
A Belarusian threat group known as Ghostwriter is believed to be behind new attacks targeting government agencies in Ukraine.
Ghostwriter has been active since at least 2016 and is said to be involved in both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It has also been tracked under the names FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
“FrostyNeighbor is conducting a continuous cyber operation, regularly changing and updating its toolset, updating its compromise chain and methods to evade detection, and targeting victims located in Eastern Europe,” ESET said in a report shared with Hacker News.
Previous attacks launched by the hacking team utilized a malware family known as PicassoLoader, which served as a conduit to Cobalt Strike Beacon and njRAT. In late 2023, this actor was also observed deploying PicassoLoader and Cobalt Strike by exploiting a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8).
Just last year, Polish companies were victims of a phishing campaign organized by Ghostwriter. This campaign exploited a cross-site scripting (XSS) flaw in Roundcube (CVE-2024-42009, CVSS score: 9.3) to execute malicious JavaScript that retrieved email login credentials.
In at least some cases, attackers used the harvested credentials to analyze mailbox contents, download contact lists, and exploit compromised accounts to spread further phishing messages, according to a June 2025 CERT Polska report. Towards the end of 2025, the group also began incorporating anti-analysis techniques, with decoy documents that require a dynamic CAPTCHA check to pass before the attack chain is triggered.
“FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with its diverse lure documentation, evolving lure and downloader variants, and use of new delivery mechanisms,” said ESET researcher Damien Schaeffer. “This latest chain of compromises we detected is a continuation of the group’s willingness to update its arsenal in an attempt to evade detection in order to compromise its targets.”
The most recent set of activities, observed since March 2026, targeted Ukrainian government agencies with links embedded in malicious PDFs sent as spear-phishing attachments, ultimately deploying a JavaScript version of PicassoLoader to drop Cobalt Strike. The PDF decoy document was found to be impersonating the Ukrainian telecommunications company Ukrtelecom.
The infection sequence includes a geofencing check, which serves a harmless PDF file to visitors whose IP address does not geolocate to Ukraine. An embedded link within the PDF document is used to deliver a RAR archive containing a JavaScript payload that displays a decoy document to continue the ruse, while also launching PicassoLoader in the background.
This downloader is designed to profile and fingerprint compromised hosts; based on that data, operators manually decide whether to send the third-stage JavaScript dropper for Cobalt Strike Beacon. System fingerprints are sent to attacker-controlled infrastructure every 10 minutes, allowing the attacker to assess whether the victim is of interest.
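The fixed 10-minute fingerprint check-in described above is exactly the kind of machine-driven cadence a defender can hunt for in web-proxy logs. The following is an added illustration, not ESET's code and not the actor's tooling; the log format, client address and host names are constructed for the example, and real implants often add jitter, which the tolerance parameter accounts for.

```python
"""Flag (client, host) pairs whose requests recur at a fixed interval,
such as the 10-minute fingerprint check-ins described above.
Constructed example: the log format and all hosts/addresses are made up."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client ip> <destination host> <path>"
SAMPLE_LOG = """\
2026-03-10T09:00:02 10.1.4.23 cdn-update.example /api/v1/sys
2026-03-10T09:00:41 10.1.4.23 news.example /index.html
2026-03-10T09:10:03 10.1.4.23 cdn-update.example /api/v1/sys
2026-03-10T09:15:19 10.1.4.23 news.example /sports
2026-03-10T09:20:01 10.1.4.23 cdn-update.example /api/v1/sys
2026-03-10T09:30:04 10.1.4.23 cdn-update.example /api/v1/sys
2026-03-10T09:40:02 10.1.4.23 cdn-update.example /api/v1/sys
2026-03-10T09:50:03 10.1.4.23 cdn-update.example /api/v1/sys
2026-03-10T09:52:44 10.1.4.23 news.example /weather
"""

def parse_log(text):
    """Return {(client, host): [unix timestamps]} from the constructed format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _path = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts).timestamp())
    return seen

def find_beacons(text, period=600, tolerance=0.1, min_hits=5):
    """Return [(client, host, median_gap_seconds, request_count)] for pairs
    whose inter-request gaps cluster around `period` seconds (600 s = 10 min)
    with relative jitter no larger than `tolerance`."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge a cadence
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Low relative spread of gaps points to a timer, not human browsing
        jitter = pstdev(gaps) / med if med else float("inf")
        if abs(med - period) <= tolerance * period and jitter <= tolerance:
            hits.append((client, host, med, len(stamps)))
    return hits

if __name__ == "__main__":
    for client, host, med, n in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests, median gap {med:.0f}s")
```

The ordinary browsing to news.example is ignored because it is both sparse and irregular, while the six check-ins to cdn-update.example are flagged.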

In Ukraine, this activity appears to be primarily focused on the military, defense sector, and government organizations, but in Poland and Lithuania the targeting is much broader, spanning industry and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors.
“The payload is only delivered after server-side victim verification, which combines automatic checking of the requesting user agent and IP address with manual verification by the operator,” ESET said.
Gamaredon delivers GammaDrop and GammaLoad in attacks on Ukraine
This disclosure comes as the Russian hacking group Gamaredon has been involved in a spear-phishing campaign targeting Ukrainian state institutions since September 2025 with the goal of distributing GammaDrop and GammaLoad downloader malware through RAR archives that exploit CVE-2025-8088.
“These emails come from spoofed or compromised government accounts and deliver persistent, multi-stage VBScript downloaders that profile infected systems,” HarfangLab said. “While there is little technological novelty here, Gamaredon has never relied on sophistication. The group’s strength lies in its relentless operational tempo and scale.”
Russia targeted by BO Team and Hive0117
The findings also follow a report by Kaspersky Lab that a pro-Ukrainian hacktivist group known as BO Team (also known as Black Owl) may be collaborating with Head Mare (also known as PhantomCore) in attacks targeting Russian organizations, citing overlapping infrastructure and tools. An attack orchestrated by BO Team in 2026 used spear phishing to deliver BrockenDoor and ZeronetKit, the latter of which can also compromise Linux systems.
These attacks also revealed a previously undocumented Go-based backdoor called ZeroSSH that can use “cmd.exe” to execute arbitrary commands and establish a reverse SSH channel. As many as 20 organizations were targeted by BO Team in the first quarter of 2026.
“Although the nature of the interactions between the two groups remains unclear, the recorded intersection of tools and infrastructure suggests that at least the actions against the Russian entity may be coordinated,” Kaspersky said.
In recent months, Russian companies have also been targeted by a financially motivated group called Hive0117, which attempted to steal more than 14 million rubles by infiltrating accountants’ computers through phishing campaigns and disguising transfers as payroll payments. According to F6, the phishing emails were sent to more than 3,000 organizations in Russia between February and March 2026.
In addition to Russia, the campaign also targets users in Lithuania, Estonia, Belarus, and Kazakhstan. The attack uses an invoice-themed decoy to distribute a RAR archive containing malicious files and drop DarkWatchman, a remote access Trojan attributed to the group.
F6 said the attackers “remotely accessed the online banking system through the infected accountant’s computer and began depositing money into the bank account listed in the register.” “Previously, this looked like a payroll deposit, but the register listed Rava’s bank account. If such payment transactions did not pass through fraud prevention systems, the attacker could withdraw large sums of money from the company’s account.”
