HackMyIP
2026-05-14 The Hacker News

Ghostwriter APT Targets Ukraine With Geofenced PDF Phishing Attacks

Tags: APT, Phishing, Malware

The Belarus-aligned threat group Ghostwriter, also tracked as FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx, has launched a fresh wave of attacks targeting Ukrainian government entities since March 2026. ESET researchers report that the threat actor is employing malicious PDFs impersonating Ukrainian telecommunications company Ukrtelecom as part of a sophisticated spear-phishing campaign. The attack chain incorporates geofencing checks that serve benign PDF content to victims whose IP addresses do not originate from Ukraine, effectively filtering out security researchers and non-target populations before delivering the malicious payload. Organizations concerned about exposure to similar threats can utilize VPN/proxy detector tools to identify potentially compromised network connections.

Once the geofencing check passes, the embedded link in the PDF delivers a RAR archive containing a JavaScript payload designed to display a lure document while silently executing the attack sequence. The final stage involves deployment of a JavaScript version of PicassoLoader, which serves as a conduit for Cobalt Strike Beacon—enabling persistent remote access and lateral movement within compromised networks. This latest compromise chain represents Ghostwriter's continued evolution, with the group regularly updating its toolset and delivery mechanisms to evade detection. ESET researcher Damien Schaeffer noted that FrostyNeighbor demonstrates "a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms."
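As an added example (not code from ESET's report or the article), here is the static triage step a defender can apply to a lure like the one described: pull every /URI link action out of a PDF and flag links that point at an archive or script rather than a web page. Because the campaign's geofence hands benign content to non-Ukrainian source addresses, fetching the link from an analysis network tells you little, so the check below relies only on what is embedded in the file. The PDF bytes and URLs are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF fragment standing in for a lure document: one /URI
# action written as a literal string and one as a hex string (both are legal
# PDF syntax). Not a real sample; the .invalid TLD is reserved for testing.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 200 30]\n"
    b"   /A << /S /URI /URI (https://billing-example.invalid/invoice.rar) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [10 40 200 60]\n"
    b"   /A << /S /URI /URI <68747470733a2f2f7777772e6578616d706c652e636f6d"
    b"2f686f6d652e68746d6c> >> >> endobj\n"
    b"%%EOF\n"
)

# Literal form: /URI ( ... ) with backslash escapes allowed inside.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^()\\])*)\)")
# Hex form: /URI < 68 74 ... >, whitespace permitted between digits.
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Extensions that have no business behind a "view your invoice" link.
ARCHIVE_OR_SCRIPT = (".rar", ".zip", ".7z", ".iso", ".js", ".jse", ".wsf", ".hta")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw PDF bytes.

    Literal strings are returned as written (escape sequences are not
    unescaped); hex strings are decoded. Works on uncompressed objects only.
    """
    uris = [m.group(1).decode("latin-1") for m in URI_LITERAL.finditer(pdf_bytes)]
    for m in URI_HEX.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF treats a trailing odd digit as if followed by 0
            hexstr += b"0"
        uris.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
    return uris


def suspicious_uris(uris: list[str]) -> list[str]:
    """Flag links whose URL path ends in an archive or script extension."""
    return [u for u in uris if urlparse(u).path.lower().endswith(ARCHIVE_OR_SCRIPT)]


if __name__ == "__main__":
    for uri in suspicious_uris(extract_uris(SAMPLE_PDF)):
        print("suspicious link action:", uri)
```

Link actions inside compressed object streams need to be inflated first (e.g. with a PDF parsing library) before this scan sees them.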

Ghostwriter has historically leveraged multiple exploitation vectors, including a WinRAR vulnerability (CVE-2023-38831, CVSS 7.8) in late 2023 and a critical Roundcube cross-site flaw (CVE-2024-42009, CVSS 9.3) targeting Polish entities in 2024. The group has also experimented with dynamic CAPTCHA checks as an anti-analysis technique to prevent sandbox detonation. Security teams can proactively assess their exposure by performing port scanner assessments and WHOIS lookup queries to identify potentially malicious infrastructure. The Ghostwriter campaign underscores the persistent and adaptive nature of state-sponsored APT operations targeting Eastern European government organizations.

Source: The Hacker News
