Ghostwriter Uses Geofenced PDFs to Deploy Cobalt Strike

Belarus-linked Ghostwriter used IP-gated PDF lures impersonating Ukrtelecom to deliver a JavaScript PicassoLoader that can stage Cobalt Strike beacons to Ukrainian targets.

Researchers at ESET reported that the Belarus-aligned threat group Ghostwriter used geofenced PDF phishing to target Ukrainian government and defense agencies beginning in March 2026. The malicious PDFs impersonated the Ukrainian telecom Ukrtelecom and contained links that fetched a RAR archive with a JavaScript payload.

When a recipient opened the JavaScript file from the archive, it displayed a decoy document while running a JavaScript version of PicassoLoader in the background. That loader profiles the host, transmits a system fingerprint to attacker-controlled servers every ten minutes, and can prompt operators to deliver a third-stage JavaScript dropper that launches a Cobalt Strike Beacon.

The campaign includes server-side checks that validate the requesting user agent and IP address. If the request does not originate from within Ukraine, the server returns a benign PDF.
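The ten-minute fingerprint reporting described above is a behaviour defenders can look for in proxy logs. The following is an added example written for this page, not code from ESET or from the article: it groups requests by source and destination and flags pairs whose request gaps cluster around a fixed period. The log format, host names, IPs and tolerance values are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the ESET report): "timestamp src_ip dest_host path"
SAMPLE_LOG = """\
2026-03-12T09:00:02Z 10.1.4.23 cdn.example.invalid /api/check
2026-03-12T09:10:01Z 10.1.4.23 cdn.example.invalid /api/check
2026-03-12T09:20:03Z 10.1.4.23 cdn.example.invalid /api/check
2026-03-12T09:30:02Z 10.1.4.23 cdn.example.invalid /api/check
2026-03-12T09:40:00Z 10.1.4.23 cdn.example.invalid /api/check
2026-03-12T09:01:15Z 10.1.4.23 news.example.invalid /index.html
2026-03-12T09:07:40Z 10.1.4.23 news.example.invalid /story/42
2026-03-12T09:33:09Z 10.1.4.23 news.example.invalid /story/77
2026-03-12T09:05:00Z 10.1.4.50 updates.example.invalid /ping
2026-03-12T09:15:00Z 10.1.4.50 updates.example.invalid /ping
"""

def parse(log_text):
    """Yield (src, host, path, datetime) per line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, host, path = parts
        yield src, host, path, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_periodic(log_text, period_s=600, tolerance_s=30, min_hits=4):
    """Return [(src, host, count, mean_gap_s)] for src->host pairs whose request gaps
    cluster around period_s (default 600 s, the reporting interval ESET describes)."""
    by_pair = defaultdict(list)
    for src, host, _path, when in parse(log_text):
        by_pair[(src, host)].append(when)
    hits = []
    for (src, host), times in by_pair.items():
        if len(times) < min_hits:          # too few requests to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        spread = statistics.pstdev(gaps)   # low spread = regular, timer-driven traffic
        if abs(mean - period_s) <= tolerance_s and spread <= tolerance_s:
            hits.append((src, host, len(times), round(mean)))
    return hits

if __name__ == "__main__":
    for src, host, n, mean in find_periodic(SAMPLE_LOG):
        print(f"{src} -> {host}: {n} requests, mean gap {mean}s")
```

Ordinary browsing (the news host) and short-lived pairs fall below the hit threshold, while the regular ten-minute check-ins are reported.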

ESET researcher Damien Schaeffer, using ESET's name for the group, FrostyNeighbor, wrote: “FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms.” ESET also reported that payload delivery combines automated victim validation with manual operator review.

Ghostwriter has used PicassoLoader in earlier campaigns to deliver Cobalt Strike and other malware. In late 2023 the group exploited a WinRAR vulnerability tracked as CVE-2023-38831 to deploy PicassoLoader and Cobalt Strike.

CERT Polska reported a 2024 campaign that abused a Roundcube cross-site scripting flaw tracked as CVE-2024-42009 to run malicious JavaScript, harvest email credentials and use compromised accounts to send additional phishing messages. Toward the end of 2025 operators added a dynamic CAPTCHA anti-analysis technique to trigger the attack chain only for real victims.

The recent activity in Ukraine primarily targeted military, defense and government organizations. Campaigns observed in Poland and Lithuania reached industrial and manufacturing firms, healthcare and pharmaceutical organizations, logistics providers and government offices.

Separately, HarfangLab linked a Russia-affiliated group known as Gamaredon to a spear-phishing campaign that began in September 2025 and delivered GammaDrop and GammaLoad downloaders inside RAR archives exploiting CVE-2025-8088. HarfangLab described those attacks as multi-stage VBScript downloaders that profile infected systems and noted the group’s sustained operational tempo.

Kaspersky reported attacks attributed to a pro-Ukraine group called BO Team working with Head Mare. Those campaigns used BrockenDoor and ZeronetKit, and researchers identified a previously undocumented Go-based backdoor named ZeroSSH that can run commands via cmd.exe and establish a reverse SSH channel. Up to 20 organizations were targeted in the first quarter of 2026.

F6 reported that a financially motivated group tracked as Hive0117 ran phishing campaigns against more than 3,000 Russian organizations between February and March 2026. The campaigns used invoice-themed lures and RAR archives to drop a remote access trojan called DarkWatchman, then enabled payroll-style transfers to mule accounts that resulted in thefts totaling over 14 million rubles.

Researchers noted that the set of incidents in Eastern Europe involved phishing, exploitation of known vulnerabilities and multi-stage loaders to gain and maintain access to targeted networks.