ESET details new Ghostwriter activity targeting Ukrainian government

May 15, 2026
By SC Staff

ESET researchers have uncovered new activity from the APT group FrostyNeighbor, also known as Ghostwriter, which has been targeting Ukrainian government organizations since at least March 2026. This campaign mirrors previous operations by the threat actor, which is linked to the government of Belarus, based on information published by Security Affairs.

The latest FrostyNeighbor campaign begins with a spear-phishing email containing a PDF attachment disguised as an official communication from Ukrtelecom, a major Ukrainian telecommunications provider. The document includes a download button that leads to a delivery server. This server employs geofencing, serving a decoy document about electronic communications regulations to IP addresses outside Ukraine. However, for Ukrainian IP addresses, it delivers a RAR archive containing a JavaScript file. This file executes a JavaScript version of PicassoLoader, the group's payload downloader, which collects system information and sends it to attacker-controlled servers. Operators then manually decide whether to deliver a third-stage payload, typically a Cobalt Strike beacon, to high-value targets.

The group's targeting is specific, focusing on military, defense, and governmental entities in Ukraine, while also impacting industrial, healthcare, logistics, and government bodies in Poland and Lithuania. This evolution aligns with broader geopolitical security dynamics in Eastern Europe.

Source: Security Affairs