
Ghostwriter Cyber-Attack Targets Ukrainian, Belarusian Opposition

A new wave of cyber-attacks linked to the Ghostwriter threat actor has been observed focusing on Ukraine and opposition groups in Belarus.

The latest campaign, uncovered by SentinelLABS, employs weaponized Excel documents designed to deliver malicious payloads through phishing attacks.

Ghostwriter’s New Tactics

Ghostwriter, a cyber-espionage group linked to the Belarusian government, has evolved its attack strategies. SentinelLABS found that the group now uses Excel spreadsheets as phishing lures, embedding obfuscated VBA macros to execute payloads.

Researchers also identified new malware variants, including PicassoLoader and a recently developed downloader, aimed at Ukrainian government entities and Belarusian opposition figures.

Researchers analyzed multiple attack samples, including a document titled "Political Prisoners in Minsk Courts". This file was distributed through a phishing email with a Google Drive link, leading to a malicious RAR archive containing an infected Excel workbook.

Once opened, the spreadsheet’s VBA macro executes a series of commands:

Another attack vector included an Excel lure titled "Anti-Corruption Initiative", targeting Ukrainian officials. This file used similar tactics, with a downloader disguised as a legitimate Windows process. Attackers employed domain spoofing, copying legitimate URLs but altering the top-level domain (.shop instead of .com) to deceive security systems.
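As an added example, not part of the SentinelLABS report or this article, the following Python flags the top-level-domain swap described above by scanning proxy-log lines for hosts whose second-level label matches an allow-listed domain but whose TLD differs. The allow-list entries and the log lines are constructed, hypothetical values.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation legitimately uses
# (hypothetical names; the report does not name the spoofed sites).
KNOWN_DOMAINS = {"example-gov.com", "docs-portal.org"}

# Constructed proxy log lines (hypothetical): timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2025-01-15T09:12:03Z 10.0.0.12 GET https://example-gov.com/forms/index.html
2025-01-15T09:14:41Z 10.0.0.12 GET https://example-gov.shop/update/report.xls
2025-01-15T09:15:02Z 10.0.0.19 GET https://cdn.docs-portal.org/static/app.js
2025-01-15T09:16:30Z 10.0.0.19 GET https://docs-portal.net/download/sheet.xls
"""


def split_host(host):
    """Return (second-level label, tld) for a host, ignoring subdomains.

    Simplification: treats the last label as the TLD, so multi-part
    suffixes such as co.uk are not handled; a public-suffix list would
    be needed for those.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def find_tld_swaps(log_text, known_domains):
    """Return requests whose host reuses a known name under a different TLD."""
    expected_tld = {}
    for domain in known_domains:
        sld, tld = split_host(domain)
        expected_tld[sld] = tld

    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        host = urlparse(fields[3]).hostname
        pair = split_host(host) if host else None
        if pair is None:
            continue
        sld, tld = pair
        if sld in expected_tld and tld != expected_tld[sld]:
            hits.append({"ts": fields[0], "client": fields[1], "host": host,
                         "expected": f"{sld}.{expected_tld[sld]}"})
    return hits
```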

Stealth Techniques and Attribution

Ghostwriter’s campaign also employs advanced obfuscation techniques, modifying its own memory structure and altering portable executable (PE) headers to evade detection.

Researchers identified specific patterns consistent with past Ghostwriter operations, including the use of PicassoLoader malware and obfuscation tools such as ConfuserEx and MacroPack. The group’s choice of targets aligns with Belarusian government interests. While no direct evidence links these attacks to Russia, the ongoing focus on Ukraine suggests a broader geopolitical strategy.

The campaign coincides with Belarus’ presidential elections, indicating an effort to conduct cyber-espionage while suppressing political opposition.

Implications and Recommendations

Organizations in Ukraine and surrounding regions should implement security measures to mitigate threats, including:

  • Disabling Office macros by default

  • Using email filtering to detect phishing attempts

  • Employing endpoint detection and response (EDR) solutions

  • Monitoring network traffic for suspicious activity

The SentinelLABS report emphasizes that Ghostwriter remains a persistent threat. Governments, NGOs and private organizations operating in Eastern Europe should remain vigilant against evolving cyber tactics.
