An actor aligned with Belarus, known publicly as Ghostwriter (also tracked as FrostyNeighbor, PUSHCHA, Storm-0257, TA445, Umbral Bison / RepeatingUmbra and UNC1151, among other names), has reactivated a series of campaigns directed against government and defence institutions in Ukraine, according to recent analysis shared with the media and with vendor research labs. These operations, active since at least 2016, show a steady evolution in methods and tooling: from the use of PicassoLoader and Cobalt Strike to the exploitation of vulnerabilities in WinRAR (CVE-2023-38831) and Roundcube webmail (CVE-2024-42009).
What distinguishes this group is not only its persistence over time but its operational maturity. The attackers combine server-side validation to avoid delivering malicious payloads to off-target visitors (geofencing), use dynamic CAPTCHAs as an anti-analysis technique, and manually select high-value victims after collecting system fingerprints. The typical flow observed since March 2026 uses decoy PDFs containing links to RAR archives; these RARs carry JavaScript payloads that run a version of PicassoLoader to ultimately deploy a Cobalt Strike Beacon on the systems of interest.

Beyond the main objective in Ukraine, earlier and parallel campaigns have affected Poland, Lithuania and other countries in the region, with a broader victimology covering the industrial, healthcare and logistics sectors. The strategy of compromising legitimate mail accounts and using them to send new phishing messages increases the risk: a single hijacked mailbox can become a platform for chained compromise, allowing internal reconnaissance, exfiltration of contacts and escalation of access.
These tactics fit into a broader context in which state or state-aligned groups, criminal actors and hacktivists operate with different but often overlapping objectives: to disrupt, to spy or to profit. Recent reports have highlighted Gamaredon's campaigns against Ukrainian institutions, pro-Ukrainian hacktivist operations against Russian targets, and financial scams that abuse compromised accounts to divert payments.
For defenders and security officers, this has several practical implications. First, the combination of convincing lures and server-side validation complicates traditional analysis, because many samples do not serve the payload when they are fetched from IP addresses or user agents outside the target profile. Second, the existence of multiple stages (JavaScript dropper → loader → Beacon) requires detection at several levels: analysis of attachments and links, browser and JavaScript instrumentation, endpoint behaviour and persistent network telemetry.
Specific recommendations start with closing the known operating vectors: apply patches and mitigations for components such as WinRAR and Roundcube, review configurations and update to versions that no longer carry the related vulnerabilities. For official references on the above vulnerabilities, see the entries in the national vulnerability database: CVE-2023-38831 and CVE-2024-42009.
In parallel, strengthen protection at the perimeter and in mail: enforce mandatory multi-factor authentication, implement SPF/DKIM/DMARC policies with active monitoring, disable or restrict code execution from compressed archives or embedded documents, and use link and attachment sandboxing. EDR instrumentation with behavioural detection (for example, a script host or PowerShell launched from a RAR extraction, or processes that open persistent connections to unusual domains) increases the probability of early detection.
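The endpoint-side part of the layered detection described above (a JavaScript dropper run from a RAR extraction, then a loader spawned beneath it) can be expressed as a small process-chain rule. The following is an added example written for this article, not code from any vendor product or from the research cited; the process events are constructed, and the Sysmon-style field names (pid, ppid, image, parent_image, cmdline) and the WinRAR temporary-extraction path pattern are assumptions.

```python
"""
Added example: process-chain detection for the script-from-RAR stage.
Events below are constructed; field names mimic Sysmon-style process creation
records and the Rar$ temp path layout is an assumption, not a vendor schema.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe"}
CHILD_LOADERS = SCRIPT_HOSTS | {"rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Assumed layout: WinRAR unpacks a double-clicked entry into %TEMP%\Rar$<tag><pid>.<n>\ before opening it.
RAR_TEMP_RE = re.compile(r"\\temp\\rar\$[a-z]+\d+\.\d+\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_from_archive(ev):
    """Stage 1: a script host started by an archiver, or pointed at a script inside a RAR temp dir."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev.get("cmdline", "")
    parent_is_archiver = basename(ev.get("parent_image", "")) in ARCHIVERS
    script_in_rar_temp = bool(RAR_TEMP_RE.search(cmd) and SCRIPT_EXT_RE.search(cmd))
    return parent_is_archiver or script_in_rar_temp


def detect(events):
    """Return alerts in event order: stage-1 hits plus any interpreter or loader spawned beneath one."""
    alerts, suspicious_pids = [], set()
    for ev in events:
        if is_script_from_archive(ev):
            suspicious_pids.add(ev["pid"])
            alerts.append({"stage": "script-from-archive", "pid": ev["pid"], "image": basename(ev["image"])})
        elif ev.get("ppid") in suspicious_pids and basename(ev["image"]) in CHILD_LOADERS:
            suspicious_pids.add(ev["pid"])  # keep following the chain downwards
            alerts.append({"stage": "child-of-script-host", "pid": ev["pid"], "image": basename(ev["image"])})
    return alerts


SAMPLE_EVENTS = [  # constructed for the example
    {"pid": 4100, "ppid": 600, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\invitation.rar"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Rar$DIa4100.12345\invitation.pdf.js"'},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage2.ps1"},
    # benign: an administrator script and a logon script, both launched from Explorer
    {"pid": 5000, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 5100, "ppid": 600, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"wscript.exe C:\Users\u\Documents\logon.vbs"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it flags only the wscript.exe launched by WinRAR and the PowerShell child beneath it; the two Explorer-launched scripts produce nothing. In a real EDR the same two conditions (archiver parent, or a script path under the archiver's temp directory) map directly onto a process-creation rule, and the parent-child chaining is what lets the loader stage be caught even when the first-stage script evades static inspection.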

On the network, monitor for and block known IOCs and the beaconing patterns associated with payloads such as Cobalt Strike; restrict outbound traffic to authorised destinations and apply segmentation to limit lateral movement. For organisations operating in the defence and public-administration environment, consider additional controls such as application allowlisting and rigorous reviews of privileges and remote access.
If you suspect a compromise, act with immediate containment: isolate the affected machines, preserve logs and evidence, rotate compromised credentials and conduct a thorough hunt for exfiltration and for accounts used to pivot. Coordinate the response with national cybersecurity authorities and intelligence providers, and share TTPs and artefacts to improve collective detection.
The relationship between state operations, hacktivism and organised crime in the region shows that cybersecurity is no longer only a technical issue but a geopolitical and economic one. To maintain an effective defensive posture, organisations and suppliers must combine diligent patching, multi-layer monitoring and sector collaboration. For the technical coverage and analysis published on these campaigns, see the specialised press and vendor analyses: The Hacker News and research reports from the security ecosystem such as those published by ESET on WeLiveSecurity.
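The beaconing pattern mentioned above is detectable from connection logs even when the destination is not on any IOC list: Cobalt Strike Beacon sleeps for a configured interval (60 seconds by default) minus a random jitter percentage, so callbacks to one destination show many near-identical gaps. The script below is an added example for this article, not code from the research cited; the log format, thresholds, addresses and the interval series are constructed assumptions.

```python
"""
Added example: interval-regularity scoring over constructed outbound connection logs.
Flows with many connections and a low coefficient of variation of the gaps between
them are reported as beacon candidates. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

MIN_CONNECTIONS = 8   # enough samples for the gap statistics to mean something
MAX_CV = 0.25         # std/mean of gaps; a 0-20 % jitter setting stays well below this


def parse_line(line):
    """Assumed format: '<ISO-8601 UTC timestamp> <src_ip> -> <dst_ip>:<port>'."""
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst


def beacon_candidates(lines, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Group by (src, dst), compute inter-connection gaps, flag flows with low relative jitter."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        flows[(src, dst)].append(ts)
    flagged = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[key] = {"count": len(stamps), "mean_gap_s": avg, "cv": cv}
    return flagged


def make_lines(src, dst, start, gaps):
    """Build constructed log lines: one connection at `start`, then one after each gap."""
    lines, t = [], start
    for g in [0] + list(gaps):
        t += timedelta(seconds=g)
        lines.append(f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} -> {dst}")
    return lines


T0 = datetime(2026, 3, 12, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (  # constructed: a 60 s sleep with up to 15 % jitter, a bursty benign flow, and a sparse one
    make_lines("10.0.0.5", "203.0.113.10:443", T0, [60, 54, 57, 51, 59, 53, 56, 58, 52, 55, 60, 54])
    + make_lines("10.0.0.7", "198.51.100.20:443", T0, [3, 420, 7, 1300, 2, 95, 600, 11, 2400])
    + make_lines("10.0.0.9", "198.51.100.30:443", T0, [60, 60])   # too few connections to judge
)

if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"mean gap {stats['mean_gap_s']:.1f} s, cv {stats['cv']:.3f}")
```

Only the first flow is reported: its gaps vary by a few seconds around 56 s, while the human-driven second flow has gaps spanning seconds to tens of minutes and the third has too few connections to score. In production the same statistic is computed per flow over proxy, firewall or NetFlow records, and known-regular destinations (update servers, telemetry endpoints) are allowlisted first to keep the candidate list short.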