The Ghostwriter group, described as Belarus-aligned, has been linked to a fresh wave of attacks against Ukrainian government organisations, according to The Hacker News. The latest activity, observed since March 2026, involves spear-phishing PDFs impersonating Ukrtelecom that drop a JavaScript version of PicassoLoader to deploy Cobalt Strike.
The infection chain includes a geofencing check that serves a benign PDF to victims outside Ukraine, while a link in the document delivers a RAR archive containing a JavaScript payload and a lure document. The downloader fingerprints the compromised host and may trigger a third-stage JavaScript dropper for Cobalt Strike Beacon; victim data is reported to attacker infrastructure every 10 minutes.
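Because the first stage is geofenced, a sandbox outside Ukraine only ever sees the benign PDF, so host-side detonation alone can miss this chain. The fixed 10-minute reporting cadence described above is a network-side signal a defender can hunt for instead. The script below is an added example, not code from the article, ESET or The Hacker News: it parses constructed proxy-style log lines (timestamp, source host, destination, bytes sent) and flags source/destination pairs whose inter-arrival times cluster around an expected interval. The log format, host names and thresholds are assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real telemetry): "<ISO timestamp> <src host> <dst host> <bytes>".
# ws-17 contacts one destination every ~600 s with a near-constant payload size, like a beacon.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z ws-17 updates.example-cdn.test 412
2026-03-10T09:03:15Z ws-17 intranet.corp.test 9031
2026-03-10T09:10:01Z ws-17 updates.example-cdn.test 418
2026-03-10T09:20:03Z ws-17 updates.example-cdn.test 410
2026-03-10T09:25:40Z ws-22 intranet.corp.test 1200
2026-03-10T09:30:00Z ws-17 updates.example-cdn.test 415
2026-03-10T09:40:02Z ws-17 updates.example-cdn.test 420
2026-03-10T09:41:11Z ws-22 news.corp.test 51200
2026-03-10T09:50:01Z ws-17 updates.example-cdn.test 409
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log text into (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_periodic_beacons(events, interval_s=600, tolerance_s=30, min_hits=4, min_ratio=0.8):
    """Return src/dst pairs whose connection gaps mostly fall within tolerance of interval_s.

    min_hits avoids flagging pairs with too few samples; min_ratio tolerates some
    jitter or missed intervals while still requiring a dominant period.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), samples in by_pair.items():
        if len(samples) < min_hits:
            continue
        samples.sort()
        stamps = [ts for ts, _ in samples]
        sizes = [size for _, size in samples]
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = [d for d in deltas if abs(d - interval_s) <= tolerance_s]
        ratio = len(periodic) / len(deltas)
        if ratio >= min_ratio:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(samples),
                "median_interval_s": statistics.median(deltas),
                "periodic_ratio": round(ratio, 2),
                # Small spread in request size is a secondary beacon indicator.
                "size_spread_bytes": max(sizes) - min(sizes),
            })
    return findings


if __name__ == "__main__":
    for hit in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

In practice the expected interval is not known in advance, so a hunt would sweep a range of candidate intervals (or cluster the raw inter-arrival times) rather than hard-code 600 s; the tolerance absorbs the jitter that beaconing frameworks typically add, and the byte-size spread helps separate a beacon from legitimate polling traffic with variable payloads.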
Ghostwriter, also tracked as “FrostyNeighbor”, remains a persistent, adaptive threat actor; ESET notes ongoing updates to its lure documents, delivery mechanisms, and overall compromise chain.