Ghostwriter, a Belarus-aligned threat group also known as FrostyNeighbor, PUSHCHA, Storm-0257, TA445, and UAC-0057, has launched fresh attacks against Ukrainian government organizations using geofenced PDF phishing and Cobalt Strike infrastructure.

The group, active since at least 2016, combines cyber espionage with influence operations targeting Ukraine and neighboring countries. The current campaign deploys geofenced PDF attachments, that is, documents whose malicious content is only accessible from specific geographic locations. This restriction lets the attackers evade detection by security researchers and sandboxed analysis systems outside Ukraine while still delivering the malicious content to targeted victims within the country.
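A geofence decision normally lives on the attacker's server, not inside the PDF, so a geofenced lure typically has to reach out (a URI action, a remote GoTo, a form submit or a launch action), often triggered automatically on open. The following triage scanner is an added example written for this article; it is not Ghostwriter tooling, nor code from the original report. It flags auto-triggered actions and external references in a PDF, normalises hex-escaped names (`/Open#41ction`) and inflates FlateDecode streams so that actions hidden in object streams are still seen. The two fixture PDFs, the hostname `lure.example` and the quarantine policy are all constructed for the example.

```python
import re
import zlib

# Keyword classes that matter for a lure PDF. Names are matched after
# hex-escape normalisation and after inflating compressed streams.
AUTO_TRIGGERS = (b"/OpenAction", b"/AA")                      # fire without a click
EXTERNAL_REFS = (b"/URI", b"/GoToR", b"/SubmitForm", b"/Launch")  # reach outside the file
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/RichMedia", b"/EmbeddedFile")
ALL_INDICATORS = AUTO_TRIGGERS + EXTERNAL_REFS + ACTIVE_CONTENT

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_URL = re.compile(rb"https?://[^\s()<>]+")


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream to the scan buffer."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (or truncated): the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /Open#41ction is seen as /OpenAction."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count risk-relevant PDF names and collect any plain URLs in the document."""
    buf = normalize_names(inflate_streams(data))  # inflate first, then decode names
    counts = {}
    for kw in ALL_INDICATORS:
        # lookahead stops /AA matching /AAPL-style longer names
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", buf))
        if n:
            counts[kw.decode()] = n
    urls = sorted({u.decode("latin-1") for u in _URL.findall(buf)})
    return {"indicators": counts, "urls": urls}


def triage(data: bytes, sender_trusted: bool) -> str:
    """Constructed mail-gateway policy: auto-trigger + external reference from an
    untrusted sender is quarantined; anything else with indicators goes to review."""
    found = {k.encode() for k in scan_pdf(data)["indicators"]}
    if not found:
        return "allow"
    auto = any(k in AUTO_TRIGGERS for k in found)
    external = any(k in EXTERNAL_REFS for k in found)
    if not sender_trusted and auto and external:
        return "quarantine"
    return "review"


# Constructed fixtures (minimal, not fully valid PDFs; no xref table).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >>\nstream\n"
    b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET\n"
    b"endstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

# The URI action object is hidden inside a Flate-compressed object stream and
# the OpenAction name is hex-escaped; both are common ways to dodge naive scanners.
_HIDDEN = zlib.compress(b"5 0 obj << /S /URI /URI (http://lure.example/report?ref=1) >> endobj")
SUSPECT_PDF = b"".join([
    b"%PDF-1.5\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode() + b" >>\nstream\n",
    _HIDDEN,
    b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(name, scan_pdf(pdf), "->", triage(pdf, sender_trusted=False))
```

The scanner is a keyword triage, not a PDF parser: it will miss actions split across encryption or unusual filters (only FlateDecode is inflated here) and it treats every `/URI` as external even when the link is benign, which is why the policy routes uncertain cases to review rather than dropping them.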

Once victims open the geofenced PDFs, the attack chain deploys Cobalt Strike, a commercial penetration testing framework frequently repurposed for post-compromise activities. Cobalt Strike enables attackers to establish persistent access, move laterally across networks, and exfiltrate sensitive data.

The targeting of Ukrainian government infrastructure reflects Ghostwriter's consistent operational focus. The group maintains ties to Belarusian intelligence interests and coordinates objectives with broader regional espionage campaigns. Ukrainian government networks represent high-value targets for state-sponsored reconnaissance and intelligence collection.

Organizations defending against Ghostwriter should implement email filtering rules that block or quarantine PDF attachments from untrusted sources. User awareness training addressing geofenced and location-restricted content remains essential, as these techniques exploit legitimate functionality to bypass traditional email security. Network defenders should monitor for Cobalt Strike indicators of compromise, including characteristic beacon traffic patterns and command infrastructure communications.
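The "characteristic beacon traffic patterns" mentioned above come from the way a Cobalt Strike beacon checks in on a configured sleep interval with a percentage of jitter, which leaves a source/destination pair with unusually regular inter-request gaps in proxy logs. The script below is an added example for this article (not code from the original report or from any vendor product) that runs that heuristic over constructed proxy log lines. The IP addresses, hostnames, URL paths and thresholds are all assumptions chosen for the example; a real deployment would tune them against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log lines: time src dst method path status bytes.
# 10.0.0.5 checks in roughly every 60 s with jitter (beacon-like);
# 10.0.0.6 browses irregularly; 10.0.0.7 is regular but has too few requests.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:00:58Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:02:01Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:03:01Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:03:56Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:05:00Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:06:01Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:07:00Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:08:02Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:08:59Z 10.0.0.5 cdn-assets.example GET /updates/check 200 312
2024-05-02T10:00:05Z 10.0.0.6 news.example GET / 200 48213
2024-05-02T10:00:07Z 10.0.0.6 news.example GET /style.css 200 9120
2024-05-02T10:00:40Z 10.0.0.6 news.example GET /article/17 200 30211
2024-05-02T10:03:12Z 10.0.0.6 news.example GET /article/22 200 28877
2024-05-02T10:03:13Z 10.0.0.6 news.example GET /img/hero.jpg 200 120433
2024-05-02T10:09:50Z 10.0.0.6 news.example GET /search?q=x 200 15602
2024-05-02T10:00:00Z 10.0.0.7 time-sync.example GET /now 200 64
2024-05-02T10:05:00Z 10.0.0.7 time-sync.example GET /now 200 64
2024-05-02T10:10:00Z 10.0.0.7 time-sync.example GET /now 200 64
"""

MIN_REQUESTS = 6        # fewer samples give a meaningless regularity score
MAX_CV = 0.25           # coefficient of variation of the gaps (stdev / mean)
MIN_MEAN_GAP = 5.0      # seconds; tighter loops are usually streaming or app polling
MAX_MEAN_GAP = 3600.0   # seconds; longer sleeps need a longer observation window


def parse_log(text: str) -> list:
    """Parse the constructed log format into (time, src, dst, path, bytes) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, path, _status, size = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((t, src, dst, path, int(size)))
    return rows


def find_beacons(rows: list) -> list:
    """Return src/dst pairs whose inter-request gaps are suspiciously regular."""
    by_pair = defaultdict(list)
    for t, src, dst, _path, _size in rows:
        by_pair[(src, dst)].append(t)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if not MIN_MEAN_GAP <= m <= MAX_MEAN_GAP:
            continue
        cv = pstdev(gaps) / m  # jittered sleep keeps this small; browsing does not
        if cv <= MAX_CV:
            findings.append({"src": src, "dst": dst, "requests": len(times),
                             "mean_gap_s": round(m, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

Treat a hit as a lead, not a verdict: legitimate software updaters and monitoring agents also poll on fixed timers, so the output should be joined with destination reputation, process context from the endpoint, and an allowlist of known pollers before anyone is paged.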

The geofencing technique demonstrates threat actors refining evasion tactics against security research and threat intelligence collection. As automated analysis platforms expand globally, adversaries develop geographic restrictions to prevent detection. Ukrainian organizations face heightened risk and should prioritize endpoint detection and response capabilities alongside network segmentation to limit