The Ghostwriter group, which is linked to Belarus, has launched a new cyberespionage campaign against Ukrainian government and military structures. Belarusian opposition activists have also come under attack.
The Belarus-linked Ghostwriter group has begun a new wave of cyberattacks against Ukrainian state organizations. The operation relies on phishing attachments, malicious PDF files and updated versions of Picasso Loader to deliver Cobalt Strike to target systems.
ESET reports that the group, also tracked as FrostyNeighbor, UNC1151, UAC-0057 and White Lynx, has been active since at least 2016. It has concentrated its operations on Eastern European states and conducts both cyber espionage and information operations.
“FrostyNeighbor is continuing with cyberoperations, constantly updating and improving their toolset, their chain of compromise and evasion techniques, focusing their efforts toward victims based in Eastern Europe,” stated ESET researchers.
In previous years Ghostwriter used Picasso Loader to launch Cobalt Strike Beacon and njRAT. At the end of 2023 the attackers exploited the critical WinRAR vulnerability CVE-2023-38831 to deliver their payload.
At the start of 2024, Polish entities became the focus of the attacks. Later the group exploited the Roundcube cross-site scripting vulnerability CVE-2024-42009 to run malicious JavaScript in victims' webmail sessions, gain access to their mailboxes, and then send phishing emails from the compromised accounts.
In late 2025 the group added a new anti-analysis step: decoy documents began presenting a dynamic CAPTCHA check before the malware chain starts.
A further wave of attacks, under way since early March 2026, appears to be aimed mainly at Ukrainian state structures. The attackers use PDF files containing malicious URLs, disguised as documents from Ukrtelecom.
When the user opens the PDF, it presents a link to a RAR archive containing a JavaScript file. That file drops a decoy document to keep the pretext believable while running Picasso Loader in the background.
The researchers also note a geofencing check: if the visitor's IP address is not in Ukraine, a benign PDF is served instead of the malicious content. Data collected by Picasso Loader is sent to the attackers' server every 10 minutes; based on it, the operators decide whether to proceed with delivering Cobalt Strike Beacon in later stages of the attack.
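The chain ESET describes ends with Picasso Loader checking in with the operators' server every 10 minutes, and that fixed cadence is itself something defenders can look for. The following Python script is added here as an illustration; it is not code from the article, from ESET or from the malware. It flags source/destination pairs in web-proxy logs whose request gaps are almost constant. The log format, hostnames and timestamps are constructed for the example, and the thresholds (at least five requests, under 5% jitter) are assumptions rather than values from the report.

```python
"""Added example: flag hosts whose outbound requests to one destination recur
at a nearly fixed interval, the pattern a malware check-in every 10 minutes
would leave in proxy logs. Log format, hostnames, timestamps and thresholds
are constructed assumptions, not data from the ESET report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_host> <dst_host> <status>".
# ws-17 contacts cdn-update.example every ~10 minutes; the rest is normal noise.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z ws-17 cdn-update.example 200
2026-03-10T09:03:41Z ws-17 news.example 200
2026-03-10T09:10:03Z ws-17 cdn-update.example 200
2026-03-10T09:12:55Z ws-22 mail.example 200
2026-03-10T09:20:01Z ws-17 cdn-update.example 200
2026-03-10T09:27:18Z ws-22 mail.example 200
2026-03-10T09:30:04Z ws-17 cdn-update.example 200
2026-03-10T09:40:02Z ws-17 cdn-update.example 200
2026-03-10T09:41:10Z ws-22 mail.example 200
2026-03-10T09:50:03Z ws-17 cdn-update.example 200
2026-03-10T10:00:01Z ws-17 cdn-update.example 200
"""


def parse_log(text):
    """Group request timestamps by (source host, destination host), sorted."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        series[(src, dst)].append(
            datetime.fromisoformat(ts.replace("Z", "+00:00")))
    for key in series:
        series[key].sort()
    return series


def find_beacons(series, min_events=5, max_jitter_ratio=0.05):
    """Return (src, dst, mean_gap_seconds) for pairs whose inter-request gaps
    are nearly constant: the coefficient of variation (stdev / mean) of the
    gaps is below max_jitter_ratio. Human browsing almost never produces gaps
    within 5% of each other across five or more requests."""
    hits = []
    for (src, dst), times in series.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter_ratio:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every {gap}s")
```

Run it against real logs after aggregating by source and destination. A check-in that adds random jitter or rotates destinations will slip past a plain coefficient-of-variation test, so treat this as one signal alongside the other indicators in the report, such as RAR archives carrying .js files and PDF lures that link out to archives.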
Military, defense and government organizations remain the main targets of these attacks in Ukraine. In Poland and Lithuania the broader list of potential victims also includes industry, medicine, pharmaceuticals, logistics and the public sector.
“This current chain of compromise continues with the group's desire to continually update and upgrade their arsenal in attempts to evade detection so as to successfully breach their intended targets,” said ESET researcher Damien Schaeffer.
While Ghostwriter was targeting state organizations in Ukraine, researchers also reported further attacks by the Russian group Gamaredon. Since September 2025 the group has used phishing RAR archives and an exploit for the WinRAR vulnerability CVE-2025-8088 to deliver the GammaDrop and GammaLoad downloaders to Ukrainian government agencies.
HarfangLab reported that the attackers sent emails from compromised or spoofed government addresses to reach the mailboxes of government employees. The emails carried multi-stage VBScript downloaders that collected detailed profiles of the infected systems.
Kaspersky also found evidence of cooperation between the pro-Ukrainian BO Team and the Head Mare group in coordinated attacks on Russian entities. The researchers identified shared infrastructure and tooling, specifically Brocken Door, Zeronet Kit, and a new Go-based Zero SSH backdoor that executes shell commands via cmd.exe and establishes SSH tunnels.
BO Team conducted approximately twenty attacks on Russian organizations in Q1 2026 alone.