Friday, June 13, 2025
HomeAPTGhostwriter Malware Targets Government Organizations with Weaponized XLS File

Ghostwriter Malware Targets Government Organizations with Weaponized XLS File

Published on

SIEM as a Service

Follow Us on Google News

A new wave of cyberattacks attributed to the Ghostwriter Advanced Persistent Threat (APT) group has been detected, targeting government and military entities in Ukraine and opposition groups in Belarus.

The campaign, active since late 2024, employs weaponized Excel (XLS) files embedded with malicious macros to deliver malware payloads, underscoring the evolving sophistication of state-sponsored cyber-espionage operations.

Overview of the malware stages for Weaponized XLS 1

Ghostwriter, also known as UNC1151 or UAC-0057, has been linked to Belarusian government interests and has a history of blending disinformation campaigns with hacking.

- Advertisement - Google News

The latest attacks use Excel documents disguised as legitimate files, such as reports on political prisoners or anti-corruption initiatives.

These documents lure victims into enabling macros, triggering the execution of obfuscated Visual Basic for Applications (VBA) scripts.

Upon activation, the scripts deploy a downloader malware variant known as PicassoLoader, which has been adapted for this campaign.

Image file fetched from the malicious URL

Technical Details of the Attack

The malicious XLS files are typically delivered via phishing emails containing links to Google Drive-hosted archives.

Once downloaded and opened, the embedded macros execute commands to drop a DLL file into the system’s temporary directory.

According to SentinelOne Report, the DLL is then loaded using Windows’ regsvr32.exe, initiating further stages of the infection chain.

The malware employs advanced obfuscation techniques using tools like ConfuserEx and Macropack to evade detection by security software.

Overview of the malware stages for Weaponized XLS 2

One notable tactic involves creating decoy Excel files that appear legitimate, such as lists of criminal charges or government initiatives.

These decoys are displayed to victims while the malware operates in the background, downloading additional payloads from command-and-control (C2) servers hosted on domains mimicking legitimate websites.

For example, attackers have reused publicly available JPEG images from authentic blogs but altered their URLs to point to malicious servers.

The payload delivery is highly targeted, with attackers verifying client profiles such as IP addresses and user-agent strings before delivering the final stage malware.

This selective approach ensures that only intended victims receive the harmful payloads, reducing the likelihood of detection by researchers or automated defenses.

Broader Implications and Attribution

The Ghostwriter campaign aligns with Belarusian geopolitical interests, particularly in undermining Ukrainian governmental stability and suppressing domestic opposition.

The use of PicassoLoader a malware toolkit exclusively associated with Ghostwriter—further solidifies attribution to this APT group.

The campaign’s timing coincides with critical events, including Belarus’ presidential election in January 2025 and ongoing tensions in Ukraine.

This operation highlights the persistent threat posed by state-aligned actors leveraging advanced techniques to infiltrate high-value targets.

Organizations in affected regions are urged to bolster their cybersecurity defenses by disabling macros in Office documents and implementing robust email filtering solutions.

While Belarus officially denies involvement in such activities, Ghostwriter’s continued operations reveal a coordinated effort to conduct cyber-espionage in support of its strategic objectives.

Security researchers emphasize vigilance against similar attacks as geopolitical conflicts increasingly spill into cyberspace.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

TokenBreak Exploit Tricks AI Models Using Minimal Input Changes

HiddenLayer’s security research team has uncovered TokenBreak, a novel attack technique that bypasses AI...

WebDAV Remote Code Execution 0-Day Actively Exploited — PoC Released

A critical zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) protocol, tracked...

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users

A new, highly sophisticated cyberattack campaign is targeting users seeking to download the popular...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

TokenBreak Exploit Tricks AI Models Using Minimal Input Changes

HiddenLayer’s security research team has uncovered TokenBreak, a novel attack technique that bypasses AI...

WebDAV Remote Code Execution 0-Day Actively Exploited — PoC Released

A critical zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) protocol, tracked...

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...