Cybersecurity researchers at SentinelLABS have uncovered a new campaign linked to the long-running Ghostwriter operation, targeting Belarusian opposition activists and Ukrainian military and government entities.
The campaign, which entered its active phase in late 2024, is ongoing, with recent malware samples and command-and-control (C2) activity indicating continued threats.
A Persistent Espionage Operation
Ghostwriter, an advanced persistent threat (APT) campaign with ties to Belarusian intelligence, has been active since at least 2016.
Previously tracked by cybersecurity firms under the names UNC1151 (Mandiant) and UAC-0057 (CERT-UA), the campaign blends information manipulation with cyber intrusions.
Over the years, it has targeted European countries with phishing attacks and malware-laden documents.
Its latest iteration follows a familiar playbook, using weaponized Excel documents as lures. The themes of these malicious files indicate a focus on political and military affairs, aligning with previous Ghostwriter activities that targeted Ukraine’s Ministry of Defense.
Malicious Documents Exploit Political Sensitivities
SentinelLABS identified multiple weaponized Excel files distributed through phishing emails. One such file, titled “Political Prisoners in Minsk Courts”, was sent from a fraudulent Gmail account and hosted on Google Drive.
Inside the document lurked an obfuscated VBA macro that, when executed, deployed a malicious payload disguised as an audio driver. The malware used advanced evasion techniques, including self-modifying code and memory obfuscation, to help it fly under the radar.
Notably, the decoy document aped data that is publicly available through Belarusian human rights entities to add credibility to the attack. Researchers speculate that the timing of this attack—not long before Belarus’s presidential election—is a deliberate attempt to target political opponents.
Another document, labeled “Anti-Corruption Initiative”, was aimed at Ukrainian government personnel. In this instance, similar techniques were used, and a ConfuserEx-protected .NET-based malware downloader was deployed.
The malware attempted to retrieve a secondary payload from an attacker-controlled domain, a sign of a multi-stage infection process.
Evolving Tactics and Infrastructure
While Ghostwriter’s latest campaign is similar to previous operations in many ways, it introduces new techniques. The malefactors employed:
- Multi-layered obfuscation: The use of ConfuserEx and Macropack to protect malicious scripts.
- Decoy documents: Convincing fake spreadsheets containing real-world information to lure victims.
- Targeted payload delivery: Secondary malware payloads are likely distributed only to specific victims based on geolocation and system profiling.
The infrastructure behind the campaign also reveals evolution—SentinelLABS identified multiple command-and-control (C2) servers and observed activity linking the operation to previously known Ghostwriter domains. The use of deceptive top-level domains (TLDs) and apparently legitimate images from public websites is another way the threat actors tried to evade detection.
Ongoing Threat and Attribution
Considering the sophistication of the malware and the way it targets Belarusian opposition and Ukrainian entities, SentinelLABS attributes this campaign to Ghostwriter with high confidence.
The group’s ongoing focus on regional political and military themes suggests alignment with Belarusian state interests.
Certain attack components remain under analysis, but the evidence so far indicates an adaptive adversary with deep pockets. Considering the ongoing geopolitical tensions in the region, researchers warn that similar campaigns could escalate in the coming months.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.