
ESET Details New Ghostwriter Activity Targeting Ukrainian Government
Why It Matters
The campaign demonstrates a sophisticated, state‑aligned threat that can bypass generic defenses and compromise sensitive defense and infrastructure data, raising the risk profile for governments and neighboring economies.
Key Takeaways
- Ghostwriter sent spear‑phishing PDFs masquerading as Ukrtelecom communications.
- Geofencing delivers decoy documents to non‑Ukrainian IPs and the real payload to Ukrainian IPs.
- The payload uses PicassoLoader to gather system data before a Cobalt Strike beacon is deployed.
- Targets include Ukrainian defense agencies and critical sectors in Poland and Lithuania.
Pulse Analysis
Since early 2026, the APT group known as FrostyNeighbor, or Ghostwriter, has resurfaced with a focused intrusion campaign against Ukrainian state institutions. Linked to the Belarusian government, the group’s renewed activity reflects a pattern of state‑sponsored cyber‑espionage that intensifies as regional tensions rise. By leveraging a seemingly innocuous PDF that pretends to be an official Ukrtelecom notice, Ghostwriter exploits the trust placed in domestic telecom communications. This approach not only bypasses generic email filters but also capitalizes on the high‑value information stored within ministries of defense and public administration.
The delivery chain employs sophisticated geofencing: IP addresses outside Ukraine receive a harmless regulatory brief, while Ukrainian addresses are served a RAR archive containing a JavaScript loader. The loader runs a customized version of PicassoLoader, a lightweight downloader that harvests system fingerprints and reports them to command‑and‑control servers. Operators then manually decide whether to push a third‑stage payload, typically a Cobalt Strike beacon, to privileged accounts. This manual step reduces automated noise, making detection harder and allowing the attackers to prioritize high‑impact targets such as military networks and critical infrastructure.
The spillover into Poland and Lithuania underscores the campaign’s broader geopolitical scope, signaling that neighboring states are also within the adversary’s sight. Enterprises in these regions should reinforce email security, enforce strict attachment sandboxing, and monitor for anomalous JavaScript execution. Threat‑intelligence teams must track indicators of compromise tied to PicassoLoader and Cobalt Strike to accelerate incident response. As Eastern European governments brace for continued cyber pressure, the Ghostwriter episode serves as a reminder that state‑aligned actors can rapidly adapt tactics, demanding equally agile defensive postures.
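As an added illustration of the "monitor for anomalous JavaScript execution" advice above (this is example code, not from ESET's report or the article), the following Python routine scores Windows process-creation events for the pattern the delivery chain describes: a script host launching a .js file from a user download or temp directory, especially straight out of an archive. The events, file names and the WinRAR temp path are constructed sample data, and the Sysmon-like field names (parent, image, cmdline) are an assumption about the telemetry source.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like form
# (sample data, not telemetry from the campaign): parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\o.k\AppData\Local\Temp\Rar$DIa1234.5678\Ukrtelecom_notice.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\o.k\Downloads\Ukrtelecom_notice.js"'},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.js"},  # benign admin script
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "cmdline": r'"Acrobat.exe" "C:\Users\o.k\Downloads\Ukrtelecom_notice.pdf"'},  # decoy PDF opened
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs)\b", re.IGNORECASE)
USER_DROP_DIRS = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)
ARCHIVE_PARENTS = ("winrar.exe", "7zfm.exe", "7z.exe")  # assumed archiver image names


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one event; 0 unless the child is a script host."""
    reasons = []
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return 0, reasons
    if SCRIPT_EXT.search(ev["cmdline"]):
        reasons.append("script host launched a .js/.jse/.wsf/.vbs script")
    if USER_DROP_DIRS.search(ev["cmdline"]):
        reasons.append("script lives in a user download/temp directory")
    if basename(ev["parent"]) in ARCHIVE_PARENTS:
        reasons.append("parent is an archiver: script run straight from an archive")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return [(event, reasons)] for events whose score reaches the threshold."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev, reasons))
    return flagged
```

Run against the sample, the WinRAR-spawned and Downloads-launched scripts are flagged while the scheduled admin script and the PDF viewer are not; the threshold and directory list are tuning knobs for an environment's own noise level.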