Ghostwriter APT Deploys Cobalt Strike in Geofenced Ukraine Campaign

ESET documented a Ghostwriter spear-phishing campaign using geofenced PDFs to deliver Cobalt Strike against Ukrainian and Polish government targets since March 2026.

    ESET researchers published analysis of an active Ghostwriter spear-phishing campaign targeting Ukrainian government, military, and defense entities alongside Polish industrial, healthcare, logistics, and government organizations. The Belarus-aligned APT, also tracked as FrostyNeighbor, UNC1151, and Storm-0257, uses IP-based geofencing to serve malicious content only to victims located in the target countries, showing a benign PDF to anyone connecting from outside the geographic target zone, and deploys Cobalt Strike Beacon only on machines that its operators have manually validated.

    Ghostwriter Uses Geofenced PDFs and CAPTCHA Blocks to Frustrate Analysis

    The campaign begins with spear-phishing emails impersonating Ukrainian telecommunications company Ukrtelecom, carrying malicious PDF attachments. Embedded links within the PDFs direct victims to attacker-controlled infrastructure that delivers RAR archives containing JavaScript payloads. Once the JavaScript executes, it drops PicassoLoader — a downloader and dropper — in the background while displaying a decoy PDF to the victim.

    The IP-based geofencing mechanism is central to the campaign's evasion strategy. Victims connecting from IP addresses outside Ukraine or Poland receive a benign PDF instead of the malicious payload, so an analyst or sandbox whose traffic egresses from outside those countries never receives the malicious stage and cannot replicate the full attack chain. ESET researchers also noted that Ghostwriter introduced a CAPTCHA-based anti-analysis technique in late 2025, which stops automated analysis tools from progressing past the initial stage of the attack.
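The practical consequence of geofencing is that a single fetch from one location tells you nothing about what the link serves to a victim. The following is an added example, not ESET's or Ghostwriter's code: it models a geofenced server with a stand-in `serve_for_ip` function and then probes the same URL from several vantage IPs, comparing the file type and hash of each response to decide whether the content is geo-dependent. The IP-to-country table, the vantage addresses (RFC 5737 documentation ranges), and the payload bytes are all constructed for the example; in practice `fetch` would issue real requests through proxies or hosts located in the target countries.

```python
"""Added example: probing a suspected geofenced download from several egress
locations and comparing what each one receives.

serve_for_ip is a constructed stand-in for the attacker's server; the country
table, vantage IPs and payload bytes are all assumptions made for this example.
"""
import hashlib
import ipaddress

# Constructed country table standing in for a GeoIP lookup (assumption).
# RFC 5737 documentation ranges are used so no real network is implied.
PREFIX_TO_COUNTRY = {
    "192.0.2.0/24": "UA",
    "198.51.100.0/24": "PL",
    "203.0.113.0/24": "US",
}

# Constructed payloads: a minimal decoy PDF and a RAR5 archive signature.
BENIGN_PDF = b"%PDF-1.4\n% decoy document\n"
RAR_ARCHIVE = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8


def country_for_ip(ip: str) -> str:
    """Map an IP to a country code using the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in PREFIX_TO_COUNTRY.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def serve_for_ip(client_ip: str) -> bytes:
    """Stand-in for a geofenced server: archive for targets, decoy for everyone else."""
    if country_for_ip(client_ip) in ("UA", "PL"):
        return RAR_ARCHIVE
    return BENIGN_PDF


def file_type(data: bytes) -> str:
    """Classify a response by magic bytes rather than by Content-Type or extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if data.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "html"
    return "unknown"


def geofence_probe(fetch, vantages):
    """Fetch the same URL from each vantage IP and report whether responses diverge.

    fetch(ip) -> bytes is supplied by the caller; here it is the stand-in server.
    """
    per_vantage = {}
    for ip in vantages:
        data = fetch(ip)
        per_vantage[ip] = {
            "country": country_for_ip(ip),
            "type": file_type(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    digests = {r["sha256"] for r in per_vantage.values()}
    return {"geo_dependent": len(digests) > 1, "per_vantage": per_vantage}


if __name__ == "__main__":
    report = geofence_probe(serve_for_ip, ["192.0.2.10", "198.51.100.20", "203.0.113.30"])
    print("geo-dependent:", report["geo_dependent"])
    for ip, r in report["per_vantage"].items():
        print(f"  {ip} ({r['country']}): {r['type']} {r['sha256'][:16]}...")
```

Any divergence in hash or file type across vantages is the signal: a link that returns a PDF from one country and an archive from another is geofenced regardless of what the decoy looks like. The same comparison also catches servers that serve different content per User-Agent or after a CAPTCHA, if those dimensions are added to the probe.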

    PicassoLoader and Cobalt Strike Beacon as the Two-Stage Post-Exploitation Chain

    PicassoLoader functions as the first-stage component, executing in the background while the lure document is displayed. It fingerprints the host environment and checks in with attacker infrastructure every 10 minutes. Rather than deploying additional payloads automatically, the campaign relies on manual operator validation: Ghostwriter operators review each check-in and decide whether to advance the intrusion. Only on validated targets, those confirmed to be genuine high-value victims rather than sandboxes or researchers, does the infrastructure deliver Cobalt Strike Beacon.

    Cobalt Strike is a commercial adversary-simulation framework and Beacon is its implant; it is widely used by both red teams and threat actors for command and control, lateral movement, credential access, and data staging. Its deployment marks the transition from initial compromise to hands-on-keyboard attacker operations. The manual validation step before Beacon deployment adds operational security for the group, since the second-stage tooling and its C2 infrastructure are exposed only to verified victims.

    Campaign Active Since March 2026 Targeting Five Sectors in Poland and Ukraine

    ESET documented Ghostwriter activity in this campaign starting from at least March 2026. Ukrainian targets include government agencies, military units, and defense sector organizations. Polish targets span industrial companies, healthcare organizations, logistics firms, and government bodies — a cross-sector targeting pattern consistent with intelligence collection objectives rather than financially motivated attacks.

    Ghostwriter has maintained continuous operational activity since 2016. The group has regularly updated its toolset and expanded its activity beyond intrusion into influence operations, hack-and-leak campaigns, and disinformation efforts across Ukraine, Poland, and the Baltic states. ESET assessed the attribution with moderate-to-high confidence based on documented Ghostwriter tactics, techniques, and procedures and historical operational patterns consistent with Belarus-aligned interests.

    ESET Attribution and Indicators for Defending Against Ghostwriter’s Phishing Chain

    ESET researchers based their attribution to Ghostwriter on the consistency of observed TTPs with the group’s documented operational signature, including the specific use of PicassoLoader, geofencing, and Cobalt Strike in combination, and the focus on Ukrainian and Polish targets aligned with Belarus state interests.

    Defenders in sectors targeted by the campaign, Ukrainian government and defense and Polish healthcare, logistics, and industrial organizations, should treat unsolicited emails purporting to originate from Ukrtelecom with elevated scrutiny however convincing the sender spoofing. PicassoLoader's 10-minute check-in is a regular, low-jitter pattern that should be visible in endpoint and network telemetry before any Cobalt Strike Beacon is delivered, which gives defenders a window to contain the host before the operator advances the intrusion. Email and web controls that follow the links embedded in PDF attachments and inspect the RAR archives they fetch, together with sandbox environments whose egress IP is geolocated in the target country (a sandbox egressing elsewhere receives only the benign PDF), are recommended for detection coverage against geofenced campaigns of this type.
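The 10-minute check-in described for PicassoLoader above, and the recommendation here that it should be visible in telemetry, both come down to the same detection: finding source/destination pairs whose inter-arrival times are nearly constant. The following is an added example, not ESET's code or a vendor rule: it parses constructed proxy log lines, computes the gaps between successive connections for each (source, destination) pair, and flags pairs whose gaps cluster tightly around one median. The log format, every log line, and the `min_events` and `max_jitter_ratio` thresholds are assumptions for the example.

```python
"""Added example: flagging hosts that contact the same destination at a regular
interval, the telemetry pattern a fixed 10-minute check-in leaves behind.

The log format and every line below are constructed for this example; the
thresholds are assumptions to tune against real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.5.23 checks in with cdn-update.example roughly every 600 s;
# the mail traffic is irregular and should not be flagged.
SAMPLE_LOG = """\
2026-04-01T09:00:02Z 10.0.5.23 cdn-update.example 412
2026-04-01T09:03:17Z 10.0.5.23 mail.example 8820
2026-04-01T09:10:05Z 10.0.5.23 cdn-update.example 409
2026-04-01T09:20:01Z 10.0.5.23 cdn-update.example 415
2026-04-01T09:30:04Z 10.0.5.23 cdn-update.example 411
2026-04-01T09:40:02Z 10.0.5.23 cdn-update.example 410
2026-04-01T09:50:06Z 10.0.5.23 cdn-update.example 413
2026-04-01T09:01:11Z 10.0.5.40 mail.example 9133
2026-04-01T09:25:48Z 10.0.5.40 mail.example 7720
2026-04-01T09:44:03Z 10.0.5.40 mail.example 10404
2026-04-01T09:59:30Z 10.0.5.40 mail.example 6011
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(text, min_events=5, max_jitter_ratio=0.05):
    """Return (src, dst, median_interval_s, jitter_ratio) for pairs whose
    inter-arrival gaps all lie within max_jitter_ratio of their median.

    min_events and max_jitter_ratio are assumed starting values, not
    thresholds from the ESET report.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = max(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter_ratio:
            hits.append((src, dst, med, round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {interval:.0f}s (jitter {jitter:.1%})")
```

On the constructed log this reports only `10.0.5.23 -> cdn-update.example` at a 603-second median with about 1% jitter. A fixed-interval loader check-in is the easy case; Cobalt Strike Beacon itself is usually configured with a sleep jitter, so the ratio must be raised for that stage, and legitimate update or telemetry agents beacon regularly too, so hits are a triage lead to be matched against the process that made the connection and an allowlist of known update hosts, not an alert on their own.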
