Ghostwriter: geofencing in PDF phishing and Cobalt Strike deployment against Ukrainian state bodies

Colleagues, please note: a new Ghostwriter campaign targeting Ukrainian state bodies has been detected.
- Since March 2026 attackers have sent PDFs impersonating “Ukrtelecom” with a link to an RAR containing PicassoLoader JS malware that loads Cobalt Strike.
- Geofencing is used: recipients outside Ukraine receive a benign file.
- The loader profiles hosts and periodically sends fingerprints; operators manually decide on delivering the final dropper.
- Primary targets are military, defense and government entities.
Why it matters: the multi-stage, geo-targeted chain complicates detection and response.
Should we review attachment-handling rules and geo-blocking in mail gateways?
#cybersecurity #phishing #APT #CobaltStrike
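One concrete check for the attachment-handling review suggested above, as an added example (not the post author's code or any vendor rule): a triage script that pulls the /URI link annotations out of a PDF and flags any whose target ends in an archive extension, which is the PDF-to-RAR delivery path the post describes. The sample PDF and its example.invalid host are constructed placeholders, not indicators from the campaign.

```python
"""Triage check for PDF lures that link out to archive downloads.

Scans raw PDF bytes for /URI link annotations and flags targets ending in
an archive extension. It only sees uncompressed objects; PDFs that keep
their annotations inside compressed object streams need a real parser
(e.g. pypdf) to inflate them first.
"""
import re

# Extensions a legitimate "notice" or "invoice" PDF would rarely link to.
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".img")

# /URI (...) with PDF string escapes (\( and \)) allowed inside the value.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes."""
    found = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        found.append(raw.decode("latin-1"))
    return found


def suspicious_archive_links(pdf_bytes: bytes) -> list[str]:
    """Links whose path (query string and fragment ignored) ends in an archive extension."""
    hits = []
    for uri in extract_uris(pdf_bytes):
        path = uri.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(ARCHIVE_EXTENSIONS):
            hits.append(uri)
    return hits


# Constructed sample: a one-page PDF with one link to a .rar and one benign link
# (placeholder host; not an indicator from the campaign).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 200 80]
   /A << /S /URI /URI (https://example.invalid/docs/Request_2026.rar?dl=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 100 200 130]
   /A << /S /URI /URI (https://example.invalid/support) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(suspicious_archive_links(SAMPLE_PDF))
```

A gateway would run this alongside, not instead of, sandbox detonation, since a geofenced lure may hand the sandbox a benign file while still carrying the link.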
