{
	"id": "687bfd11-ee5b-4e53-b606-ac7043db178c",
	"created_at": "2026-04-06T00:19:09.927337Z",
	"updated_at": "2026-04-10T13:13:08.664007Z",
	"deleted_at": null,
	"sha1_hash": "20e756348ab1001b08a049d046bfa64d572b6368",
	"title": "Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10196476,
	"plain_text": "Ghostwriter | New Campaign Targets Ukrainian Government and\r\nBelarusian Opposition\r\nBy Tom Hegel\r\nPublished: 2025-02-25 · Archived: 2026-04-05 14:57:05 UTC\r\nExecutive Summary\r\nSentinelLABS has observed a campaign targeting opposition activists in Belarus as well as Ukrainian\r\nmilitary and government organizations.\r\nThe campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024.\r\nRecent malware samples and command-and-control (C2) infrastructure activity indicate that the operation\r\nremains active in recent days.\r\nSentinelLABS assesses that this cluster of threat activity is an extension of the long-running Ghostwriter\r\ncampaign identified in previous public reporting.\r\nGhostwriter | Background\r\nGhostwriter is a long-running campaign likely active since 2016 and subsequently described in various public\r\nreports throughout 2020 to 2024. The actor behind Ghostwriter campaigns is closely linked with Belarusian\r\ngovernment espionage efforts, while most commonly reported under the APT names UNC1151 (Mandiant) or\r\nUAC-0057 (CERT-UA). Some public reports may use the term “Ghostwriter APT” interchangeably to refer to\r\nboth the threat actor and its associated campaigns.\r\nPrevious research on the evolution of Ghostwriter noted how it operated successfully across a range of platforms,\r\nblending information manipulation with hacking to target a number of European countries. Reporting throughout\r\n2022 to 2024 described activity in which malicious Excel documents were used to deliver PicassoLoader and\r\nCobalt Strike payloads. 
Observed document lures were themed around issues pertaining to the Ukrainian military\r\nand the likely targeting of the Ministry of Defense.\r\nSentinelLABS has observed new activity with multiple weaponized Excel documents containing lures pertaining\r\nto the interests of the Ukrainian government, the Ukrainian military and the domestic Belarusian opposition. While some\r\nof the TTPs we have observed overlap with previous reporting, others are new, including adaptations of previously\r\nobserved payloads such as PicassoLoader.\r\nWeaponized XLS 1 | “Political Prisoners in Minsk Courts”\r\nSentinelLABS analyzed an attack that started with a Google Drive shared document landing in the target’s inbox.\r\nThe email originated from an account using the name “Vladimir Nikiforech”\r\n( vladimir.nikiforeach@gmail[.]com ). The email link pointed to a downloadable RAR archive, which according\r\nto the internal timestamps was created on 2025-01-14 00:47:54, containing a malicious Excel workbook\r\n( ebb30fd99c2e6cbae392c337df5876759e53730d ) with the file name политзаключенные (по судам минска).xls\r\n(“Political prisoners (across courts of Minsk).xls”).\r\nhttps://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/\r\nPage 1 of 14\n\nThe title of the lure indicates an interesting shift in Ghostwriter targeting. Although attribution for the 2021\r\nGhostwriter campaign pointed to the Belarus state, this is the first time we have seen lures directly aimed at\r\nthe Belarusian government’s opposition. 
The timing of the attack could have been motivated by the presidential election\r\nthat took place shortly after, on Jan 26, 2025.\r\nThe XLS document contains an obfuscated VBA macro which is activated when the document is opened and the\r\nuser allows Office macros to run.\r\nObfuscated macro inside the XLS spreadsheet\r\nOn execution, the macro writes a file to %Temp%\\Realtek(r)Audio.dll .\r\nThe DLL file is loaded with the following command line invocation:\r\nC:\\Windows\\System32\\regsvr32.exe /u /s \"C:\\Temp\\Realtek(r)Audio.dll\"\r\nThis starts the standard Windows process regsvr32.exe , which calls the DllUnregisterServer function\r\nimplemented inside the DLL (the /u switch selects unregistration and /s suppresses any dialog); the function then\r\nloads and executes the .NET assembly described next.\r\nAnalysis of the dropped DLL (internal name Dwnldr.dll ) shows that it is a DLL file with a .NET assembly embedded\r\ninside. The file is protected with ConfuserEx – a publicly available .NET obfuscator that has been observed in\r\nprevious Ghostwriter campaigns.\r\nThe DLL file hosts a payload that appears to be a simplified variant of PicassoDownloader, a malware family also\r\nlinked to Ghostwriter activity. The internal filename ( Dwnldr.dll ) was previously used by the Ghostwriter threat\r\nactor; however, this variant bears only high-level similarities to previous versions, with significant changes to the\r\nunderlying code, possibly to make it a cheaper and more expendable tool.\r\nAs a part of the application protection provided by the obfuscator, the Downloader creates a copy of itself in memory\r\nand then modifies it by decrypting additional code of the assembly. It also uses a clever evasion\r\ntechnique, altering its own PE header in memory and breaking internal links to the .NET assembly. 
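As an added illustration, not code from the SentinelLABS analysis, the following Python check models what a memory scanner can do about the header tampering just described. It parses the PE optional header for the CLR runtime data directory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, index 14) and flags an image whose CLR entry has been zeroed while the .NET metadata root signature (BSJB) is still present in the body. The page does not state which header fields the loader overwrites, so zeroing the CLR directory entry is an assumption chosen to illustrate this class of tampering; the sample images are constructed by the build_minimal_pe helper and are not the campaign samples.

```python
import struct

# Index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR runtime header) in the
# optional header's data directory table; every managed image has a non-zero entry.
CLR_DIRECTORY_INDEX = 14
# Signature that opens the .NET metadata root inside a managed image.
METADATA_SIGNATURE = b'BSJB'


def clr_directory(image):
    """Return (rva, size) of the CLR directory entry, or None if there is no
    well-formed PE header to read it from."""
    if len(image) < 0x40 or image[:2] != b'MZ':
        return None
    (e_lfanew,) = struct.unpack_from('<I', image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        return None
    (opt_size,) = struct.unpack_from('<H', image, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size == 0 or opt + opt_size > len(image):
        return None
    (magic,) = struct.unpack_from('<H', image, opt)
    if magic == 0x10B:          # PE32
        count_off, table_off = 92, 96
    elif magic == 0x20B:        # PE32+
        count_off, table_off = 108, 112
    else:
        return None
    (count,) = struct.unpack_from('<I', image, opt + count_off)
    entry = opt + table_off + 8 * CLR_DIRECTORY_INDEX
    if count <= CLR_DIRECTORY_INDEX or entry + 8 > opt + opt_size:
        return (0, 0)           # table too short to hold a CLR entry at all
    return struct.unpack_from('<II', image, entry)


def classify_image(image):
    """Classify a memory-dumped module:
    'net'                 - CLR entry present, a normal parser sees a .NET module
    'clr-header-stripped' - PE still parses, CLR entry zeroed, but .NET metadata
                            is still in the body (the assumed tampering)
    'native'              - no CLR entry and no metadata
    'not-pe'              - no usable PE header"""
    entry = clr_directory(image)
    if entry is None:
        return 'not-pe'
    rva, size = entry
    if rva and size:
        return 'net'
    return 'clr-header-stripped' if METADATA_SIGNATURE in image else 'native'


def build_minimal_pe(clr_rva, clr_size, body):
    """Constructed test image: DOS header, PE32 headers with 16 directories, body.
    Not a loadable binary, just enough structure for the parser above."""
    dos = b'MZ' + b'\x00' * (0x3C - 2) + struct.pack('<I', 0x40)
    file_header = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x2102)
    optional = struct.pack('<H', 0x10B) + b'\x00' * 90 + struct.pack('<I', 16)
    table = bytearray(16 * 8)
    struct.pack_into('<II', table, 8 * CLR_DIRECTORY_INDEX, clr_rva, clr_size)
    return dos + b'PE\x00\x00' + file_header + optional + bytes(table) + body


# Constructed samples: a managed image as written to disk, the same image after
# the assumed in-memory tampering (CLR entry zeroed, metadata untouched), and a
# native DLL with neither.
MANAGED_BODY = b'\x00' * 32 + METADATA_SIGNATURE + b'\x00' * 32
ON_DISK = build_minimal_pe(0x2008, 0x48, MANAGED_BODY)
TAMPERED_IN_MEMORY = build_minimal_pe(0, 0, MANAGED_BODY)
NATIVE = build_minimal_pe(0, 0, b'\x00' * 64)

if __name__ == '__main__':
    for name, img in [('on_disk', ON_DISK), ('tampered', TAMPERED_IN_MEMORY), ('native', NATIVE)]:
        print(name, classify_image(img))
```

Run stand-alone it prints the classification of the three constructed images. The practical point is that a scanner keyed only on the CLR directory entry sees the tampered image as native, while one that also looks for metadata in the body still catches it.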
Breaking the header in this way prevents security products that rely on the PE and CLR headers from\r\nparsing the image as a .NET module.\r\nDuring code execution, after the protection layer passes control to the core functionality, the Downloader writes a\r\ndecoy Excel workbook file to %AppData%\\Roaming\\Microsoft\\temp.xlsx and downloads additional file(s) from\r\nthe Web.\r\nThe temp.xlsx decoy file ( 18151b3801bd716b5a33cfc85dbdc4ba84a00314 ) is immediately opened in Excel in an\r\nattempt to make the victim believe that it contains the original content of the политзаключенные (по судам\r\nминска).xls file.\r\nDecoy document containing lists of people with criminal charges, prosecutors’ and judges’ names\r\nThe spreadsheet contains the names of people with criminal charges along with the names of prosecutors and\r\njudges: content that invites the reader to believe it could be leaked from a government source. However, the\r\ninformation was already in the public domain and can be found on the website of a proscribed Belarusian human\r\nrights organization, Spring96.\r\nOnce the decoy Excel file is opened, the Downloader attempts to fetch the next stage from the following URL:\r\nhttps://everythingandthedog[.]shop/petsblog/2020/2/25/tips-for-taking-difficult-dogs-on-a-walk.jpg\r\nThe JPG image file fetched from the C2\r\nWe note that the .shop top level domain was also reported in other Ghostwriter activity seen in 2024.\r\nWhen the malware issues the HTTP request, it uses a hardcoded User-Agent string:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 (KHTML, like Gecko) Chrome/97.0.46\r\nNote the AppleWebKit build number 555.36: Chromium-based browsers report 537.36, so this string is a hand-written\r\nartefact rather than a real browser’s User-Agent, and it can be matched on in proxy logs.\r\nThe fetched file ( 8d2bb96e69df059f279d97989690ce3e556a8318 ) is a benign JPEG file, originating from publicly\r\navailable photo stock, with no extra 
payload or code cave where code could be embedded. We confirmed\r\nthat an identical file can be found online, located on a web site whose name is nearly identical to the one used by the attackers.\r\nIt would seem the attackers not only reused the JPG file contents from a legitimate website but also copied its\r\noriginal URL, changing only the top level domain:\r\nhttps://www.everythingandthedog.com/petsblog/2020/2/25/tips-for-taking-difficult-dogs-on-a-walk.\r\nOnce the file is downloaded, it is renamed and then saved to\r\n%APPDATA%\\Roaming\\Microsoft\\SystemCertificates\\CertificateCenter.dll .\r\nLater, it is registered to load at autostart by leveraging the Registry Run key:\r\nHKCU\\System\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Certificate Center\r\nwith its value set to the following string (environment variables expanded; the user name is elided):\r\nrundll32.exe C:\\Users\\\\AppData\\Roaming\\Microsoft\\SystemCertificates\\CertificateCenter.dll,#1\r\nThis Registry entry makes rundll32.exe load the DLL and execute its exported function with ordinal 1\r\nwhenever the user logs on.\r\nOverview of the malware stages for Weaponized XLS 1\r\nDuring our analysis we only observed the benign JPG file being downloaded. However, based on the code\r\nanalysis, we believe that the real targets receive an actual DLL. We assume that such a targeted payload delivery\r\nprocess is carefully controlled by the attackers and that they deliver the payload only after confirming the\r\nrequesting client’s profile (browser user agent, IP address of the client, and matching time of the operation\r\nwindow). 
Research in a previous campaign found that a Cobalt Strike payload was delivered to targets only if the\r\nhost IP was located in Ukraine.\r\nGiven the timing and targeting of the attack, we hypothesized that it may not have been an isolated incident.\r\nFurther research led us to discover other samples closely resembling Weaponized XLS 1, suggesting that multiple\r\nattacks using the same techniques had been planned or executed. The samples used in these suspected attacks are\r\ndescribed below.\r\nWeaponized XLS 2 | Ukraine Gov “Anti-Corruption Initiative”\r\nA file bearing the Ukrainian name Zrazok.xls (“Sample.xls”) is an XLS file\r\n( 301ffdf0c7b67e01fd2119c321e7ae09b7835afc ) with an obfuscated VBA macro embedded. However, the script\r\ncode and obfuscation technique are different from the case we discussed earlier.\r\nFor this script, the attackers used a popular obfuscator tool called Macropack, an open-source but seemingly\r\nabandoned project originally developed for red-teaming and penetration testing exercises.\r\nMacropack-obfuscated VBA macro found inside the spreadsheet\r\nAs in the previous case, once the macro code is executed, the .NET ConfuserEx-obfuscated Downloader DLL\r\n(written to %AppData%\\Roaming\\Microsoft\\bruhdll32.dll ) is loaded with rundll32.exe and the\r\ncommand line arguments needed to run one of its exported functions. 
After this, the new module drops a decoy XLS file and opens\r\nit with Excel.\r\nThe decoy document prepared for a Ukrainian reader (an action plan for an anti-corruption initiative in\r\ngovernment organisations in Ukraine)\r\nThis module attempts to download the next stage from the following URL (unavailable at the time of writing):\r\nhttps://sciencealert[.]shop/images/2024/11/black-hole-coronaxx.jpg\r\nWhen the malware issues the HTTP request it uses a hardcoded User-Agent string that differs slightly from the\r\nprevious case (the AppleWebKit build is the standard 537.36 here):\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.46\r\nNotably, the image file served from this URL ( 52e894acf0e14d27f8997d2174c1f40d6d87bba9 ) was previously uploaded to\r\nVirusTotal on December 19, 2024.\r\nImage file fetched from the malicious URL\nAs with the previous case, the image file and its URL path appear to be copied from a public blog post published on\nNov 16, 2024:\nhttps://www.sciencealert.com/images/2024/11/black-hole-coronaxx.jpg\nAgain, the file name and the path on the malicious server were nearly identical to the legitimate one, with the actor\nchanging only the top level domain from .com to .shop .\nIn this case, the downloaded file is expected to be an archive in GZIP format. 
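Both download requests seen so far share two properties a network analyst can test for: the C2 URL mirrors a legitimate URL with only the top level domain swapped (everythingandthedog.com to .shop, sciencealert.com to .shop), and the hardcoded User-Agent claims a Macintosh browser (in the first case with an AppleWebKit build of 555.36 that no Chromium-based browser sends) although the request originates from a DLL running on Windows. The Python below is an added example, not code from SentinelLABS; the map of legitimate sites is constructed for the example, and the request records use the URLs and User-Agent strings exactly as the page prints them, including the truncated Chrome version.

```python
import re
from urllib.parse import urlsplit

# Sites whose images and URL paths the page shows being mirrored. Constructed
# lookup for the example; in practice this would come from an allowlist,
# passive DNS or web-archive data rather than a hardcoded map.
LEGITIMATE_TLDS = {
    'everythingandthedog': 'com',
    'sciencealert': 'com',
}

WEBKIT_BUILD = re.compile(r'AppleWebKit/(\d+)\.(\d+)')


def refang(url):
    """Turn the defanged form used in the report ([.]) back into a parsable URL."""
    return url.replace('[.]', '.').replace('hxxp', 'http')


def split_host(host):
    """'www.sciencealert.com' -> ('sciencealert', 'com')."""
    host = (host or '').lower()
    if host.startswith('www.'):
        host = host[4:]
    label, _, tld = host.rpartition('.')
    return label, tld


def tld_swapped(url):
    """Return the legitimate TLD when the URL reuses a known site's domain label
    under a different TLD (the .com -> .shop pattern), else None."""
    label, tld = split_host(urlsplit(refang(url)).hostname)
    real = LEGITIMATE_TLDS.get(label)
    return real if real and real != tld else None


def legitimate_counterpart(url):
    """Rebuild the URL on the legitimate TLD so an analyst can confirm that the
    path (and, as the page did, the file content) was copied verbatim."""
    real = tld_swapped(url)
    if real is None:
        return None
    parts = urlsplit(refang(url))
    label, _ = split_host(parts.hostname)
    return parts._replace(netloc='%s.%s' % (label, real)).geturl()


def user_agent_findings(ua, host_os):
    """Findings for a hardcoded User-Agent; host_os is where the request
    really originated ('windows' for a DLL running under rundll32/regsvr32)."""
    findings = []
    m = WEBKIT_BUILD.search(ua)
    # Chromium-based browsers have reported AppleWebKit/537.36 for years; any
    # other build number is a strong sign of a hand-written string.
    if m and m.group(1) != '537':
        findings.append('webkit-build-%s.%s-not-537.36' % m.groups())
    if 'Macintosh' in ua and host_os == 'windows':
        findings.append('mac-ua-from-windows-host')
    if 'Windows NT' in ua and host_os != 'windows':
        findings.append('windows-ua-from-non-windows-host')
    return findings


def assess_request(url, ua, host_os='windows'):
    """Combine both checks into a list of reasons to look closer at a request."""
    reasons = user_agent_findings(ua, host_os)
    real = tld_swapped(url)
    if real:
        label, tld = split_host(urlsplit(refang(url)).hostname)
        reasons.append('tld-swap-%s.%s-mirrors-%s.%s' % (label, tld, label, real))
    return reasons


# The download requests from Weaponized XLS 1 and 2 as the page reports them
# (Chrome version truncated exactly as on the page), plus a benign control.
XLS1_URL = 'https://everythingandthedog[.]shop/petsblog/2020/2/25/tips-for-taking-difficult-dogs-on-a-walk.jpg'
XLS1_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 (KHTML, like Gecko) Chrome/97.0.46'
XLS2_URL = 'https://sciencealert[.]shop/images/2024/11/black-hole-coronaxx.jpg'
XLS2_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.46'
BENIGN_URL = 'https://www.sciencealert.com/images/2024/11/black-hole-coronaxx.jpg'
BENIGN_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.46'

if __name__ == '__main__':
    for url, ua in [(XLS1_URL, XLS1_UA), (XLS2_URL, XLS2_UA), (BENIGN_URL, BENIGN_UA)]:
        print(url, assess_request(url, ua), legitimate_counterpart(url))
```

The counterpart URL is what an analyst would fetch to repeat the page's own check that the file on the .shop domain is byte-identical to the one on the legitimate .com site.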
Once the GZIP archive is downloaded, the malware\ndecompresses it and saves the result to the following location:\n%APPDATA%\\Roaming\\Microsoft\\SystemCertificates\\CertificateCenter.dll\nIt also creates an additional text config file at:\n%APPDATA%\\Roaming\\Microsoft\\SystemCertificates\\config\nThe config file contains the following data:\nCertificateBin\\\nThe config file is used by the Downloader to execute MSBuild.exe , instructing it to build a new application:\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe %AppData%\\Roaming\\Microsoft\\SystemCertifica\nThis suggests that the CertificateCenter.dll file is not a binary, as the file extension would suggest, but rather\ncontains program source code (MSBuild accepts a project file under any name, so the .dll extension hides the\nsource). The command, if successful, produces an executable file in the following location:\n%AppData%\\Roaming\\Microsoft\\SystemCertificates\\Bin\\Certificate.exe\nwhich likely contains the next stage of the infection chain.\nOverview of the malware stages for Weaponized XLS 2\nWeaponized XLS 3 | “Supplies for Ukraine Armed Forces”\nA file bearing the Ukrainian name Донесення 5 реч - зразок.xls (“Report 5 items - sample.xls”) is an XLS\nfile ( 9d110879d101bcaec7accc3001295a53dc33371f ) hosting another VBA payload obfuscated with Macropack.\nAs in the previous cases, once the macro code is executed, the .NET ConfuserEx-obfuscated Downloader DLL\r\n(written to %AppData%\\Roaming\\Microsoft\\bruhdll32.dll ) is loaded with rundll32.exe and the\r\ncommand line arguments needed to run one of its exported functions. 
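The host-side artifacts described for Weaponized XLS 1 through 3 can be turned into simple detection rules: regsvr32 /u /s on a DLL under %Temp% (with Excel as the parent process, since the macro launches it), rundll32 invoking an export by ordinal from a DLL under %AppData%\Roaming\Microsoft, a Run key value that autostarts rundll32 on such a DLL, and MSBuild.exe pointed at a file that is not a project file. The following Python is an added example, not SentinelLABS code; the telemetry records are constructed here, with the elided user name replaced by analyst and the exact rundll32 and MSBuild arguments assumed where the page truncates or omits them.

```python
import re
from collections import namedtuple

# Constructed telemetry shapes for the example; not a real EDR schema.
Process = namedtuple('Process', 'image cmdline parent')
RegistryValue = namedtuple('RegistryValue', 'key name data')

# Locations the page shows being used for dropped modules: %Temp% and
# %AppData%\Roaming\Microsoft\... (including the SystemCertificates subfolder).
USER_WRITABLE = re.compile(r'\\(Temp|AppData\\Roaming)\\', re.I)
ORDINAL_EXPORT = re.compile(r'\.dll\s*,\s*#\d+', re.I)
PROJECT_EXT = ('.csproj', '.vbproj', '.proj', '.sln', '.targets', '.props')
OFFICE_PARENTS = ('excel.exe', 'winword.exe', 'powerpnt.exe')


def basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def check_process(p):
    """Return the rule names that fire for one process-creation record."""
    image, parent, cmd = basename(p.image), basename(p.parent), p.cmdline
    hits = []
    if image == 'regsvr32.exe':
        flags = {t.lower() for t in cmd.split() if t.startswith('/')}
        # Weaponized XLS 1: regsvr32 /u /s on a DLL under %Temp%, so the
        # payload runs from DllUnregisterServer with no UI.
        if {'/u', '/s'} <= flags and USER_WRITABLE.search(cmd):
            hits.append('regsvr32-silent-unregister-user-writable-dll')
    elif image == 'rundll32.exe' and USER_WRITABLE.search(cmd):
        # XLS 2-5 and the Run key: rundll32 on a DLL in AppData\Roaming\Microsoft,
        # invoked by ordinal (",#1") rather than by export name.
        hits.append('rundll32-ordinal-export-user-writable-dll'
                    if ORDINAL_EXPORT.search(cmd) else 'rundll32-user-writable-dll')
    elif image == 'msbuild.exe':
        # XLS 2: MSBuild pointed at a "DLL" that is really project source.
        m = re.search(r'msbuild\.exe"?\s+"?([^"\s]+)', cmd, re.I)
        target = m.group(1) if m else ''
        if target and not target.lower().endswith(PROJECT_EXT):
            hits.append('msbuild-target-not-a-project-file')
        if USER_WRITABLE.search(target):
            hits.append('msbuild-target-user-writable')
    if hits and (parent in OFFICE_PARENTS or parent == 'rundll32.exe'):
        hits.append('parent-' + parent[:-4])
    return hits


def check_registry(v):
    """Flag a Run value that autostarts rundll32 on a DLL from a user-writable path."""
    if '\\currentversion\\run' not in v.key.lower():
        return []
    if 'rundll32' in v.data.lower() and USER_WRITABLE.search(v.data):
        return ['run-key-rundll32-user-writable-dll']
    return []


# Constructed records: paths as the page reports them, the elided user name
# replaced by "analyst", and the rundll32/MSBuild arguments assumed.
SAMPLE_PROCESSES = [
    Process(r'C:\Windows\System32\regsvr32.exe',
            r'C:\Windows\System32\regsvr32.exe /u /s "C:\Temp\Realtek(r)Audio.dll"',
            r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'),
    Process(r'C:\Windows\System32\rundll32.exe',
            r'rundll32.exe C:\Users\analyst\AppData\Roaming\Microsoft\bruhdll32.dll,#1',
            r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'),
    Process(r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe',
            r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\analyst\AppData\Roaming\Microsoft\SystemCertificates\CertificateCenter.dll',
            r'C:\Windows\System32\rundll32.exe'),
    # Benign look-alikes that should stay quiet.
    Process(r'C:\Windows\System32\regsvr32.exe',
            r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
            r'C:\Program Files\Vendor\setup.exe'),
    Process(r'C:\Windows\System32\rundll32.exe',
            r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
            r'C:\Windows\explorer.exe'),
    Process(r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe',
            r'MSBuild.exe C:\src\app\app.csproj /p:Configuration=Release',
            r'C:\Program Files\Microsoft Visual Studio\devenv.exe'),
]
SAMPLE_REGISTRY = [
    RegistryValue(r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
                  'Microsoft Certificate Center',
                  r'rundll32.exe C:\Users\analyst\AppData\Roaming\Microsoft\SystemCertificates\CertificateCenter.dll,#1'),
    RegistryValue(r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
                  'OneDrive', r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]


def triage(processes=SAMPLE_PROCESSES, values=SAMPLE_REGISTRY):
    """Return only the records that fired, as (record label, rule hits)."""
    fired = []
    for p in processes:
        hits = check_process(p)
        if hits:
            fired.append((p.cmdline, hits))
    for v in values:
        hits = check_registry(v)
        if hits:
            fired.append((v.name, hits))
    return fired


if __name__ == '__main__':
    for label, hits in triage():
        print(hits, '<-', label)
```

The rules deliberately key on the combination of a signed Windows binary (regsvr32, rundll32, MSBuild) with an argument in a user-writable path, which is what separates these chains from the same binaries' everyday use; the parent-process tag is kept separate so it can raise severity without being required.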
Once loaded, the module drops a decoy XLS file on disk\r\nand opens it with Excel.\r\nThe decoy document prepared for a Ukrainian reader (a report template for Ukrainian armed\r\nforces supplies)\r\nAgain, the malware uses the same payload retrieval technique and downloads a JPG file from yet another .shop\r\ndomain:\r\nhttps:\r\nThe URL is unavailable at the time of writing, but data from VirusTotal indicates that the downloaded file is\r\nidentical to the black hole image described above in the Weaponized XLS 2 section. The malware logic is also\r\nidentical to that of Weaponized XLS 2.\r\nWeaponized XLS 4 \u0026 5 | Variations on a Theme\r\nIn addition to the previous findings, we discovered further related XLS files that were similarly weaponized. The\r\nfiles Донесення 5 реч фонд зборів- зразок.xls (“Report 5 items collection fund - sample.xls”;\r\n2c06c01f9261fe80b627695a0ed746aa8f1f3744 ) and Додаток 8 реч новий.xls (“Appendix 8 items new.xls”;\r\n853da593d2a489c2bd72a284a362d7c68c3a4d4c ) were first uploaded from Ukraine in Feb 2025.\r\nBoth files contain a Macropack-obfuscated VBA macro; however, they differ in structure. Functionally, both drop\r\na DLL to the previously noted path %AppData%\\Roaming\\Microsoft\\bruhdll32.dll .\r\nAgain, the DLL is loaded with rundll32.exe and the command line arguments needed to execute an exported\r\nfunction. 
Next, the victim sees a decoy workbook open in Excel.\r\nThe decoy documents prepared for a Ukrainian reader (a report template for Ukrainian armed\r\nforces supplies)\r\nThe decoys are similar, and the obfuscation technique, code structure, and embedded URL are common to\r\nboth:\r\nhttps:\r\nThe User-Agent string in the HTTP request, however, is different, with the operating system and architecture\r\nspecified as “Windows NT 10.0; Win64; x64”:\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/9\r\nThese variants of the malware also contain another embedded .NET DLL, internally referred to as LibCMD from\r\nthe original filename LibCMD.dll ( 4ae6b8adc980ba8a212b838f3ca6a9718d9a3757 ). This is a small file whose\r\nonly purpose is to start cmd.exe and attach to its stdin/stdout, i.e. a minimal command shell helper.\r\nThe file carries a tampered PE link timestamp. It is never saved to disk; instead, it is loaded dynamically in\r\nmemory as a .NET assembly and executed.\r\nOverview of the malware stages for Weaponized XLS 4 \u0026 5\r\nAttribution\r\nAnalysis of the techniques used by threat actors can often be helpful in establishing the origin of an attack and the\r\nmalware it uses. 
In this case, the obfuscation techniques are quite specific across all the samples we analyzed,\r\nallowing us to establish a medium-confidence link between them and a malware cluster known as PicassoLoader,\r\na downloader toolkit.\r\nPicassoLoader has been used in cyber attacks targeting government, military, and civilian entities in Ukraine and\r\nPoland and is exclusively associated with the Ghostwriter threat actor (aka UNC1151, UAC-0057, Blue Dev 4,\r\nMoonscape, TA445).\r\nThroughout 2024, Ghostwriter has repeatedly used a combination of Excel workbooks containing Macropack-obfuscated\r\nVBA macros and dropped embedded .NET downloaders obfuscated with ConfuserEx. In our case, the\r\nDownloader malware appears to be a simplified implementation of PicassoLoader.\r\nConclusion\r\nThe Ghostwriter threat actor has been consistently active in the past years and continues its attempts to\r\ncompromise targets aligned with the interests of Belarus and its closest ally, Russia. 
It has mounted multiple\r\nattacks reported by CERT-UA and other security researchers throughout 2024.\r\nWhile Belarus doesn’t actively participate in military campaigns in the war in Ukraine, cyber threat actors\r\nassociated with it appear to have no reservations about conducting cyberespionage operations against Ukrainian\r\ntargets.\r\nThe campaign described in this publication also serves as confirmation that Ghostwriter is closely tied to the\r\ninterests of the Belarusian government, which is waging an aggressive pursuit of its opposition and the organizations\r\nassociated with it.\r\nWe would like to express our thanks to partners in the region, including RESIDENT.NGO and others who remain\r\nunnamed, for their invaluable collaboration.\r\nOrganizations that believe they may have been targeted by threat actors involved in this campaign are invited to\r\nreach out to the SentinelLABS team via ThreatTips@sentinelone.com.\r\nIndicators of Compromise\r\nWeaponized Excel Workbooks and Decoys (SHA-1, file name)\r\n18151b3801bd716b5a33cfc85dbdc4ba84a00314 temp.xlsx\r\n2c06c01f9261fe80b627695a0ed746aa8f1f3744 Донесення 5 реч фонд зборів- зразок.xls\r\n301ffdf0c7b67e01fd2119c321e7ae09b7835afc Zrazok.xls\r\n853da593d2a489c2bd72a284a362d7c68c3a4d4c Додаток 8 реч новий.xls\r\n9d110879d101bcaec7accc3001295a53dc33371f Донесення 5 реч – зразок.xls\r\nebb30fd99c2e6cbae392c337df5876759e53730d политзаключенные (по судам минска).xls\r\nDownloaders (SHA-1)\r\n18bcc91ad3eed529d44926f4ae65acf44480f39d\r\n64fca582cb69d9dc2afb1b432df58fb32ac18ca1\r\n7261ad5d4e760aa88df94b734bc44598a090852a\r\n9fa00a4ee4e95bc50a3919d2d3c0be2a567d8845\r\ne5ebc7deca1ff1f0a4b1462d37ef813dad8413a6\r\nLibCMD helper file (SHA-1)\r\n4ae6b8adc980ba8a212b838f3ca6a9718d9a3757\r\nC2 
Domains\r\namericandeliriumsociety[.]shop\r\ncookingwithbooks[.]shop\r\neverythingandthedog[.]shop\r\npigglywigglystores[.]shop\r\nsciencealert[.]shop\r\nSource: https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/"
	],
	"report_names": [
		"ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20e756348ab1001b08a049d046bfa64d572b6368.pdf",
		"text": "https://archive.orkl.eu/20e756348ab1001b08a049d046bfa64d572b6368.txt",
		"img": "https://archive.orkl.eu/20e756348ab1001b08a049d046bfa64d572b6368.jpg"
	}
}