Ghostwriter targets Ukrainian government entities in fresh phishing campaign

The Belarus-aligned Ghostwriter group has been linked to new attacks against Ukrainian government entities since March 2026, using malicious PDFs and a JavaScript version of PicassoLoader to deliver Cobalt Strike, according to a technical analysis by ESET.

KEY FACTS

  • Targeting: Ukrainian military, defense and government organizations were the main focus.
  • Lure: Attackers used PDF decoys posing as Ukrtelecom documents.
  • Delivery: Victims were sent to RAR archives that launched a JavaScript payload.
  • Filtering: The chain included a geofencing check that blocked non-Ukrainian IP addresses.
  • Payload: The campaign aimed to drop Cobalt Strike Beacon.

The report said the PDF lure contained an embedded link that led to a RAR archive. That archive carried JavaScript that showed a decoy document while PicassoLoader ran in the background.

The downloader also profiled infected systems and sent fingerprints to attacker-controlled infrastructure every 10 minutes. Operators then appear to have decided manually whether to deliver a third-stage JavaScript dropper for Cobalt Strike.
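A fixed 10-minute check-in is the kind of regularity a defender can hunt for in proxy or DNS logs. The following is an added illustration, not code from ESET or from the report: it groups constructed proxy log lines by source and destination, measures the gaps between requests, and flags pairs whose gaps are tightly clustered around a period (here, around 600 seconds). The log format, hostnames and IP addresses are all constructed for the example.

```python
"""Periodic check-in ("beaconing") detector over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log lines (assumed format, not from the ESET report):
# "<ISO-8601 UTC timestamp> <src_ip> <dst_host> <method> <path>"
# The first five lines model a ~10-minute check-in; the rest model ordinary browsing.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z 10.1.4.23 cdn.example-assumed.test POST /p
2026-03-10T09:10:01Z 10.1.4.23 cdn.example-assumed.test POST /p
2026-03-10T09:20:04Z 10.1.4.23 cdn.example-assumed.test POST /p
2026-03-10T09:30:00Z 10.1.4.23 cdn.example-assumed.test POST /p
2026-03-10T09:40:03Z 10.1.4.23 cdn.example-assumed.test POST /p
2026-03-10T09:41:17Z 10.1.4.23 www.example.test GET /news
2026-03-10T09:03:40Z 10.1.4.23 www.example.test GET /
2026-03-10T09:55:12Z 10.1.4.23 www.example.test GET /about
2026-03-10T09:12:33Z 10.1.4.23 www.example.test GET /contact
"""


def parse_lines(log_text):
    """Yield (timestamp, src_ip, dst_host) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(log_text, min_hits=4, max_jitter=0.05,
                 expected_interval=None, tolerance=0.1):
    """Return (src, dst, median_gap_seconds, hit_count) for regularly spaced pairs.

    A pair is reported when it has at least `min_hits` requests, the spread of
    its inter-request gaps is at most `max_jitter` times the median gap, and,
    if `expected_interval` is given, the median gap lies within `tolerance`
    (a fraction) of that interval.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_lines(log_text):
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        # Relative jitter: low values mean the gaps are nearly identical.
        if pstdev(gaps) / med > max_jitter:
            continue
        if expected_interval is not None and \
                abs(med - expected_interval) > tolerance * expected_interval:
            continue
        hits.append((src, dst, med, len(stamps)))
    return hits


if __name__ == "__main__":
    for src, dst, med, count in find_beacons(SAMPLE_LOG, expected_interval=600):
        print(f"{src} -> {dst}: {count} requests, median gap {med:.0f}s")
```

On the constructed log the browsing traffic to `www.example.test` has irregular gaps and is ignored, while the five `POST /p` requests are reported with a median gap of about 601 seconds. In practice the thresholds would be tuned per environment, and legitimate periodic traffic (update checks, monitoring agents) would be allow-listed before alerting.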

The disclosure said the same group has repeatedly updated its tools and delivery methods. Earlier activity included abuse of WinRAR, phishing tied to Roundcube flaws, and campaigns that used harvested mailbox credentials to spread more phishing messages.

WHY IT MATTERS

The activity shows how phishing campaigns can be tailored to a specific country and filtered to reduce exposure outside the intended target set. It also shows that the group is still combining social engineering with multi-stage malware delivery to reach government victims.