PicassoLoader JavaScript Variant

The threat group known as Ghostwriter has been linked to a new wave of cyberattacks targeting governmental organizations in Ukraine. Active since at least 2016, the group has built a reputation for conducting both cyber espionage and influence campaigns across Eastern Europe, with a strong operational focus on Ukraine and neighboring states.

The threat actor is also tracked under several aliases, including FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx. Over the years, the group has continuously refined its infrastructure, attack chains, and evasion methods in an effort to bypass security controls and maintain long-term operational effectiveness.

Constantly Evolving Malware Arsenal

Ghostwriter has consistently modernized its malware ecosystem and delivery techniques. Earlier campaigns relied heavily on the PicassoLoader malware family, which functioned as a delivery mechanism for additional payloads such as Cobalt Strike Beacon and njRAT.

In late 2023, the group expanded its capabilities by exploiting the WinRAR vulnerability CVE-2023-38831 to distribute PicassoLoader and Cobalt Strike. The following year, Polish organizations became targets of a phishing campaign that abused a cross-site scripting flaw in Roundcube identified as CVE-2024-42009. The malicious activity enabled attackers to execute JavaScript capable of harvesting email credentials from victims.

Compromised accounts were later used to inspect mailbox contents, steal contact lists, and distribute additional phishing messages during June 2025. By the end of 2025, the group had also integrated advanced anti-analysis techniques into its operations. Certain lure documents began using dynamic CAPTCHA verification to selectively activate the malicious infection chain and frustrate automated analysis environments.

Sophisticated Spear-Phishing Campaigns Target Ukraine

Since March 2026, researchers have observed a new campaign directed at Ukrainian government institutions through spear-phishing emails carrying malicious PDF attachments. The decoy documents impersonate the Ukrainian telecommunications provider Ukrtelecom in an effort to appear legitimate and increase victim engagement.

The attack chain relies on embedded links within the PDF files that redirect victims to a malicious RAR archive containing a JavaScript-based payload. Once executed, the malware displays a decoy document to preserve the illusion of legitimacy while silently launching a JavaScript variant of PicassoLoader in the background. The loader subsequently deploys Cobalt Strike Beacon on compromised systems.

Geofencing and Victim Validation Enhance Stealth

One of the most notable aspects of the latest campaign is the implementation of geofencing and layered victim validation mechanisms. Systems connecting from IP addresses outside Ukraine receive harmless PDF content instead of the malicious payload, significantly reducing exposure to researchers and automated scanning systems.

The malware also performs extensive fingerprinting of compromised hosts before delivering additional payloads. Collected system information is transmitted to attacker-controlled infrastructure every ten minutes, enabling operators to manually determine whether a victim warrants further exploitation. Only after this validation process is complete does the infrastructure deliver a third-stage JavaScript dropper responsible for installing Cobalt Strike Beacon.

The operation combines automated filtering methods, including user-agent and IP-based verification, with manual operator review, which points to a disciplined and mature attack methodology.
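A defender-side illustration of the regular ten-minute check-in described above: this is an added example, not code from the original article or from any vendor tooling. It scans constructed proxy-log lines for source/destination pairs whose outbound requests recur at a steady, roughly ten-minute period; the host names, domains and timestamps are constructed placeholders.

```python
"""Flag regular outbound check-ins (e.g. a fingerprint upload every ~10 minutes)
in web-proxy logs. Added example; host names and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<iso_timestamp> <src_host> <dst_host>".
SAMPLE_LOG = """\
2026-03-10T09:00:02Z ws-17 stage.example-c2.invalid
2026-03-10T09:10:05Z ws-17 stage.example-c2.invalid
2026-03-10T09:20:01Z ws-17 stage.example-c2.invalid
2026-03-10T09:30:07Z ws-17 stage.example-c2.invalid
2026-03-10T09:40:03Z ws-17 stage.example-c2.invalid
2026-03-10T09:03:11Z ws-22 intranet.example.invalid
2026-03-10T09:07:45Z ws-22 intranet.example.invalid
2026-03-10T09:31:20Z ws-22 intranet.example.invalid
2026-03-10T09:32:02Z ws-22 intranet.example.invalid
"""

def parse_log(text):
    """Group request timestamps by (source host, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return series

def find_beacons(series, expected_s=600, tolerance=0.2, min_hits=4):
    """Return (src, dst, mean_gap_seconds) for pairs whose request gaps are
    both close to the expected period and low in jitter."""
    hits = []
    for (src, dst), times in series.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A mean near the expected period alone is not enough (ws-22 below
        # averages ~577 s by chance); the low-jitter test separates automated
        # check-ins from bursty human browsing.
        if abs(avg - expected_s) <= tolerance * expected_s and pstdev(gaps) <= tolerance * avg:
            hits.append((src, dst, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, avg in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: check-in every ~{avg}s")
```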

Regional Targeting Strategy Expands Across Eastern Europe

Current activity appears to focus primarily on military, defense, and governmental entities in Ukraine. However, operations attributed to Ghostwriter in Poland and Lithuania demonstrate a broader targeting strategy that extends into multiple critical sectors:

  • Industrial and manufacturing organizations
  • Healthcare and pharmaceutical institutions
  • Logistics providers
  • Government agencies

The continued evolution of Ghostwriter’s tooling, delivery mechanisms, and operational security practices underscores the group’s persistence and adaptability. Its ability to combine customized lure documents, selective payload delivery, anti-analysis techniques, and manual victim validation demonstrates a sophisticated cyber-espionage capability designed to evade detection while maximizing operational impact.