacker News. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It is also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison, UNC1151, and White Lynx.

The latest campaign, observed since March 2026, involves spear-phishing emails carrying malicious PDFs that impersonate the Ukrainian telecommunications company Ukrtelecom. The PDFs contain embedded links that deliver a RAR archive containing a JavaScript payload. This payload displays a lure document to maintain the ruse while simultaneously launching a JavaScript version of PicassoLoader in the background. The downloader then profiles and fingerprints the compromised host, transmitting system information to attacker-controlled infrastructure every 10 minutes, allowing operators to manually decide whether to deploy a third-stage JavaScript dropper for Cobalt Strike Beacon.
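One defender-side check that the 10-minute profiling cadence suggests, as an added example that is not from ESET's report or any of the cited sources: a small Python script that groups constructed proxy log lines by source and destination and flags pairs whose request gaps cluster tightly around 600 seconds. The log format, host names and addresses are assumptions.

```python
import re
from datetime import datetime
from statistics import median, pstdev
from collections import defaultdict

# Constructed proxy log lines (assumed format: timestamp src dst method path status).
# Host 10.0.0.5 polls one external server every ~10 minutes, like the PicassoLoader
# profiling stage described above; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z 10.0.0.5 203.0.113.40 POST /upload 200
2026-03-10T09:03:17Z 10.0.0.9 198.51.100.7 GET /news 200
2026-03-10T09:10:05Z 10.0.0.5 203.0.113.40 POST /upload 200
2026-03-10T09:20:01Z 10.0.0.5 203.0.113.40 POST /upload 200
2026-03-10T09:21:44Z 10.0.0.9 198.51.100.7 GET /news/2 200
2026-03-10T09:30:04Z 10.0.0.5 203.0.113.40 POST /upload 200
2026-03-10T09:40:03Z 10.0.0.5 203.0.113.40 POST /upload 200
2026-03-10T09:47:10Z 10.0.0.9 198.51.100.7 GET /login 200
2026-03-10T09:50:02Z 10.0.0.5 203.0.113.40 POST /upload 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)

def find_beacons(log_text, period_s=600, tolerance_s=30, min_hits=5):
    """Return {(src, dst): median_gap_seconds} for pairs whose inter-request
    gaps sit within tolerance_s of period_s and show little jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse(log_text):
        times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:          # too few requests to judge cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if abs(med - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits[pair] = med
    return hits
```

Loaders that randomize their sleep will spread the gaps, so widen `tolerance_s` or compare the gap distribution against a baseline for the same destination rather than relying on one fixed period.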

A key feature of this campaign is a geofencing check on the victim's IP address. If the address does not correspond to Ukraine, the link in the PDF serves only a benign file, ensuring the malicious payload is reserved for targets within the country. This server-side validation combines automated checks of the requesting user agent and IP address with manual validation by the operators, demonstrating a high level of operational maturity.

"FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe," ESET researcher Damien Schaeffer said. The group has previously exploited vulnerabilities such as CVE-2023-38831 in WinRAR and CVE-2024-42009 in Roundcube to deploy PicassoLoader and Cobalt Strike in attacks against Poland and Lithuania.

The activity primarily centers around military, defense sector, and governmental organizations in Ukraine, whereas the victimology in Poland and Lithuania is much broader, targeting industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors. In some cases, the threat actors leveraged harvested credentials to analyze mailbox contents, download contact lists, and abuse compromised accounts to propagate more phishing messages, according to a report from CERT Polska in June 2025.

Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain. "FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms," ESET said. The disclosure comes alongside reports of other Russia-aligned threat activity targeting Ukraine, including Gamaredon's spear-phishing campaign delivering GammaDrop and GammaLoad malware through RAR archives exploiting CVE-2025-8088.

In the latest wave, Ghostwriter is impersonating Ukraine's largest online learning platform, Prometheus, sending emails with PDF attachments that lead to a malware chain deploying OysterBlues and OysterShuck via the OysterFresh loader, according to CERT-UA. The campaign has been active since spring 2026 and uses compromised accounts to target government employees; infected systems may later receive a Cobalt Strike beacon. This is distinct from the geofenced PDF approach previously reported, but follows the same Ghostwriter playbook against Ukrainian state institutions.

CERT-UA's latest report details a variant of the campaign using Prometheus-themed lures and a multi-stage malware chain involving OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK, which ultimately delivers Cobalt Strike. The attack leverages compromised email accounts to distribute PDF attachments containing links to ZIP archives with JavaScript payloads, a shift from the previously reported geofenced PDF approach. CERT-UA advises restricting wscript.exe execution for standard users to mitigate the threat.

Synthesized by Vypr AI