{
	"id": "e95f3c86-7379-4900-aae3-019e1db4693f",
	"created_at": "2026-04-06T00:07:37.422551Z",
	"updated_at": "2026-04-10T13:12:58.708395Z",
	"deleted_at": null,
	"sha1_hash": "a0208af54f70c0f3178ebf76ed8cf4491a49f9ea",
	"title": "GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1342237,
	"plain_text": "GhostWriter APT targets state entities of Ukraine with Cobalt\r\nStrike Beacon\r\nBy Pierluigi Paganini\r\nPublished: 2022-03-28 · Archived: 2026-04-05 19:51:22 UTC\r\nUkraine CERT-UA warns that the Belarus-linked GhostWriter APT group is\r\ntargeting state entities of Ukraine with Cobalt Strike Beacon.\r\nUkraine CERT-UA uncovered a spear-phishing campaign conducted by the Belarus-linked GhostWriter APT group\r\ntargeting Ukrainian state entities with Cobalt Strike Beacon.\r\nThe phishing messages use a RAR archive named “Saboteurs.rar”, which contains the RAR archive “Saboteurs\r\n21.03.rar”. This second archive contains the SFX archive “Saboteurs filercs.rar”; experts reported that the file name\r\ncontains the right-to-left override (RTLO) character to mask the real extension.\r\n“The archive contains documents and images of the bait, as well as VBScript code (Thumbs.db), which will create\r\nand run the .NET program “dhdhk0k34.com”,” reads the advisory published by CERT-UA.\r\nThe attack chain ends with the delivery of the malicious program Cobalt Strike Beacon. The date of compilation for\r\nthe “injector” (“inject.exe”) is March 15, 2022.\r\nThe attribution of the campaign to the GhostWriter APT (aka UAC-0051, UNC1151) is based on the code of the\r\nVBScript used in the attack.\r\nIn November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation\r\ncampaign (aka UNC1151) to the government of Belarus.\r\nIn August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO\r\nby spreading fake news content on compromised news websites.\r\nAccording to FireEye, the campaign, tracked as GhostWriter, has been ongoing since at least March 2017 and is\r\naligned with Russian security interests.\r\nUnlike other disinformation campaigns, GhostWriter doesn’t spread through social networks; instead, the threat actors\r\nbehind this campaign abused compromised content management systems (CMS) of news websites or spoofed\r\nemail accounts to disseminate fake news.\r\nThe operators behind Ghostwriter targeted Belarusian entities before the 2020 elections; some of the individuals\r\n(representatives of the Belarusian opposition) targeted by the nation-state actor were later arrested by the\r\nBelarusian government.\r\nSensitive technical information gathered by the researchers suggests the threat actors were operating from Minsk,\r\nBelarus under the control of the Belarusian Military.\r\nCERT-UA also published Indicators of Compromise for the recent campaign.\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, GhostWriter)\r\nSource: https://securityaffairs.co/wordpress/129527/apt/ghostwriter-apt-targets-state-entities-of-ukraine-with-cobalt-strike-beacon.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityaffairs.co/wordpress/129527/apt/ghostwriter-apt-targets-state-entities-of-ukraine-with-cobalt-strike-beacon.html"
	],
	"report_names": [
		"ghostwriter-apt-targets-state-entities-of-ukraine-with-cobalt-strike-beacon.html"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445",
				"UAC-0051",
				"UNC1151"
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0208af54f70c0f3178ebf76ed8cf4491a49f9ea.pdf",
		"text": "https://archive.orkl.eu/a0208af54f70c0f3178ebf76ed8cf4491a49f9ea.txt",
		"img": "https://archive.orkl.eu/a0208af54f70c0f3178ebf76ed8cf4491a49f9ea.jpg"
	}
}