{
	"id": "3c15ea3c-927f-42d9-a285-b6a5bd3a7e6e",
	"created_at": "2026-04-06T00:19:00.177347Z",
	"updated_at": "2026-04-10T13:11:56.132594Z",
	"deleted_at": null,
	"sha1_hash": "4aaaca96386df235e685e9f9c6629641be0656e2",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81481,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:36:15 UTC\r\nHome \u003e List all groups \u003e Operation Ghostwriter\r\n APT group: Operation Ghostwriter\r\nNames\r\nOperation Ghostwriter (FireEye)\r\nUNC1151 (FireEye)\r\nTA445 (Proofpoint)\r\nUAC-0051 (CERT-UA)\r\nUAC-0057 (CERT-UA)\r\nPUSHCHA (Google)\r\nDEV-0257 (Microsoft)\r\nStorm-0257 (Microsoft)\r\nWhite Lynx (Palo Alto)\r\nCountry Belarus\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage, Sabotage and destruction\r\nFirst seen 2017\r\nDescription\r\n(FireEye) Mandiant Threat Intelligence has tied together several information\r\noperations that we assess with moderate confidence comprise part of a broader\r\ninfluence campaign—ongoing since at least March 2017—aligned with Russian\r\nsecurity interests. The operations have primarily targeted audiences in Lithuania,\r\nLatvia, and Poland with narratives critical of the North Atlantic Treaty\r\nOrganization’s (NATO) presence in Eastern Europe, occasionally leveraging other\r\nthemes such as anti-U.S. and COVID-19-related narratives as part of this broader\r\nanti-NATO agenda. 
We have dubbed this campaign “Ghostwriter.”\r\nMany, though not all of the incidents we suspect to be part of the Ghostwriter\r\ncampaign, appear to have leveraged website compromises or spoofed email accounts\r\nto disseminate fabricated content, including falsified news articles, quotes,\r\ncorrespondence and other documents designed to appear as coming from military\r\nofficials and political figures in the target countries.\r\nObserved Sectors: Defense, Education, Government, Media.\r\nCountries: Belarus, Colombia, Estonia, France, Germany, Ireland, Kuwait, Latvia,\r\nLithuania, Poland, Switzerland, Ukraine.\nTools used Cobalt Strike, HALFSHELL, Impacket, RADIOSTAR, VIDEOKILLER.\nOperations performed\n2021\nGhostwriter Update: Cyber Espionage Group UNC1151 Likely\nConducts Ghostwriter Influence Activity\nMar 2021\nGerman Parliament targeted again by Russian state hackers\nJan 2022\nUkraine suspects group linked to Belarus intelligence over\ncyberattack\nFeb 2022\nUkraine links Belarusian hackers to phishing targeting its military\nFeb 2022\nIn the past several days, we’ve seen increased targeting of people in\nUkraine, including Ukrainian military and public figures\nFeb 2022\nOperation “Asylum Ambuscade”\nState Actor Uses Compromised Private Ukrainian Military Emails to\nTarget European Governments and Refugee Movement\nFeb 2022\nGhostwriter/UNC1151, a Belarusian threat actor, has conducted\ncredential phishing campaigns over the past week against Polish and\nUkrainian government and military organizations.\nMar 2022\nGhostWriter APT targets state entities of Ukraine with Cobalt Strike\nBeacon\nMar 2022\nGhostwriter, a Belarusian threat actor, recently introduced a new\ncapability into their credential phishing campaigns. 
In mid-March, a\nsecurity researcher released a blog post detailing a 'Browser in the\nBrowser' phishing technique.\nApr 2022\nGhostwriter, a Belarusian threat actor, has remained active during the\ncourse of the war and recently resumed targeting of Gmail accounts\nvia credential phishing.\nApr 2022\nMalicious campaigns target government, military and civilian entities\nin Ukraine, Poland\nApr 2024\nUNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s\nMinistry of Defence\nJan 2025\nGhostwriter | New Campaign Targets Ukrainian Government and\nBelarusian Opposition\nCounter operations Early 2022\nWe’ve seen a further spike in compromise attempts aimed at\nmembers of the Ukrainian military by Ghostwriter, a threat actor\ntracked by the security community.\nInformation\nLast change to this card: 27 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=163127e3-2716-4f45-b24e-49dc8987d9e2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=163127e3-2716-4f45-b24e-49dc8987d9e2"
	],
	"report_names": [
		"showcard.cgi?u=163127e3-2716-4f45-b24e-49dc8987d9e2"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aaaca96386df235e685e9f9c6629641be0656e2.pdf",
		"text": "https://archive.orkl.eu/4aaaca96386df235e685e9f9c6629641be0656e2.txt",
		"img": "https://archive.orkl.eu/4aaaca96386df235e685e9f9c6629641be0656e2.jpg"
	}
}