Tracking Adversaries: Ghostwriter APT Infrastructure - #Ghostwriter
The Belarus-linked advanced persistent threat group Ghostwriter (UAC-0057) has been conducting sophisticated cyber campaigns targeting Ukraine and its allies from 2022 to 2025. Their attacks have evolved: phishing emails carrying malicious Excel documents deploy PicassoLoader, which subsequently installs malware such as Cobalt Strike Beacon and njRAT. The group has exploited various vulnerabilities, including a WinRAR zero-day, and has shown adaptability in its tactics, transitioning from JPG to encrypted SVG files for payload delivery. Their targets have expanded from Ukrainian military and government entities to include Poland, Lithuania, and Latvia, with a focus on gathering sensitive information and gaining persistent remote access. The continuous evolution of their techniques, including improved obfuscation methods, highlights the critical need for enhanced cybersecurity measures and international cooperation to counter such state-sponsored threats.