
Source: SentinelLABS
SentinelLABS has detected a new wave of cyberattacks targeting Belarusian opposition figures, as well as Ukrainian military personnel and government institutions. The campaign, which began its preparatory phase in July–August 2024, entered full-scale execution between November and December. According to SentinelLABS, these attacks remain ongoing.
Experts have attributed the activity to Ghostwriter, a threat actor operating since 2016, previously documented under the designations UNC1151 (Mandiant) and UAC-0057 (CERT-UA). Ghostwriter employs a combination of social engineering and sophisticated hacking techniques, primarily directed against European nations.
The latest attacks were identified in early 2025. One of the malicious payloads was embedded in an Excel file titled “Political Prisoners (Minsk Courts)”, which was distributed via Google Drive as an email attachment from vladimir.nikiforeach@gmail[.]com. The document contained a macro that, once executed, downloaded an external library. The malware was disguised as a Realtek Audio driver, with its code obfuscated using ConfuserEx.
A second malicious document, “Zrazok.xls”, was crafted to mimic an anti-corruption initiative within Ukrainian government agencies. Like the previous attack, it contained a macro, but this time built with MacroPack, a tool favored by cybercriminals for concealing malicious code. When opened, the document initiated the download of a new malicious library, replacing a legitimate Excel file.
The third infected document, “Донесення 5 реч – зразок.xls”, posed as a logistical report for military supplies. Its structure mirrored the previous files: macros were used to download hidden malware, which subsequently established a connection with the attackers’ command-and-control servers.
SentinelLABS also identified several similar XLS files uploaded from Ukraine in February 2025, exhibiting identical attack mechanisms and using servers on .shop domains. A notable feature of Ghostwriter’s operations is its use of conditional execution triggers: malicious components are deployed only if specific criteria are met. For instance, the malware activates only when the victim’s IP address falls within Ukrainian network ranges; otherwise, a harmless image is downloaded instead.
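The chain described above (an Office macro fetching a library from a .shop domain, then loading a DLL disguised as a Realtek driver) can be correlated from endpoint telemetry. The following is an added detection example, not code from SentinelLABS or the report; the event field names are assumed to be Sysmon-like, and the sample events and file names are constructed.

```python
# Added example (not from the SentinelLABS report): correlate Office-process telemetry
# for the macro-download chain. Field names are assumed Sysmon-like; events are constructed.
from collections import defaultdict

OFFICE_PROCS = {"excel.exe", "winword.exe"}
SUSPICIOUS_TLDS = (".shop",)          # TLD called out in the report
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
# Constructed sample telemetry: pid 4120 contacts a .shop host and then loads a DLL
# dropped under the user profile (driver-like name); pid 5210 is a benign session.
EVENTS = [
    {"pid": 4120, "image": OFFICE, "type": "network",
     "dest_host": "update-cdn.example.shop", "dest_port": 443},
    {"pid": 4120, "image": OFFICE, "type": "image_load",
     "loaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\RtkAudUService64.dll"},
    {"pid": 5210, "image": OFFICE, "type": "network",
     "dest_host": "login.microsoftonline.com", "dest_port": 443},
    {"pid": 5210, "image": OFFICE, "type": "image_load",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
]


def basename(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_macro_download_chains(events):
    """Return one finding per Office process that contacted a suspicious TLD and
    afterwards loaded a DLL from a user-writable location (event order matters)."""
    by_pid = defaultdict(list)
    for ev in events:
        if basename(ev["image"]) in OFFICE_PROCS:
            by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        contacted = None  # suspicious host seen so far for this process
        for ev in evs:
            if ev["type"] == "network" and ev["dest_host"].lower().endswith(SUSPICIOUS_TLDS):
                contacted = ev["dest_host"]
            elif ev["type"] == "image_load" and contacted:
                loaded = ev["loaded"].lower()
                if loaded.endswith(".dll") and any(seg in loaded for seg in USER_WRITABLE):
                    findings.append({"pid": pid, "host": contacted, "dll": ev["loaded"]})
    return findings


if __name__ == "__main__":
    for f in find_macro_download_chains(EVENTS):
        print(f"pid {f['pid']}: contacted {f['host']} then loaded {f['dll']}")
```

Because the geofenced payload serves a benign image to out-of-range addresses, a detonation that shows only an image download is not evidence the document is clean; the process-level correlation above does not depend on which branch the server chose.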
Ghostwriter remains one of the most persistent cyber-espionage groups in Eastern Europe. Despite continued investigative efforts, its attacks are becoming increasingly sophisticated. Security researchers caution that similar tactics could soon be leveraged against other nations, underscoring the growing scale and adaptability of cyber threats.