Summary: A new malware campaign targeting Belarusian opposition activists and Ukrainian military organizations uses malicious Microsoft Excel documents to deliver a variant of PicassoLoader. This cyber operation, attributed to the Belarus-aligned threat actor Ghostwriter, has been ongoing since 2016 and aligns with Russian security interests. Recent activity indicates that the campaign is currently active and uses various tactics to compromise target systems.
Affected: Belarusian opposition activists, Ukrainian military and government organizations
Key points:
- Malicious Excel documents are used to disseminate PicassoLoader malware.
- The campaign is an extension of the long-running Ghostwriter threat group's activity, linked to Belarus and Russian security interests.
- Recent techniques include obfuscated VBA macros and steganography to deliver additional payloads.
Source: https://thehackernews.com/2025/02/belarus-linked-ghostwriter-uses.html