GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon 

Pierluigi Paganini March 28, 2022

Ukraine CERT-UA warns that the Belarus-linked GhostWriter APT group is targeting state entities of Ukraine with Cobalt Strike Beacon.

Ukraine CERT-UA uncovered a spear-phishing campaign conducted by Belarus-linked GhostWriter APT group targeting Ukrainian state entities with Cobalt Strike Beacon.

The phishing messages use a RAR-archive named “Saboteurs.rar”, which contains RAR-archive “Saboteurs 21.03.rar.” This second archive contains SFX-archive “Saboteurs filercs.rar,” experts reported that the file name contains the right-to-left override (RTLO) character to mask the real extension.

“The archive contains documents and images of the bait, as well as VBScript code (Thumbs.db), which will create and run the .NET program “” reads the advisory published by CERT-UA.

 The attack chain ends with the delivery of a malicious program Cobalt Strike Beacon. The date of compilation for the “injector” (“inject.exe”) is March 15, 2022.


The attribution of the campaign to the GhostWriter APT (aka UAC-0051, UNC1151) is based on the code of the VBScript used in the attack.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus.

In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The operators behind Ghostwriter targeted Belarusian entities before the 2020 elections, some of the individuals (representatives of the Belarusian opposition) targeted by the nation-state actor were later arrested by the Belarusian government.

Sensitive technical information gathered by the researchers suggests the threat actors were operating from Minsk, Belarus under the control of the Belarusian Military.

CERT-UA also published Indicators of Compromise for the recent campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GhostWriter)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment