Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
Feb. 26, 2025, 9:45 a.m.
Description
A new campaign attributed to the Ghostwriter threat actor has been observed targeting opposition activists in Belarus as well as Ukrainian military and government organizations. The operation, whose preparation began in mid-2024 and which entered an active phase in late 2024, employs weaponized Excel documents with malicious macros to deliver PicassoLoader variants and other payloads. The lures relate to Ukrainian military and government interests and to Belarusian opposition topics. The multi-stage attack chain involves obfuscated downloaders, decoy documents, and attempts to fetch additional payloads from command and control servers. The threat actor's tactics have evolved, adapting previous techniques while targeting both Ukrainian entities and Belarusian opposition groups.
Date
- Created: Feb. 26, 2025, 9:24 a.m.
- Published: Feb. 26, 2025, 9:24 a.m.
- Modified: Feb. 26, 2025, 9:45 a.m.
Indicators
Attack Patterns
- PicassoLoader
- Cobalt Strike - S0154
- Ghostwriter
- T1102.002
- T1573.002
- T1218.011
- T1059.005
- T1059.003
- T1547.001
- T1071.001
- T1204.002
- T1105
- T1055
- T1036
- T1140
- T1027
Additional Information
- Defense
- Government
- Belarus
- Ukraine