New Ghostwriter campaign targets Ukrainian military and government orgs

SentinelLabs has detected an ongoing campaign targeting Ukrainian government and military organizations, alongside Belarusian opposition activists. The campaign has been under preparation since July-August 2024 and became operational in November-December 2024, with the activity still ongoing. The researchers link this activity to the long-running Ghostwriter campaign, which has been active since at least 2016.

The Ghostwriter campaign has been closely associated with Belarusian government espionage efforts and is most commonly attributed to threat actor groups like UNC1151 (Mandiant) or UAC-0057 (CERT-UA). Some reports may refer to this threat group and its campaigns as "Ghostwriter APT." Between 2020 and 2024, Ghostwriter used malicious Excel documents to deliver PicassoLoader and Cobalt Strike payloads, often luring victims with issues relevant to Ukraine's military. The targeting has often been specific to Ukrainian government officials.

The observed campaign shares characteristics with previous Ghostwriter operations, combining information manipulation with cyber espionage to target individuals and organizations in Eastern Europe.

The attack begins when a target receives an email with a link to a Google Drive shared document. Clicking the link directs the target to a RAR archive containing a malicious Excel workbook.

Once the victim opens the Excel document and enables macros, the embedded VBA code runs and loads a DLL payload that appears to be a simplified variant of PicassoDownloader, a malware family previously linked to Ghostwriter attacks. PicassoDownloader has been used in cyberattacks against government, military, and civilian targets in Ukraine and Poland.

The observed variant of PicassoDownloader differs from earlier versions in that it is a cheaper and more expendable tool, with modifications made to the underlying code. The downloader's primary function is to fetch the next stage of the attack. SentinelLabs said that during analysis the payload delivered was a benign JPG file, possibly used for obfuscation or as a decoy. Based on the code analysis, it is likely that the real targets receive a DLL payload.

The attackers appear to gate delivery of the payload on the server side. The process validates the client's profile, including the browser user agent and IP address, and confirms that the request falls within the operation's timing window.
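The chain described above (archive-extracted workbook opened in Excel, macro loads a DLL from a user-writable path, the DLL then reaches out for the next stage) can be correlated in endpoint telemetry. The following is an added detection example, not code from SentinelLabs or the article; the event records are constructed in a Sysmon-like shape (process create, image load, network connection) and the paths and IP are invented sample values.

```python
"""Correlate Office-macro -> unsigned DLL -> outbound connection per process."""
import re
from collections import defaultdict

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample telemetry (not from the article), assumed in time order.
# id 1 = process create, 7 = image load, 3 = network connection (Sysmon-style).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": EXCEL, "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"EXCEL.EXE" "C:\Users\u\AppData\Local\Temp\Rar$DIa1234\report.xlsm"'},
    {"id": 7, "pid": 4100, "image": EXCEL,
     "loaded": r"C:\Users\u\AppData\Local\Temp\stage.dll", "signed": False},
    {"id": 3, "pid": 4100, "image": EXCEL, "dest": "203.0.113.10", "port": 443},
    # Benign session: workbook from Documents, only signed Office DLLs loaded.
    {"id": 1, "pid": 5200, "image": EXCEL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" "C:\Users\u\Documents\budget.xlsx"'},
    {"id": 7, "pid": 5200, "image": EXCEL,
     "loaded": r"C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll", "signed": True},
]

OFFICE_RE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
ARCHIVE_TEMP_RE = re.compile(r"\\Rar\$|\\Temp\\7z", re.I)  # WinRAR / 7-Zip scratch dirs


def correlate(events):
    """Return one alert per Office process that loaded an unsigned DLL from a
    user-writable path; score rises if the document came from an archive
    scratch directory and if the process then made a network connection."""
    state = defaultdict(lambda: {"office": False, "from_archive": False, "dll": None, "net": None})
    for e in events:
        if not OFFICE_RE.search(e.get("image", "")):
            continue
        st = state[e["pid"]]
        if e["id"] == 1:
            st["office"] = True
            st["from_archive"] = bool(ARCHIVE_TEMP_RE.search(e.get("cmdline", "")))
        elif e["id"] == 7 and not e.get("signed", True) and USER_WRITABLE_RE.search(e["loaded"]):
            st["dll"] = e["loaded"]
        elif e["id"] == 3 and st["dll"]:  # outbound traffic only counts after the DLL load
            st["net"] = f'{e["dest"]}:{e["port"]}'
    alerts = []
    for pid, st in state.items():
        if st["office"] and st["dll"]:
            score = 2 + int(st["from_archive"]) + int(st["net"] is not None)  # max 4
            alerts.append({"pid": pid, "dll": st["dll"], "from_archive": st["from_archive"],
                           "net": st["net"], "score": score})
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```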

Past research has shown that Ghostwriter often concentrates its delivery on Ukraine; in one previous campaign, Cobalt Strike payloads were only delivered to systems located in Ukraine.

While many of the tactics, techniques, and procedures (TTPs) used in this campaign align with prior campaigns linked to Ghostwriter, SentinelLabs notes several new developments. These include the adaptation of the PicassoLoader malware and a shift in tactics to streamline operations. The actors behind the campaign appear to be iterating on their malware tools to create more flexible and disposable versions that can be easily replaced or modified, depending on the targets' responses.

“While Belarus doesn’t actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyberespionage operations against Ukrainian targets,” SentinelLabs noted. “The campaign described in this publication also serves as confirmation that Ghostwriter is closely tied with the interests of the Belarusian government waging an aggressive pursuit of its opposition and organizations associated with it.”

25 February 2025