Belarus-Linked Hackers Launch Cyberespionage Campaign Against Ukraine

Belarusian state-sponsored hackers have launched a new cyberespionage operation targeting Ukraine’s Ministry of Defence and a military base, according to cybersecurity researchers. The attacks, carried out by the Belarus-linked group Ghostwriter, involved phishing emails with malicious attachments designed to steal data and gain unauthorized access to systems. Cybersecurity firm Cyble, which observed the campaign in April, noted that the emails contained drone image files and a malicious Microsoft Excel spreadsheet. When the recipients opened the .xls file and clicked “Enable Content,” it triggered an embedded VBA Macro to execute, potentially delivering malware such as AgentTesla, Cobalt Strike beacons, and njRAT.
Ghostwriter, also known as UNC1151 and Storm-0257, has been active since at least 2017 and is notorious for its attacks on Ukraine, Lithuania, Latvia, and Poland, mainly through phishing operations. Cyble’s report highlighted the group’s persistent efforts to target Ukraine and evolve its techniques to evade detection. The group’s primary goal appears to be information theft and gaining remote access to infected systems.
In a related development, Ukraine’s Computer Emergency Response Team (CERT-UA) issued a warning about cyberattacks against Ukrainian military personnel and defense services using DarkCrystal malware, delivered via the Signal messaging app by a threat actor tracked as UAC-0200. These attacks aim to gain remote access to victims’ devices by posing as familiar contacts and urging them to open malicious files on their computers.
CERT-UA has observed a steady increase in cyber incidents targeting Ukraine over the past two years, with hackers exploiting vulnerabilities and aligning their attacks with current events to target the Ukrainian military and critical infrastructure more effectively.