Ghostwriter Malware Targets Government Organizations with Weaponized XLS File

A new wave of cyberattacks attributed to the Ghostwriter Advanced Persistent Threat (APT) group has been detected, targeting government and military entities in Ukraine and opposition groups in Belarus.

The campaign, active since late 2024, employs weaponized Excel (XLS) files embedded with malicious macros to deliver malware payloads, underscoring the evolving sophistication of state-sponsored cyber-espionage operations.

Ghostwriter, also known as UNC1151 or UAC-0057, has been linked to Belarusian government interests and has a history of blending disinformation campaigns with hacking.

The latest attacks use Excel documents disguised as legitimate files, such as reports on political prisoners or anti-corruption initiatives.

These documents lure victims into enabling macros, triggering the execution of obfuscated Visual Basic for Applications (VBA) scripts.

Upon activation, the scripts deploy a downloader malware variant known as PicassoLoader, which has been adapted for this campaign.

Technical Details of the Attack

The malicious XLS files are typically delivered via phishing emails containing links to Google Drive-hosted archives.

Once downloaded and opened, the embedded macros execute commands to drop a DLL file into the system’s temporary directory.

According to SentinelOne Report, the DLL is then loaded using Windows’ regsvr32.exe, initiating further stages of the infection chain.

The malware employs advanced obfuscation techniques using tools like ConfuserEx and Macropack to evade detection by security software.

One notable tactic involves creating decoy Excel files that appear legitimate, such as lists of criminal charges or government initiatives.

These decoys are displayed to victims while the malware operates in the background, downloading additional payloads from command-and-control (C2) servers hosted on domains mimicking legitimate websites.

For example, attackers have reused publicly available JPEG images from authentic blogs but altered their URLs to point to malicious servers.

The payload delivery is highly targeted, with attackers verifying client profiles such as IP addresses and user-agent strings before delivering the final stage malware.

This selective approach ensures that only intended victims receive the harmful payloads, reducing the likelihood of detection by researchers or automated defenses.

Broader Implications and Attribution

The Ghostwriter campaign aligns with Belarusian geopolitical interests, particularly in undermining Ukrainian governmental stability and suppressing domestic opposition.

The use of PicassoLoader a malware toolkit exclusively associated with Ghostwriter—further solidifies attribution to this APT group.

The campaign’s timing coincides with critical events, including Belarus’ presidential election in January 2025 and ongoing tensions in Ukraine.

This operation highlights the persistent threat posed by state-aligned actors leveraging advanced techniques to infiltrate high-value targets.

Organizations in affected regions are urged to bolster their cybersecurity defenses by disabling macros in Office documents and implementing robust email filtering solutions.

While Belarus officially denies involvement in such activities, Ghostwriter’s continued operations reveal a coordinated effort to conduct cyber-espionage in support of its strategic objectives.

Security researchers emphasize vigilance against similar attacks as geopolitical conflicts increasingly spill into cyberspace.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free