Ghostwriter APT Resumes Spear‑Phishing Campaign Targeting Ukrainian Government Agencies
What Happened – ESET reports that the state‑aligned Ghostwriter (aka FrostyNeighbor, UNC1151, UAC‑0057) has re‑activated a spear‑phishing operation against Ukrainian government entities. The campaign, active since March 2026, delivers a malicious JavaScript‑based PicassoLoader payload via a PDF that appears to come from Ukrtelecom.
Why It Matters for TPRM –
- Demonstrates how nation‑state actors exploit trusted local brands to compromise third‑party suppliers and government partners.
- Highlights the risk of supply‑chain exposure for organizations that host or process Ukrainian public‑sector data.
- Shows the use of geo‑based delivery gating, making remote detection harder for non‑Ukrainian defenders.
Who Is Affected – Government ministries, public‑sector IT service providers, telecom operators, and any third‑party vendors supporting Ukrainian state infrastructure.
Recommended Actions –
- Review all Ukrainian‑related third‑party contracts for phishing‑resilience clauses.
- Enforce strict email attachment scanning and PDF sandboxing for all inbound communications.
- Verify that any remote access solutions used by Ukrainian partners enforce geo‑IP restrictions and multi‑factor authentication.
Technical Notes – The initial lure is a PDF named 53_7.03.2026_R.pdf impersonating Ukrtelecom. If the requester’s IP resolves to Ukraine, the server delivers a RAR containing a JavaScript file that runs PicassoLoader, a custom downloader that harvests system details and exfiltrates data via periodic HTTP POSTs. Attack vector: spear‑phishing with a malicious PDF; payload: JavaScript‑based downloader; no CVE referenced. Source: SecurityAffairs
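The periodic HTTP POST beaconing described above is a pattern defenders can hunt for in proxy or egress logs regardless of whether the geo‑gated payload can be retrieved. The following is an added example for this brief, not tooling from ESET, SecurityAffairs, or the Ghostwriter reporting; the log format, hostnames, and thresholds are assumptions.

```python
"""Flag hosts that POST to one destination at near-constant intervals,
the timer-driven exfiltration pattern attributed to PicassoLoader above.
Added example for this page; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (assumed format: ts src method host path bytes).
# 10.0.0.5 POSTs to one host every ~5 minutes; 10.0.0.7 is normal traffic.
SAMPLE_LOG = """\
2026-03-10T09:00:00 10.0.0.5 POST cdn.example.invalid /u 812
2026-03-10T09:00:05 10.0.0.7 GET news.example.invalid / 5120
2026-03-10T09:05:01 10.0.0.5 POST cdn.example.invalid /u 799
2026-03-10T09:10:00 10.0.0.5 POST cdn.example.invalid /u 820
2026-03-10T09:12:30 10.0.0.7 POST mail.example.invalid /send 20480
2026-03-10T09:15:02 10.0.0.5 POST cdn.example.invalid /u 805
2026-03-10T09:20:01 10.0.0.5 POST cdn.example.invalid /u 811
2026-03-10T09:40:00 10.0.0.7 POST mail.example.invalid /send 1024
"""

def parse(log: str):
    """Yield (timestamp, src, method, host, bytes) per whitespace-separated line."""
    for line in log.splitlines():
        ts, src, method, host, _path, size = line.split()
        yield datetime.fromisoformat(ts), src, method, host, int(size)

def find_beacons(log: str, min_posts: int = 4, max_jitter: float = 0.1):
    """Return [(src, host, mean_interval_s)] for POST series whose
    inter-request gaps have a low coefficient of variation (pstdev / mean).
    Interactive browsing has irregular gaps; a scheduled downloader does not."""
    series = defaultdict(list)
    for ts, src, method, host, _ in parse(log):
        if method == "POST":
            series[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in series.items():
        if len(stamps) < min_posts:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, host, round(avg)))
    return hits

if __name__ == "__main__":
    for src, host, period in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {host}: POST every ~{period}s")
```

Tune `min_posts` and `max_jitter` to the observed log volume; loaders that add random sleep between check-ins need a looser jitter bound, at the cost of more false positives from legitimate schedulers.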