New Ghostwriter campaign targets Belarusian opposition and Ukraine


SentinelLABS, a cybersecurity laboratory, has detected a new Ghostwriter campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations.

The hack-and-leak Ghostwriter misinformation campaign, believed to contain a mixture of Belarusian and Russian peddlers and active since 2016, has been striking its targets again.

This time, SentinelLABS says, the Ghostwriter operatives have been directing their efforts against opposition activists in Belarus and Ukrainian government and military organizations. The campaign allegedly entered the active phase in November-December 2024.

“SentinelLABS has observed new activity with multiple weaponized Excel documents containing lures pertaining to the interests of the Ukraine government, the Ukraine military and domestic Belarusian opposition,” the laboratory said in a report.

For example, it analyzed an attack this past January that began with a Google Drive shared document landing in the target’s inbox. The link pointed to a downloadable RAR archive containing a malicious Excel workbook with the file name “Political prisoners (across courts of Minsk).xls”.

According to SentinelLABS, this is the first time lures aimed directly at the Belarusian government opposition have been seen. The timing of the attack could have been motivated by the presidential election that took place shortly after, on January 26th.

Another attack targeted Ukrainian institutions with decoy documents about an action plan for an anti-corruption initiative across government organizations, or a report about supplies for the Ukrainian army.

“This campaign poses a significant threat to targeted individuals, particularly those in the Ukrainian government and Belarusian opposition, as it could enable data theft and persistent access for further operations,” said Tom Hegel, Principal Threat Researcher at SentinelOne.

“While final payloads are not analyzed here, they are likely designed to establish remote access, facilitating intelligence collection in support of Belarusian and Russian interests.”

Ghostwriter, the state-backed hacking group, was thought to be supported by Russia until November 2021, when cybersecurity firm Mandiant linked it to Belarus, itself a key ally of the Vladimir Putin regime.

And in 2020, a Cybernews reporter had his own details hijacked by Ghostwriter and his name put to fake news stories declaring a NATO pullout from the Baltic region as a result of “COVID concerns.”
