Ghostwriter hackers target Ukrainian government agencies with geofenced phishing attacks

The Belarus-linked cyber espionage group known as Ghostwriter has launched a new phishing campaign targeting Ukrainian government organizations using carefully crafted PDF lures and geofenced malware delivery techniques, researchers say.

Security researchers at ESET attributed the attacks to the threat group also tracked as FrostyNeighbor, UNC1151, UAC-0057, Storm-0257, and White Lynx. The group has been active since at least 2016 and is widely believed to operate on behalf of Belarusian state interests.

According to ESET, the latest attacks began in March 2026 and focused primarily on Ukrainian government institutions and entities located in Eastern Europe. Victims received phishing emails containing PDF documents disguised as legitimate communications from Ukrainian telecommunications provider Ukrtelecom.

The campaign used a geofencing mechanism to selectively deploy malware only to intended targets. When recipients clicked embedded links inside the PDF files, attackers first checked the victim’s IP address. If the user appeared to be located inside Ukraine, the server delivered a malicious RAR archive instead of a harmless decoy file.
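Geofenced delivery of this kind is easy to miss when a sandbox or an analyst fetches the link from outside the target country and only ever sees the decoy. The following Python is an added example, not code from ESET or from the article: it assumes an analyst has retrieved the same link from egress points in several countries and compares the magic bytes of what came back, flagging the vantage points that were served an archive instead of the decoy document. The sample fetches are constructed.

```python
from dataclasses import dataclass

# Both RAR4 and RAR5 archives begin with this 6-byte prefix (RAR5 adds a
# further 0x01 0x00); PDFs begin with "%PDF".
RAR_MAGIC = b"Rar!\x1a\x07"
PDF_MAGIC = b"%PDF"


@dataclass
class Fetch:
    vantage_country: str   # ISO country code of the egress IP used for the fetch
    content_type: str      # Content-Type header the server returned
    body_prefix: bytes     # first bytes of the response body


def classify(body: bytes) -> str:
    """Classify a response by file signature rather than by the header,
    because the header is under the attacker's control."""
    if body.startswith(RAR_MAGIC):
        return "rar"
    if body.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def geofence_report(fetches: list[Fetch]) -> dict:
    """Group vantage points by what the server actually served them.

    A single URL returning different file types to different countries is
    the signature of geofenced delivery; the countries that received an
    archive are the ones the operator was targeting."""
    by_kind: dict[str, set[str]] = {}
    header_mismatch: list[str] = []
    for f in fetches:
        kind = classify(f.body_prefix)
        by_kind.setdefault(kind, set()).add(f.vantage_country)
        # A body whose signature disagrees with the declared type is itself a flag.
        if kind == "rar" and "rar" not in f.content_type.lower():
            header_mismatch.append(f.vantage_country)
    return {
        "geofenced": len(by_kind) > 1,
        "served": {k: sorted(v) for k, v in by_kind.items()},
        "archive_served_to": sorted(by_kind.get("rar", set())),
        "header_mismatch": sorted(header_mismatch),
    }


# Constructed fetches of one link from three vantage points.
SAMPLE_FETCHES = [
    Fetch("UA", "application/pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8),
    Fetch("DE", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    Fetch("US", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
]
```

Run `geofence_report(SAMPLE_FETCHES)` to see the UA vantage point singled out as the only one that received an archive, with the lying Content-Type header reported separately.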

The archive contained PicassoLoader, a malware loader frequently associated with Ghostwriter operations. Once executed, PicassoLoader deployed additional payloads, including Cobalt Strike Beacon and njRAT, tools commonly used for espionage, remote access, and lateral movement inside compromised networks.

Researchers said the group has continuously modified its attack chain and malware infrastructure to avoid detection. ESET noted that FrostyNeighbor regularly updates its compromise techniques, delivery methods, and tooling while maintaining a long-running focus on Eastern European targets.

The campaign also relied on DLL sideloading and updated PowerShell-based tooling designed to blend malicious activity with legitimate system behavior. Previous Ghostwriter operations similarly used weaponized Excel documents, malicious macros, and WinRAR exploits to deliver malware against Ukrainian military and government entities.

Ghostwriter has been repeatedly linked to cyber espionage and disinformation operations targeting Ukraine, Poland, Lithuania, Latvia, and other European countries. Security agencies and researchers have accused the group of combining phishing attacks with influence campaigns aimed at spreading false narratives and destabilizing regional governments.

During Russia’s invasion of Ukraine, Ghostwriter activity intensified significantly. Ukrainian authorities, Microsoft, Google, Meta, and multiple cybersecurity firms previously warned that the group targeted military personnel, government officials, journalists, and public figures using credential theft campaigns and malware attacks.

Researchers say the new campaign demonstrates a growing level of operational precision. By geofencing payload delivery, attackers reduce the chance of malware being analyzed by researchers or accidentally infecting unintended victims outside the target region.