VYPR
breach · Published May 14, 2026 · Updated May 18, 2026 · 1 source

Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

Belarus-aligned threat actor Ghostwriter is targeting Ukrainian government entities with geofenced PDF phishing campaigns that deliver PicassoLoader and Cobalt Strike, with malicious payloads only served to Ukrainian IP addresses.

The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine, according to a report from ESET shared with The Hacker News. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It is also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx.

The latest campaign, observed since March 2026, involves spear-phishing emails carrying malicious PDFs that impersonate the Ukrainian telecommunications company Ukrtelecom. The PDFs contain embedded links that deliver a RAR archive containing a JavaScript payload. This payload displays a lure document to maintain the ruse while simultaneously launching a JavaScript version of PicassoLoader in the background. The downloader then profiles and fingerprints the compromised host, transmitting system information to attacker-controlled infrastructure every 10 minutes, allowing operators to manually decide whether to deploy a third-stage JavaScript dropper for Cobalt Strike Beacon.
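The 10-minute check-in cadence described above is a usable hunting hook: a host that contacts the same external destination at near-constant intervals stands out against ordinary browsing. The block below is an added example, not code from ESET or from the campaign, that groups web-proxy requests by client and destination and flags series whose request gaps are regular. The log format (ISO-8601 timestamp, client IP, method, host/path, status, user agent), the host name example-c2.invalid and every sample line are constructed for the example.

```python
"""Hunt for fixed-interval beaconing in web proxy logs.

Added example; not the campaign's or ESET's code. The log layout is an
assumption: "<ISO timestamp> <src_ip> <method> <host>/<path> <status> <ua>".
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log, not real traffic. "example-c2.invalid" stands in
# for attacker infrastructure; 10.20.1.15 checks in roughly every 600 s.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z 10.20.1.15 GET example-c2.invalid/check.php 200 Mozilla/5.0
2026-03-10T09:03:41Z 10.20.1.15 GET intranet.example/news 200 Mozilla/5.0
2026-03-10T09:10:01Z 10.20.1.15 GET example-c2.invalid/check.php 200 Mozilla/5.0
2026-03-10T09:17:22Z 10.20.1.15 GET intranet.example/mail 200 Mozilla/5.0
2026-03-10T09:20:03Z 10.20.1.15 GET example-c2.invalid/check.php 200 Mozilla/5.0
2026-03-10T09:30:02Z 10.20.1.15 GET example-c2.invalid/check.php 200 Mozilla/5.0
2026-03-10T09:40:04Z 10.20.1.15 GET example-c2.invalid/check.php 200 Mozilla/5.0
2026-03-10T09:50:01Z 10.20.1.15 GET example-c2.invalid/check.php 200 Mozilla/5.0
2026-03-10T09:12:55Z 10.20.1.30 GET intranet.example/news 200 Mozilla/5.0
2026-03-10T09:45:10Z 10.20.1.30 GET intranet.example/mail 200 Mozilla/5.0
"""


def parse_proxy_log(text):
    """Yield (timestamp, src_ip, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        ts_raw, src, _method, url, _status = parts[:5]
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        host = url.split("/", 1)[0]  # host part only; the path may vary
        yield ts.replace(tzinfo=timezone.utc), src, host


def interval_stats(timestamps):
    """Return (mean gap in seconds, jitter) for a series of datetimes.

    jitter is the coefficient of variation of the gaps (pstdev / mean):
    close to 0 means a fixed timer, larger values mean human-driven traffic.
    Returns (None, None) when fewer than two gaps exist.
    """
    secs = sorted(t.timestamp() for t in timestamps)
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    if len(gaps) < 2:
        return None, None
    period = mean(gaps)
    if period == 0:
        return 0.0, 0.0
    return period, pstdev(gaps) / period


def detect_beacons(log_text, min_hits=5, max_jitter=0.05,
                   expected_period=None, period_tolerance=0.1):
    """Flag (src, host) pairs whose request gaps are nearly constant.

    expected_period (seconds) optionally narrows the hunt to one cadence,
    e.g. 600 for the 10-minute check-in described in the report.
    """
    series = defaultdict(list)
    for ts, src, host in parse_proxy_log(log_text):
        series[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        period, jitter = interval_stats(stamps)
        if jitter is None or jitter > max_jitter:
            continue
        if expected_period is not None and \
                abs(period - expected_period) > period_tolerance * expected_period:
            continue
        findings.append({"src": src, "host": host, "hits": len(stamps),
                         "period_s": round(period, 1), "jitter": round(jitter, 4)})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG, expected_period=600):
        print(finding)
```

On the constructed log the only hit is 10.20.1.15 to example-c2.invalid, six requests about 600 s apart with jitter well under 1%; the intranet traffic is too sparse and too irregular to qualify. Because the downloader reports on a timer but the operators decide manually whether to send the next stage, the check-ins persist whether or not a Beacon ever arrives, which is what makes the cadence worth hunting for. Real implants often add random sleep jitter or pause when the host is idle, so tune max_jitter and min_hits against your own baseline rather than treating these defaults as fixed.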

A key feature of this campaign is a geofencing check applied when the embedded link is followed: if the requesting IP address does not resolve to Ukraine, the server returns only a benign file, so the malicious archive is reserved for targets inside the country. This server-side validation combines automated checks of the requesting user agent and IP address with manual vetting by the operators, demonstrating a high level of operational maturity. A practical consequence for defenders is that the same link fetched from a sandbox or analyst workstation outside Ukraine returns the decoy, so the delivered archive should be recovered from the victim's mailbox or host rather than by re-fetching the URL.

"FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe," ESET researcher Damien Schaeffer said. The group has previously exploited vulnerabilities such as CVE-2023-38831 in WinRAR and CVE-2024-42009 in Roundcube to deploy PicassoLoader and Cobalt Strike in attacks against Poland and Lithuania.

The activity primarily centers around military, defense sector, and governmental organizations in Ukraine, whereas the victimology in Poland and Lithuania is much broader, targeting industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors. In some cases, the threat actors leveraged harvested credentials to analyze mailbox contents, download contact lists, and abuse compromised accounts to propagate more phishing messages, according to a report from CERT Polska in June 2025.

Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain. "FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms," ESET said. The disclosure comes alongside reports of other Russia-aligned threat activity targeting Ukraine, including Gamaredon's spear-phishing campaign delivering GammaDrop and GammaLoad malware through RAR archives exploiting CVE-2025-8088.

Synthesized by Vypr AI