Ghostwriter has launched new spear-phishing attacks against Ukrainian government organizations, using malicious PDFs, geofencing, and a JavaScript version of PicassoLoader to deploy Cobalt Strike. The wider report also highlights Gamaredon’s Ukraine-focused campaigns, BO Team-linked operations against Russian organizations, and Hive0117’s phishing activity for financial theft. #Ghostwriter #PicassoLoader #CobaltStrike #Gamaredon #BOTeam #HeadMare #Hive0117 #DarkWatchman #ZeroSSH #GammaDrop #GammaLoad
Key points
- Ghostwriter is targeting Ukrainian governmental organizations with fresh spear-phishing attacks.
- Malicious PDFs impersonating Ukrtelecom are used to deliver PicassoLoader and Cobalt Strike.
- The infection chain uses geofencing and host fingerprinting to validate victims before payload delivery.
- Gamaredon is conducting spear-phishing campaigns against Ukrainian state institutions using GammaDrop and GammaLoad.
- BO Team, Head Mare, and Hive0117 are also active in campaigns against Russian and regional targets.
Read More: https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html