Belarusian Hackers Deploy Excel Malware Against Opposition and Ukraine

The Ghostwriter group is behind a new wave of attacks. Opposition activists in Belarus, as well as Ukrainian military and government organizations, are being targeted by a campaign that uses Microsoft Excel documents as bait to deliver a new variant of the Picassoloader malware.

This threat cluster is assessed to be an extension of a long-running campaign conducted by a Belarus-aligned threat actor tracked as Ghostwriter (also known as Moonscape, TA445, UAC-0057 and UNC1151) since 2016. The actor has been observed tailoring narratives to Russian security interests and promoting content critical of NATO.

Campaign timeline and activation

“The campaign was prepared during July–August 2024 and entered an active phase in November–December 2024,” said SentinelOne researcher Tom Hegel in a technical report.

Key findings:

  • Malware samples and command-and-control (C2) infrastructure activity indicate the operation remains active.
  • The attack chain begins with a shared Google Drive link hosting a malicious RAR archive.

Belarus-linked Ghostwriter uses MacroPack-obfuscated Excel macros to deploy malware.

Techniques used in the attacks

Excel macros as the infection vector

The RAR archive contains a malicious macro-enabled Excel workbook that, when opened, triggers an obfuscated VBA macro. If the user enables macros, the workbook writes a DLL to the system, which in turn launches a streamlined variant of Picassoloader.

Steganography and hidden payloads

Next, the victim is shown a decoy Excel file while additional payloads download silently in the background. As recently as June 2024, this method was used to deliver the Cobalt Strike framework.

SentinelOne also identified other weaponized Excel documents using Ukraine-themed lures. Those files retrieve malicious code via steganography, embedding hidden malware inside an apparently benign JPG image.
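The two artefacts described above, a macro-carrying workbook and a JPG with a payload hidden behind it, can both be triaged with a few structural checks. The following is an added example written for this page; it is not SentinelOne's tooling or any code from the campaign. It assumes the workbook is in Office Open XML form (a ZIP whose VBA project lives in the `xl/vbaProject.bin` part) and uses a deliberately simple heuristic for the image: walk the JPEG segment structure to the real End-Of-Image marker and report how many bytes follow it. The sample workbook and JPEG are constructed in memory so the script runs offline.

```python
"""Defender-side triage for macro-enabled workbooks and JPEGs with trailing data.

Added example for this article, not SentinelOne's or the campaign's code.
Assumptions: workbooks are OOXML (.xlsx/.xlsm, a ZIP container); a VBA project
appears as the part 'xl/vbaProject.bin'. The JPEG walker follows the segment
structure so a payload that itself contains 0xFFD9 does not fool it.
"""
import io
import zipfile

VBA_PART = "xl/vbaProject.bin"   # OOXML part holding a VBA project
SOI = b"\xff\xd8"                # JPEG Start-Of-Image
EOI_MARKER = 0xD9                # JPEG End-Of-Image (second byte after 0xFF)


def workbook_has_vba(data: bytes) -> bool:
    """True if an OOXML workbook carries a VBA project part, whatever its extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return VBA_PART in zf.namelist()
    except zipfile.BadZipFile:
        return False


def _skip_scan_data(data: bytes, pos: int) -> int:
    """Advance past entropy-coded data. 0xFF00 is a stuffed byte and
    0xFFD0..0xFFD7 are restart markers; any other byte after 0xFF is a real marker."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def jpeg_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after the End-Of-Image marker (0 for a clean file)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI_MARKER:
            return len(data) - (pos + 2)
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        if marker == 0xDA:                               # SOS: scan data follows
            pos = _skip_scan_data(data, pos)
    raise ValueError("no EOI marker found")


def triage(name: str, data: bytes) -> str:
    """One-line verdict for a file, by type."""
    lower = name.lower()
    if lower.endswith((".xlsx", ".xlsm")):
        return ("workbook with VBA project (macro-enabled)" if workbook_has_vba(data)
                else "workbook without VBA project")
    if lower.endswith((".jpg", ".jpeg")):
        extra = jpeg_trailing_bytes(data)
        return f"jpeg with {extra} trailing bytes after EOI" if extra else "jpeg, no trailing data"
    return "unhandled type"


# ---- constructed samples (not real files from the campaign) ----
def build_workbook(with_vba: bool) -> bytes:
    """Minimal OOXML-shaped container; only the part names matter for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 12)  # OLE header stub
    return buf.getvalue()


def build_jpeg(extra: bytes = b"") -> bytes:
    """JPEG skeleton: SOI, APP0, SOS with a stuffed 0xFF00 in the scan data, EOI,
    then any appended bytes. Structural only; it is not a decodable image."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"
    return SOI + app0 + sos + scan + b"\xff\xd9" + extra


if __name__ == "__main__":
    print(triage("invoice.xlsm", build_workbook(True)))
    print(triage("invoice.xlsx", build_workbook(False)))
    print(triage("photo.jpg", build_jpeg()))
    print(triage("photo.jpg", build_jpeg(b"MZ\x90\x00\xff\xd9appended")))
```

Trailing bytes after EOI are only a hint: legitimate tools sometimes append metadata, and a payload could equally be woven into the image data itself, which this check will not see. Presence of a VBA project, by contrast, is exact, and flagging it regardless of file extension catches macro-enabled workbooks renamed to `.xlsx`.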

Use of Libcmd and .NET downloaders

In some variants, the infected Excel document drops a DLL named Libcmd, which spawns cmd.exe and communicates over stdin/stdout. Libcmd is loaded directly into memory as a .NET assembly and executed without writing artifacts to disk.
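Because Libcmd runs inside the Excel process and spawns cmd.exe, the detectable trace on the endpoint is the parent/child relationship rather than a file on disk. The following is an added example for this page, not code from the report or from any EDR product: a small detector that parses constructed process-creation records in a simple `key=value` form (the field names and the records are invented for the example) and flags shells or script hosts whose parent is an Office application.

```python
"""Parent/child process heuristic for Office-spawned shells.

Added example for this article; not SentinelOne's or any vendor's detection
logic. The log format below (ts/pid/image/parent/cmdline key=value pairs) and
the sample records are constructed for the example.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# key=value pairs; values may be double-quoted to allow spaces and backslashes
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcEvent:
    ts: str
    pid: int
    image: str
    parent_image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed process-creation record into a ProcEvent."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return ProcEvent(ts=fields["ts"], pid=int(fields["pid"]), image=fields["image"],
                     parent_image=fields["parent"], cmdline=fields.get("cmdline", ""))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_spawned_shell(ev: ProcEvent) -> bool:
    """True when an Office application is the direct parent of a shell/script host."""
    return (basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def detect(lines) -> list:
    """Return the events that match the heuristic, in log order."""
    return [ev for ev in map(parse_event, lines) if is_office_spawned_shell(ev)]


# Constructed records: Excel launched by Explorer, cmd.exe spawned by Excel,
# and an unrelated cmd.exe started by the user from Explorer.
SAMPLE_LOG = [
    'ts=2024-11-12T09:14:03Z pid=4120 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'parent="C:\\Windows\\explorer.exe" cmdline="EXCEL.EXE /dde"',
    'ts=2024-11-12T09:14:09Z pid=4388 image="C:\\Windows\\System32\\cmd.exe" '
    'parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" cmdline="cmd.exe"',
    'ts=2024-11-12T09:15:40Z pid=5010 image="C:\\Windows\\System32\\cmd.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="cmd.exe /c dir"',
]


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"{ev.ts} pid={ev.pid} {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.cmdline}")
```

The rule is intentionally narrow: it keys on the immediate parent, so a loader that detaches through an intermediate process would need a lineage check rather than a single parent/child pair. Tune the parent and child sets to the Office builds and script hosts actually present in the environment to keep false positives low.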

Ghostwriter’s continued threat to Ukraine

“Throughout 2024, Ghostwriter repeatedly used Excel workbooks with MacroPack-obfuscated VBA macros and embedded .NET downloaders,” Hegel noted.

Although Belarus is not militarily engaged in the war in Ukraine, cyber threat actors linked to the country remain active in cyber espionage operations targeting Ukrainian organizations.

Organizations and individuals should treat unsolicited documents, especially those delivered via shared cloud links, with suspicion. Disabling macros by default, keeping endpoint protection updated, and verifying shared files with the sender through a separate channel reduce the risk of falling victim to similar campaigns.