VMTech

Ghostwriter: geofencing in PDF phishing and Cobalt Strike deployment against Ukrainian state bodies


Colleagues, please note: a new Ghostwriter campaign targeting Ukrainian state bodies has been detected.

- Since March 2026, attackers have sent PDFs impersonating “Ukrtelecom” with a link to a RAR archive containing the PicassoLoader JS malware, which loads Cobalt Strike.
- Geofencing is used: recipients outside Ukraine receive a benign file.
- The loader profiles hosts and periodically sends fingerprints; operators manually decide on delivering the final dropper.
- Primary targets are military, defense and government entities.

Why it matters: the multi-stage, geo-targeted chain complicates detection and response.

Should we review attachment-handling rules and geo-blocking in mail gateways?

#cybersecurity #phishing #APT #CobaltStrike
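
As an added example (not part of the original post): a static triage check for the delivery step described above, a PDF that links to an archive. Because the chain is geofenced, a scanner that fetches the link from outside the targeted region may only see the benign file, so this check inspects the link without retrieving it. The extension list, function names and sample PDF bytes are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy list: archive/script types a PDF should not link to directly.
RISKY_EXT = (".rar", ".zip", ".7z", ".iso", ".js", ".jse")

# /URI followed by a PDF literal string "(...)" or a hex string "<...>".
# Limits: unescaped nested parentheses and links stored inside compressed
# object streams are not handled; decompress streams first for full coverage.
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\()])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every link target found in uncompressed /URI actions."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            # Undo the backslash escapes PDF uses for ( ) and \ in literals.
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))
        else:
            digits = b"".join(m.group("hex").split()).decode("ascii")
            # PDF pads an odd-length hex string with a trailing zero.
            raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
        uris.append(raw.decode("latin-1"))
    return uris


def risky_links(pdf: bytes) -> list[str]:
    """Return http(s) links whose path ends in an archive or script extension."""
    hits = []
    for uri in extract_uris(pdf):
        parts = urlsplit(uri)
        if parts.scheme in ("http", "https") and parts.path.lower().endswith(RISKY_EXT):
            hits.append(uri)
    return hits


# Constructed sample: three link annotations, two of which point at archives.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Subtype /Link /A << /S /URI /URI (https://files.example.test/docs/notice.rar) >> >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.test/help\\(faq\\)) >> >> endobj\n"
    b"3 0 obj << /Subtype /Link /A << /S /URI /URI <"
    + b"https://cdn.example.test/a.zip".hex().encode() + b"> >> >> endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for link in risky_links(SAMPLE_PDF):
        print("quarantine candidate:", link)
```
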
