Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
TL;DR Ghostwriter, a Belarus-aligned threat group active since 2016, has launched a new campaign targeting Ukrainian government entities since March 2026 using geofenced PDF lures that deliver PicassoLoader and Cobalt Strike. The group now incorporates anti-analysis techniques including dynamic CAPTCHA checks and IP-based payload filtering. Defenders should monitor for malicious PDF attachments and JavaScript payloads in email, and implement geolocation-aware filtering.
What happened
Since March 2026, Ghostwriter—tracked under multiple designations including FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx—has conducted spear-phishing attacks against Ukrainian government entities. The campaign uses malicious PDF attachments impersonating Ukrtelecom, the Ukrainian telecommunications company.
The attack chain incorporates a sophisticated geofencing mechanism. When a victim clicks a link in the PDF, the attacker infrastructure first performs a geolocation check. If the victim's IP address originates outside Ukraine, the server responds with a benign PDF file. If the IP address geolocates to Ukraine, the infrastructure delivers a RAR archive containing a JavaScript payload.
The JavaScript payload serves a dual purpose: it displays a lure document to maintain the social engineering pretext while simultaneously launching PicassoLoader in the background. PicassoLoader then profiles the compromised host—collecting system fingerprints—and transmits this data to attacker-controlled infrastructure every 10 minutes. Operators manually review the fingerprint data and decide whether to deploy a third-stage JavaScript dropper that executes Cobalt Strike Beacon.
ESET detailed this activity in a report shared with The Hacker News, noting that the group continues to evolve its evasion methods. Toward the end of 2025, Ghostwriter began incorporating dynamic CAPTCHA checks in lure documents as an anti-analysis technique to obstruct automated analysis and sandbox detonation.
The victimology in Ukraine centers on military, defense sector, and governmental organizations. In comparison, the group's targeting in Poland and Lithuania encompasses a broader set of sectors: industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government.
Ghostwriter's operational history includes prior campaigns exploiting known vulnerabilities. In late 2023, the group weaponized CVE-2023-38831 (WinRAR, CVSS 7.8) to deploy PicassoLoader and Cobalt Strike. In 2024, Polish entities received phishing emails exploiting CVE-2024-42009 (Roundcube, CVSS 9.3) to harvest email login credentials via malicious JavaScript. Harvested credentials were then abused to analyze mailbox contents, extract contact lists, and distribute further phishing messages, according to CERT Polska's June 2025 report.
Why it matters
For defenders and SOC teams in the MENA region and Eastern Europe, this campaign highlights the sophistication of geofencing-aware phishing infrastructure. Attackers are now layering anti-analysis techniques—geolocation checks, CAPTCHA barriers, and manual operator validation—to evade both automated detection and sandboxed analysis environments.
The use of PicassoLoader as a profiling stage before Cobalt Strike deployment represents a resource-aware attack methodology: operators avoid deploying expensive Cobalt Strike licenses on low-value targets. This selective deployment increases the likelihood that compromised machines are sufficiently privileged or networked to justify further investment.
For organizations in Ukraine, Poland, Lithuania, and neighboring regions, the campaign signals sustained targeting by a capable nation-state actor. The continuous toolset updates and delivery mechanism changes demonstrate Ghostwriter's intent to maintain operational access despite detection disclosures.
The use of RAR archives in multiple recent campaigns (Ghostwriter's March 2026 activity, Gamaredon's September 2025–present operations, and BO Team's 2026 attacks) suggests that abusing RAR archives as a delivery container, and the evasion it affords, is an emerging operational trend across multiple threat actors.
Affected systems and CVEs
- PicassoLoader (JavaScript variant, March 2026 campaign)
- Cobalt Strike Beacon (via PicassoLoader deployment)
- CVE-2023-38831 (WinRAR, CVSS 7.8; exploited in late 2023)
- CVE-2024-42009 (Roundcube cross-site flaw, CVSS 9.3; exploited in 2024)
- njRAT (previously deployed via PicassoLoader)
What to do
- Monitor for PDF attachments that request user interaction, contain embedded links, or display unusual behavioral patterns (e.g., CAPTCHA prompts).
- Implement geolocation-aware email filtering to detect and quarantine phishing campaigns; flag emails originating from external sources destined for government entities.
- Deploy endpoint detection and response (EDR) solutions tuned to identify PicassoLoader execution, JavaScript-based downloaders, and Cobalt Strike Beacon callbacks.
- Apply security patches for CVE-2023-38831 (WinRAR) and CVE-2024-42009 (Roundcube) if these products are deployed in your environment.
- Implement network segmentation and egress filtering to limit Cobalt Strike lateral movement and command-and-control (C2) communication.
- Block or alert on RAR archives delivered via email, particularly those containing JavaScript payloads or executable files.
- Monitor for suspicious credential harvesting, email forwarding rules, and contact list exfiltration from compromised mailboxes.
- Implement user awareness training focused on spear-phishing techniques, Ukrtelecom-themed lures, and the dangers of clicking embedded links in unexpected PDF attachments.
- Enable multi-factor authentication for email and VPN access to limit the impact of credential compromise.
- Monitor outbound HTTPS traffic for periodic connections to the same external destination at roughly 10-minute intervals (the fingerprinting interval observed in this campaign).
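As an added example, not code from the ESET report or the article, the following Python script flags fixed-cadence outbound connections such as the 10-minute fingerprint uploads described above. The proxy log lines and the 203.0.113.77 destination are constructed sample data, and the thresholds are illustrative defaults.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, not real telemetry: "<ISO time> <src_ip> <dst_host>:<port>".
# 203.0.113.77 (TEST-NET-3) is a placeholder for attacker infrastructure.
SAMPLE_LOG = """\
2026-03-10T09:00:02 10.0.5.21 203.0.113.77:443
2026-03-10T09:00:15 10.0.5.21 updates.example.com:443
2026-03-10T09:10:01 10.0.5.21 203.0.113.77:443
2026-03-10T09:12:40 10.0.5.21 updates.example.com:443
2026-03-10T09:20:03 10.0.5.21 203.0.113.77:443
2026-03-10T09:30:02 10.0.5.21 203.0.113.77:443
2026-03-10T09:40:00 10.0.5.21 203.0.113.77:443
2026-03-10T09:03:11 10.0.5.33 updates.example.com:443
2026-03-10T09:41:50 10.0.5.33 updates.example.com:443
"""

def parse_log(log):
    """Group connection times (epoch seconds, sorted) by (source IP, destination)."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return {key: sorted(times) for key, times in flows.items()}

def find_beacons(log, period=600, tolerance=0.05, max_jitter=0.10, min_hits=4):
    """Return (src, dst, mean_gap, hits) for flows that recur near `period` seconds.

    A flow is flagged when it has at least `min_hits` connections, its mean gap lies
    within `tolerance` of `period`, and the gaps vary little (relative jitter below
    `max_jitter`). Legitimate updaters also poll on fixed schedules, so triage hits
    against an allowlist of known destinations."""
    hits = []
    for (src, dst), times in parse_log(log).items():
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if abs(avg - period) > period * tolerance or pstdev(gaps) / avg > max_jitter:
            continue
        hits.append((src, dst, round(avg, 1), len(times)))
    return hits

if __name__ == "__main__":
    for src, dst, avg, count in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {count} connections, mean gap {avg}s")
```

Only the flow to 203.0.113.77 is flagged; the two-hit updater flows fall below `min_hits`, and a loader that randomizes its sleep would need a looser `max_jitter`.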
Open questions
- The source does not specify the number of successful compromises or the extent of damage resulting from the March 2026 Ghostwriter campaign.
- Technical details on the implementation of dynamic CAPTCHA checks and their effectiveness against automated detection tools are not disclosed.
- The specific server-side validation logic combining user agent and IP address filtering is not detailed beyond the geofencing mechanism.
- It remains unclear whether the observed anti-analysis techniques (CAPTCHA, geofencing) have proven effective at evading security vendor sandboxes or automated threat detection systems.
- The source does not confirm whether JavaScript-based PicassoLoader represents a new development for the group or has been used in prior unreported campaigns.
Source
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike