Ghostwriter Malware Targets Government Organizations with Weaponized XLS File
The Ghostwriter APT group, linked to Belarusian intelligence, has been conducting sophisticated cyber campaigns targeting Ukrainian government entities and Belarusian opposition groups from 2024 to early 2025. These attacks utilize weaponized Excel documents with obfuscated VBA macros to deploy malware like PicassoLoader and Cobalt Strike Beacon. The group's tactics have evolved, now using encrypted SVG files and multi-stage infection processes to evade detection. Their targets include Ukrainian military, local government agencies, and Belarusian activists, with themes revolving around political reforms, taxation, and military affairs. Cybersecurity experts have identified new infrastructure and techniques used by Ghostwriter, emphasizing the need for enhanced threat detection and mitigation strategies. The timing and focus of these campaigns suggest alignment with Belarusian state interests and ongoing geopolitical tensions in the region.