Ghostwriter Uses Geofenced PDF Phishing to Deliver Cobalt Strike to Ukrainian Government

Security Reporter

The Belarus‑aligned threat group Ghostwriter (aka FrostyNeighbor) has launched a new campaign against Ukrainian ministries, using geofenced malicious PDFs that drop a JavaScript version of PicassoLoader and ultimately a Cobalt Strike beacon. The attack chain includes IP‑based validation, dynamic CAPTCHAs, and host fingerprinting, showing the group’s continued operational maturity.


The latest activity from the Belarus‑aligned cyber‑espionage outfit known as Ghostwriter (also tracked as FrostyNeighbor, PUSHCHA, TA445, etc.) targets Ukrainian state agencies with a sophisticated PDF‑based spear‑phishing campaign. First observed in March 2026, the campaign blends geofencing, dynamic CAPTCHAs, and a multi‑stage loader chain that ultimately lands a Cobalt Strike beacon on the victim’s network.


How the attack works

  1. Email lure – The phishing email pretends to be a routine communication from Ukrtelecom, Ukraine’s national telecom provider. The attachment is a PDF that looks like a legitimate service notice.
  2. Geofencing check – When the PDF is opened, an embedded link contacts the attacker’s server. The server examines the request’s IP address and user‑agent. If the IP is outside Ukraine, a benign PDF is served, preventing analysis by researchers in other regions.
  3. RAR delivery – For Ukrainian IPs, the server returns a RAR archive containing a JavaScript payload. The archive is named to appear innocuous (e.g., Ukrtelecom_Update_2026.rar).
  4. Lure document – The JavaScript first renders a fake “update” document to keep the user engaged while it runs in the background.
  5. PicassoLoader drop – The script drops a JavaScript version of PicassoLoader, a modular loader that has been used by Ghostwriter since 2023 to fetch additional modules.
  6. Host profiling – Every ten minutes, the loader sends a concise fingerprint (OS version, installed browsers, language settings) to the command‑and‑control (C2) server. This data lets the operators decide whether to push a third‑stage payload.
  7. Cobalt Strike beacon – If the target matches the group’s criteria (typically military, defense, or high‑level government departments), the attackers deliver a Cobalt Strike beacon via a second JavaScript dropper. Once active, the beacon provides full remote‑execution capabilities, lateral movement tools, and credential‑dumping modules.

The entire chain is designed to avoid detection until the final payload is needed, reducing the chance of sandbox triggers and signature‑based alerts.


Why this matters

  • Geofencing adds a layer of operational security – By serving clean files to any IP outside Ukraine, Ghostwriter limits the exposure of its malicious infrastructure to security researchers and law‑enforcement outside the target region.
  • PicassoLoader continues to evolve – First seen delivering Cobalt Strike in 2023, the loader now supports JavaScript execution, making it harder to detect for traditional endpoint protection products that focus on compiled binaries.
  • Cobalt Strike remains the go‑to post‑exploitation framework – Its beacon can masquerade as legitimate traffic, and the modular nature allows the attackers to quickly adapt to defensive measures.
  • Target selection aligns with geopolitical objectives – The focus on Ukrainian ministries, especially defense and intelligence, mirrors the group’s historic alignment with Russian strategic interests.

Expert context

“FrostyNeighbor demonstrates a high level of operational maturity. The use of geofencing and dynamic CAPTCHAs shows they are actively trying to stay ahead of automated analysis platforms,” says Damien Schaeffer, senior malware researcher at ESET.

“While the technical novelty is modest, the combination of multiple evasion layers makes detection challenging. Organizations should treat any PDF from an unexpected source as suspicious, especially when it references local telecom providers,” adds HarfangLab analyst Marta Kowalska.


Practical takeaways for defenders

  1. Block or sandbox PDF files that contain external links – Modern PDF readers can be configured to disable link activation or to prompt the user before opening external URLs.
  2. Monitor for anomalous RAR traffic – The campaign uses RAR archives as a delivery vector. Look for spikes in outbound connections to known C2 domains after a RAR file is opened.
  3. Deploy JavaScript behavior monitoring – Since the loader runs as JavaScript, endpoint detection and response (EDR) solutions should watch for script execution that spawns network connections without a corresponding legitimate process.
  4. Enforce geolocation‑aware email filtering – If your organization receives emails that appear to be from local telecom providers, verify the sender through out‑of‑band channels, especially for users located in high‑risk regions.
  5. Leverage threat‑intel feeds for Cobalt Strike indicators – The beacon often uses default C2 patterns (e.g., *.cobaltstrike.com subdomains). Adding these IOCs to network detection rules can surface beacon traffic early.
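The chain described above (a PDF reader hands off to a script host running a .js file dropped from a RAR archive, which then checks in with the C2 every ten minutes) and takeaway 3 both point at the same telemetry. The following is an added example, not code from the article or from any vendor named in it: a small correlation over constructed EDR-style process and network events that flags a Windows script host launched under a PDF reader or archive tool with a .js argument, and separately flags any process whose outbound connections recur on a roughly ten-minute cadence. Process names, timestamps and destination addresses are constructed sample data.

```python
from collections import defaultdict
from statistics import median

# Added example (not from the article). Flags two things seen in the described
# chain: a script host running a .js file under a PDF reader or archive tool,
# and outbound connections recurring every ~10 minutes (the loader's
# host-profiling interval). All names and values below are constructed.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_PARENTS = {"acrord32.exe", "foxitreader.exe", "winrar.exe"}
BEACON_SECS, TOLERANCE = 600, 60  # expected check-in interval and allowed jitter

# Constructed events ("t" in seconds): pid 7 is spawned by the PDF reader, runs a
# .js from a temp extraction dir and beacons every ~10 min; pid 9 is a benign logon script.
EVENTS = [
    {"t": 0,    "type": "process", "pid": 5, "ppid": 1, "image": "acrord32.exe", "cmd": "acrord32.exe notice.pdf"},
    {"t": 30,   "type": "process", "pid": 7, "ppid": 5, "image": "wscript.exe", "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\Rar$DIa\update.js"},
    {"t": 40,   "type": "net", "pid": 7, "dst": "203.0.113.10"},
    {"t": 645,  "type": "net", "pid": 7, "dst": "203.0.113.10"},
    {"t": 1240, "type": "net", "pid": 7, "dst": "203.0.113.10"},
    {"t": 1850, "type": "net", "pid": 7, "dst": "203.0.113.10"},
    {"t": 50,   "type": "process", "pid": 9, "ppid": 1, "image": "wscript.exe", "cmd": r"wscript.exe \\fs\netlogon\logon.vbs"},
    {"t": 55,   "type": "net", "pid": 9, "dst": "10.0.0.5"},
]

def is_periodic(times, period=BEACON_SECS, tol=TOLERANCE):
    """True if at least three connections recur at roughly `period` seconds apart."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return abs(median(gaps) - period) <= tol

def find_suspicious(events):
    """Return {pid: [reasons]} for processes matching either detection rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns = defaultdict(list)  # pid -> list of connection timestamps
    for e in events:
        if e["type"] == "net":
            conns[e["pid"]].append(e["t"])
    findings = {}
    for pid, p in procs.items():
        reasons = []
        parent = procs.get(p["ppid"], {}).get("image", "")
        if (p["image"] in SCRIPT_HOSTS and p["cmd"].lower().endswith(".js")
                and parent in SUSPECT_PARENTS):
            reasons.append("js-from-" + parent)
        if is_periodic(sorted(conns[pid])):
            reasons.append("periodic-beacon")
        if reasons:
            findings[pid] = reasons
    return findings
```

Running `find_suspicious(EVENTS)` flags only pid 7, for both the parent-chain rule and the beacon-interval rule; real deployments would tune the interval and parent list to the loader variant in hand.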

Related activity

  • Gamaredon – The Russia‑aligned group has been running a parallel spear‑phishing campaign since September 2025, delivering the GammaDrop downloader via RAR archives that exploit CVE‑2025‑8088. Unlike Ghostwriter, Gamaredon relies on volume rather than targeted evasion.
  • BO Team & Head Mare – Kaspersky reports a possible collaboration between these pro‑Ukraine hacktivists, using BrockenDoor and a new Go‑based backdoor ZeroSSH to target Russian entities.
  • Hive0117 – A financially motivated group that has been stealing funds from Russian accountants by distributing invoice‑themed RAR attachments containing the DarkWatchman RAT.

Mitigation checklist

  • Disable automatic PDF link opening in corporate readers (e.g., Adobe Reader, Foxit).
  • Apply the latest patches for WinRAR (mitigates CVE‑2023‑38831) and Roundcube (mitigates CVE‑2024‑42009).
  • Enforce multi‑factor authentication for all privileged accounts, reducing the impact of credential‑theft.
  • Conduct regular phishing simulations that include geofenced PDF lures to test user awareness.
  • Integrate EDR solutions with script‑behavior analytics to flag JavaScript that contacts external C2 servers.

Bottom line: Ghostwriter’s new geofenced PDF campaign underscores the continuing evolution of state‑aligned threat actors. By combining location checks, dynamic CAPTCHAs, and a modular JavaScript loader, the group raises the bar for detection. Organizations in Ukraine—and any entity handling Ukrainian government data—should treat PDF attachments from unknown sources as high‑risk and apply layered defenses to disrupt the multi‑stage chain before a Cobalt Strike beacon can establish a foothold.
