Ghostwriter Strikes Ukraine with Geofenced PDF Phishing

Ghostwriter Reemerges with Geofenced PDF Phishing Attacks on Ukraine
According to recent reports, the Belarus-aligned threat actor known as Ghostwriter has been implicated in a new wave of cyberattacks aimed at Ukrainian government entities. The group, active since at least 2016, is notorious for conducting both espionage and influence operations, primarily targeting neighboring countries like Ukraine. Ghostwriter operates under several aliases, including FrostyNeighbor, PUSHCHA, Storm-0257, TA445, and UAC-0057.
Geofenced PDFs and Cobalt Strike
The latest campaign leverages geofenced PDF files to deliver malicious payloads. These PDFs are designed to activate only when opened from specific geographic locations, likely to evade detection and focus on Ukrainian targets. Once triggered, the PDFs drop beacons for Cobalt Strike, a popular post-exploitation tool used for remote access and data exfiltration.
Implications and Attribution
This operation underscores Ghostwriter's persistent focus on Ukraine, aligning with broader geopolitical tensions. The use of geofencing indicates a sophisticated level of targeting, aiming to minimize exposure and increase the success rate of the phishing attempts. Security researchers continue to monitor the group's evolving tactics, as such activities pose significant risks to national security and critical infrastructure.