Ghostwriter Targets Ukrainian Government in PDF Phishing, Cobalt Strike

A threat group associated with Belarus and known as Ghostwriter has been attributed to a new set of attacks against government agencies in Ukraine.
Operating since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations directed at neighboring countries, particularly Ukraine. It is also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
“FrostyNeighbor has been active online, changing and updating its toolset regularly, updating its chain of compromises and ways to avoid detection – targeting victims in Eastern Europe,” ESET said in a report shared with Hacker News.
Previous attacks by the hacking group have used a malware family known as PicassoLoader, which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also spotted exploiting a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deliver PicassoLoader and Cobalt Strike.
As recently as last year, Polish businesses were on the receiving end of a phishing campaign organized by Ghostwriter that used a cross-site scripting flaw in Roundcube (CVE-2024-42009, CVSS score: 9.3) to run malicious JavaScript responsible for capturing email login credentials.
At least in some cases, the threat actors are said to have used the collected credentials to analyze the contents of the mailbox, download contact lists, and misuse the compromised account to spread further phishing messages, according to a report from CERT Polska in June 2025. In late 2025, the group also began to incorporate CAPTCHA checks into its lures, where completing the CAPTCHA triggers the attack chain.
“FrostyNeighbor remains a persistent and flexible threat actor, demonstrating a high level of operational maturity through the use of various addictive scripts, a dynamic diversity of covers and downloads, and new delivery methods,” said ESET researcher Damien Schaeffer. “This latest series of compromises we have received is a continuation of the group’s determination to update and update its weapons, trying to evade detection in order to compromise its goals.”
The latest set of activities, seen since March 2026, involves phishing emails carrying malicious PDF attachments with embedded links, aimed at government agencies in Ukraine, which lead to a JavaScript version of PicassoLoader that drops Cobalt Strike. The PDF decoy documents were found impersonating the Ukrainian telecommunications company Ukrtelecom.
The infection sequence includes a geofencing check, which serves a harmless decoy PDF to visitors whose IP address does not geolocate to Ukraine. The link embedded in the PDF document is used to deliver a RAR archive containing the JavaScript loader, which displays the decoy document to maintain the ruse while launching PicassoLoader in the background.
The downloader is also designed to profile and fingerprint the compromised host, based on which the operators can manually decide whether to send the third-stage Cobalt Strike Beacon JavaScript dropper. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to check whether the victim is of interest.
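The fixed 10-minute fingerprint upload described above is the kind of regularity a defender can look for in outbound web proxy logs. The following Python script is an added example, not code from ESET or from the article: it groups requests by (source IP, destination host) and flags pairs whose inter-request gaps are nearly constant. The log lines, IP address and hostnames are constructed for the example; the jitter threshold is an assumed tuning value.

```python
"""Periodic-beacon detector over web proxy logs (added example, not ESET's or
the article's code). Requests are grouped by (source IP, destination host) and
a pair is flagged when its inter-request intervals are nearly constant, the
pattern produced by a fingerprint upload every 10 minutes. Log lines and
hostnames below are constructed for the example."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dest_host> <method> <user_agent>"
# The first host receives a POST every ~10 minutes; the second is ordinary browsing.
SAMPLE_LOG = """\
2026-03-10T09:00:03Z 10.0.0.5 update-check.example-malicious.test POST Mozilla/5.0
2026-03-10T09:10:02Z 10.0.0.5 update-check.example-malicious.test POST Mozilla/5.0
2026-03-10T09:20:04Z 10.0.0.5 update-check.example-malicious.test POST Mozilla/5.0
2026-03-10T09:30:01Z 10.0.0.5 update-check.example-malicious.test POST Mozilla/5.0
2026-03-10T09:40:03Z 10.0.0.5 update-check.example-malicious.test POST Mozilla/5.0
2026-03-10T09:01:10Z 10.0.0.5 news.example.test GET Mozilla/5.0
2026-03-10T09:04:55Z 10.0.0.5 news.example.test GET Mozilla/5.0
2026-03-10T09:31:20Z 10.0.0.5 news.example.test GET Mozilla/5.0
2026-03-10T09:33:00Z 10.0.0.5 news.example.test GET Mozilla/5.0
2026-03-10T09:52:41Z 10.0.0.5 news.example.test GET Mozilla/5.0
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dest_host, method, user_agent) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, ua = line.split(maxsplit=4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, method, ua


def find_beacons(text, min_requests=4, max_jitter=0.1):
    """Return {(src_ip, host): mean_interval_seconds} for pairs with at least
    min_requests requests whose gaps vary by less than max_jitter
    (population standard deviation divided by the mean gap)."""
    by_pair = defaultdict(list)
    for ts, src, host, _method, _ua in parse_log(text):
        by_pair[(src, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-zero relative spread means a timer, not a human.
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    for (src, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: ~{interval / 60:.1f} min interval")
```

On the constructed sample the malicious host is reported with a ~10-minute interval and the browsing host is not. Real proxy data will need the threshold and minimum request count tuned, and legitimate software updaters also poll on timers, so the output is a triage list rather than a verdict.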

The activity appears to be primarily focused on the military, defense sector, and government organizations in Ukraine, while victimology in Poland and Lithuania is much broader, spanning industry and manufacturing, healthcare and pharmaceuticals, logistics, and government.
“FrostyNeighbor remains a persistent and flexible threat actor, demonstrating a high level of operational maturity through the use of various lure scripts, a flexible variety of lures and downloads, and new delivery methods,” ESET said. “The payload is delivered only after validating the victim on the server side, including automatic verification of the requesting user agent and IP address and manual verification by users.”
Gamaredon brings GammaDrop and GammaLoad to the attack on Ukraine
The disclosure comes as the Russian-backed hacker group Gamaredon has been implicated in a phishing campaign targeting Ukrainian government agencies since September 2025, with the aim of delivering the GammaDrop and GammaLoad malware via RAR archives exploiting CVE-2025-8088.
“These emails – either hijacked or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloads that describe the infected program,” HarfangLab said. “There’s a bit of new technology here, but Gamaredon has never relied on innovation. The team’s strength lies in its endless functionality and scale.”
Russia Targeted by BO Team and Hive0117
These findings also follow a report from Kaspersky that a group of pro-Ukraine hacktivists known as BO Team (aka Black Owl) may be collaborating with Head Mare (aka PhantomCore) in attacks targeting Russian organizations, citing overlapping infrastructure and tools. Attacks organized by BO Team in 2026 used phishing to deliver BrockenDoor and ZeronetKit, the latter of which can also compromise Linux systems.
Also observed in these attacks is a previously undocumented Go-based backdoor called ZeroSSH that can execute arbitrary commands via “cmd.exe” and establish a reverse SSH channel. Approximately 20 organizations were targeted by BO Team in the first half of 2026.
“The nature of the interaction between the groups is still unclear, but the recorded cross-cutting of tools and infrastructure indicates at least a possible convergence of actions against Russian organizations,” Kaspersky said.
In recent months, Russian businesses have also been targeted by a financially motivated group called Hive0117, which stole more than 14 million rubles by compromising accountants’ computers through phishing campaigns and disguising fraudulent transfers as salary payments. Phishing emails were sent to more than 3,000 Russian organizations between February and March 2026, per F6.
Besides Russia, the campaign also targeted users in Lithuania, Estonia, Belarus, and Kazakhstan. The attacks use invoice-themed lures to distribute RAR archives containing malicious files that deploy DarkWatchman, a remote access trojan allegedly created by the group.
“Using remote access to online banking systems through compromised accountants’ computers, they started making payments to bank accounts listed on the registry,” said F6. “Previously, this looked like a salary transfer, but the registry registered the bank accounts of the mules. If such payments did not pass the anti-fraud systems, the attackers were able to withdraw significant amounts from the company’s accounts.”