Full Report
Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape,
Analysis Summary
# Threat Actor: Ghostwriter (TA445/UAC-0057/UNC1151)
## Attribution & Identity
Attributed to a Belarus-aligned threat actor tracked under several names: Ghostwriter, Moonscape, TA445, UAC-0057 and UNC1151. The group has been active since 2016, aligns with Russian security interests and promotes anti-NATO narratives.
## Activity Summary
The actor's latest cyber espionage campaign has been active since November-December 2024, with preparation observed from July-August 2024. It delivers malicious Microsoft Excel workbooks through Google Drive share links to stage a new PicassoLoader variant. The activity shows sustained operations against specific targets even though Belarus is not a direct military participant in the war in Ukraine.
## Tactics, Techniques & Procedures
- Spearphishing with a Google Drive share link to a RAR archive that contains the malicious Excel workbook; the lure arrives as a link, not as an attachment.
- Execution of obfuscated VBA macros once the user enables content.
- The macro drops a DLL to disk and executes it.
- The DLL is a simplified variant of PicassoLoader, a downloader used to stage the next payload.
- Cobalt Strike as the post-exploitation payload, observed in similar prior attacks as recently as June 2024.
- Delivery of a `.NET` downloader obfuscated with ConfuserEx.
- Steganography: the second stage is hidden inside seemingly benign JPG images fetched from remote URLs, so the retrieval looks like ordinary image traffic.
- `LibCMD`, a DLL loaded directly into memory as a `.NET` assembly, which starts `cmd.exe` and wires up its stdin/stdout so commands and output can be relayed to and from the shell.
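The chain above (Excel opens the lure, writes a DLL, executes it, and the loader reaches out) is what an endpoint detection should tie together. The following is an added example, not code from the report or from any vendor: it correlates Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 3 NetworkConnect) and flags every process descended from an Office application. The sample events, pids, file paths and the `rundll32.exe` launch are constructed for illustration, since the report does not say how the dropped DLL is executed; the only indicator taken from the report is the `sciencealert.shop` domain.

```python
"""Correlate Sysmon-style endpoint events for the Excel -> DLL -> C2 chain.

Added example. Event layout follows Sysmon; the events below are constructed.
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
IOC_DOMAINS = {"sciencealert.shop"}   # from the report (written defanged there)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window: int = 600):
    """Return alert strings for a time-ordered event list (UtcTime in epoch seconds).

    Every process descended from an Office app is marked 'tainted' so that a DLL
    dropped by Excel, the child that runs it, and that child's network traffic
    are tied back to the document that started the chain.
    """
    alerts = []
    tainted = {}        # pid -> (root Office pid, time the Office app started)
    dropped_dlls = {}   # lowercase DLL path -> pid that wrote it
    for ev in events:
        eid, pid, img = ev["EventID"], ev["ProcessId"], _basename(ev["Image"])
        if eid == 1:                                   # ProcessCreate
            ppid = ev["ParentProcessId"]
            if img in OFFICE_APPS:
                tainted[pid] = (pid, ev["UtcTime"])
            elif ppid in tainted:
                tainted[pid] = tainted[ppid]           # inherit the root Office pid
                alerts.append(f"Office child process: {_basename(ev['ParentImage'])} "
                              f"(pid {ppid}) spawned {img}: {ev['CommandLine']}")
                cmd = ev["CommandLine"].lower()
                for dll in dropped_dlls:
                    if dll in cmd:
                        alerts.append(f"Dropped DLL executed: {dll}")
        elif eid == 11:                                # FileCreate
            target = ev["TargetFilename"]
            if pid in tainted and target.lower().endswith(".dll"):
                dropped_dlls[target.lower()] = pid
                alerts.append(f"Office process wrote DLL: {target}")
        elif eid == 3:                                 # NetworkConnect
            host = ev.get("DestinationHostname", "").lower()
            if host in IOC_DOMAINS:
                alerts.append(f"Known C2 domain contacted by {img}: {host}")
            if pid in tainted and ev["UtcTime"] - tainted[pid][1] <= window:
                alerts.append(f"Outbound connection from Office-descended {img} "
                              f"(pid {pid}) to {host}:{ev['DestinationPort']}")
    return alerts


# Constructed sample telemetry (not real logs), already in time order.
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
DLL = "C:\\Users\\user\\AppData\\Local\\Temp\\svcupd.dll"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": 1000, "ProcessId": 4120, "Image": EXCEL,
     "ParentProcessId": 1300, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{EXCEL}" C:\\Users\\user\\Downloads\\report.xlsm'},
    {"EventID": 11, "UtcTime": 1015, "ProcessId": 4120, "Image": EXCEL,
     "TargetFilename": DLL},
    {"EventID": 1, "UtcTime": 1016, "ProcessId": 4388, "Image": RUNDLL,
     "ParentProcessId": 4120, "ParentImage": EXCEL,
     "CommandLine": f"rundll32.exe {DLL},Start"},   # launch method is an assumption
    {"EventID": 3, "UtcTime": 1020, "ProcessId": 4388, "Image": RUNDLL,
     "DestinationHostname": "sciencealert.shop", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": 1021, "ProcessId": 2200,                 # benign noise
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.google.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The IOC match fires on its own, but the other four alerts need no indicator at all: an Office process writing a DLL, spawning a child, and that child talking out within the window is the behaviour to hunt for once the reported domains go dark.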
## Targeting
- Sectors: Military, Government.
- Geography: Belarus (Opposition activists), Ukraine (Military and government organizations).
- Named victims: the Ukrainian Ministry of Defence (cited for past activity, not confirmed for this campaign).
## Tools & Infrastructure
- Malware families used: PicassoLoader (new variant), Cobalt Strike (post-exploitation framework), LibCMD.
- Infrastructure: payload staging domain `sciencealert[.]shop`. The URLs and domains cited in the report are noted as no longer live, so they are useful for retrospective hunting and blocklists rather than as a sign of ongoing activity.
## Implications
Ghostwriter remains a potent cyber espionage threat, focused on intelligence gathering against Ukrainian state entities and Belarusian opposition groups in line with broader geopolitical objectives. Its continued reliance on socially engineered document lures, delivered as cloud share links rather than attachments, points to targeted, persistent operations designed to slip past attachment-based email filtering.
## Mitigations
- User awareness: treat any request to enable macros in a received or downloaded Office document, especially one extracted from an archive behind a cloud share link, as a red flag.
- Network and endpoint monitoring: alert on connections to known C2 infrastructure and on outbound traffic, image downloads included, that originates from Office processes or their child processes shortly after a document is opened.
- Application control and Office hardening: block macros in documents carrying the Mark-of-the-Web, and restrict Office applications from spawning child processes or writing executable content such as DLLs. Note that some archivers, or older versions of them, do not propagate the Mark-of-the-Web to extracted files, which weakens the macro block when the lure arrives inside a RAR archive.
- Payload analysis: triage dropped DLLs and downloaded `.NET` binaries for ConfuserEx obfuscation, since the downloader in this chain is protected that way; a hit warrants sandboxing and deeper analysis.
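Two of the mitigations above reduce to static checks that can run in a mail gateway or sandbox pre-filter: does an Excel workbook carry a VBA project at all, and does a `.NET` binary carry the marker ConfuserEx leaves behind? The following is an added example, not the report's or any vendor's code. The sample workbook and the minimal PE header are constructed in memory (they are parseable, not loadable); the `ConfusedByAttribute` / `ConfuserEx v` strings are the marker the stock ConfuserEx build embeds as a custom attribute, and its absence proves nothing because forks strip it.

```python
"""Static triage of two artifacts from the chain: a macro-enabled OOXML workbook
and a .NET PE obfuscated with ConfuserEx. Added example; samples are constructed."""
import io
import struct
import zipfile

CLR_DIR_INDEX = 14                  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
CONFUSEREX_MARKERS = (b"ConfusedByAttribute", b"ConfuserEx v")


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip-based) workbook carries a VBA project.

    Checks both the usual part name and the content-type declaration, so a
    renamed part is still caught. Legacy binary .xls files are OLE2, not zip,
    and need an OLE parser instead.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                return True
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            return "application/vnd.ms-office.vbaproject" in ct
    except (zipfile.BadZipFile, KeyError):
        return False


def is_dotnet_pe(data: bytes) -> bool:
    """Walk DOS -> PE -> optional header and test the CLR runtime data directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                     # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                        # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return False
    if struct.unpack_from("<I", data, nrva_off)[0] <= CLR_DIR_INDEX:
        return False
    rva, size = struct.unpack_from("<II", data, dd_off + 8 * CLR_DIR_INDEX)
    return rva != 0 and size != 0


def confuserex_markers(data: bytes):
    """Return the ConfuserEx marker strings present; a triage lead, not proof."""
    return [m.decode() for m in CONFUSEREX_MARKERS if m in data]


def triage(data: bytes) -> dict:
    return {"vba_project": ooxml_has_vba(data),
            "dotnet": is_dotnet_pe(data),
            "confuserex": confuserex_markers(data)}


# Constructed samples (hypothetical content, not real malware).
def build_sample_xlsm(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_vba:
            ct += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba-container")
        z.writestr("[Content_Types].xml", ct + "</Types>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def build_sample_dotnet_pe(obfuscated: bool) -> bytes:
    """Minimal PE32 header with a populated CLR directory, followed by a fake #Strings heap."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)      # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR_INDEX, 0x2008, 72)    # CLR header rva/size
    heap = b"ConfusedByAttribute\0ConfuserEx v1.0.0\0" if obfuscated else b"Program\0"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"#Strings\0" + heap


if __name__ == "__main__":
    print(triage(build_sample_xlsm(True)))
    print(triage(build_sample_dotnet_pe(True)))
```

The PE walk matters because the marker strings can appear in unrelated files; pairing a positive CLR directory with the marker keeps the check from firing on, say, a YARA rule file that quotes the same string.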