Ghostwriter Cyber Attacks Use Obfuscated Excel Macros to Target Ukraine and Belarusian Opposition

A new Ghostwriter malware campaign is actively targeting Ukrainian government and military institutions, along with Belarusian opposition activists, in a renewed wave of cyber espionage.

The campaign uses weaponized Excel documents embedded with obfuscated macros. As revealed by cybersecurity firm SentinelOne, these documents act as entry points for delivering stealthy payloads, including a new version of PicassoLoader.

Ghostwriter, also known by aliases like Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and has consistently aligned itself with Russian state interests, spreading disinformation and launching targeted cyber operations across Europe.

Ghostwriter Malware Campaign Origins and Targets

Prepping Since Mid-2024, Going Live by Year’s End

The current activity has begun as early as July 2024, with full activation observed in November and December. It primarily targets:

• Ukrainian military and government offices
• Political opposition activists in Belarus
• Entities and individuals viewed as opponents of pro-Russian narratives

According to researcher Tom Hegel at SentinelOne, recent activity involving malware samples and command-and-control (C2) infrastructure suggests that the campaign will remain active in early 2025.

Also Read: E.U. Sanctions Russian Hackers for Cyber Attacks on Estonia’s Government

Infection Chain: From Shared Docs to Stealthy Loaders

The Entry Point: Google Drive and a Familiar Name

The Ghostwriter malware campaign begins with a RAR archive hosted on Google Drive, shared by a user posing as Vladimir Nikiforech. The archive contains a malicious Microsoft Excel file.

Once opened, users are prompted to enable macros — a long-standing method used to trick unsuspecting victims. When enabled, the macro:

1. Writes a DLL file to the victim’s system
2. Executes the DLL to deploy a streamlined version of PicassoLoader
3. Displays a decoy Excel document to avoid suspicion
4. Proceeds to download additional malware payloads

This approach has been consistent throughout 2024, with some payloads being used to deliver Cobalt Strike, a popular post-exploitation framework among state-sponsored hackers and cybercriminals.

Technical Details: Macropack and PicassoLoader in Action

Macros Obfuscated with Macropack

The Ghostwriter malware campaign continues using Macropack, a tool that obscures Visual Basic for Applications (VBA) macros in Excel files, making static analysis and detection more difficult.

Once triggered, the macro leverages embedded logic to drop or inject additional malware components. In this campaign:

• The main Excel file drops PicassoLoader
• PicassoLoader handles staging, downloading, and executing second-stage payloads

Example: LibCMD DLL Deployment

In one variant, a specially crafted Excel macro is used to deploy a DLL called LibCMD. This file:

• Executes cmd.exe, Windows’ native command-line tool
• Connects to stdin/stdout streams to establish control
• Loads in-memory as a .NET assembly, avoiding disk artefacts

Steganography and Covert C2

Using JPG Files to Hide Malware

One of the more novel aspects of the Ghostwriter malware campaign is the use of steganography — the practice of hiding data within image files.

SentinelOne observed an Excel lure designed to fetch a seemingly harmless JPG file from the domain sciencealert[.]shop.

Although the domain has since gone offline, this behaviour highlights Ghostwriter’s use of creative obfuscation tactics to deliver malware payloads through nontraditional channels.

When decoded, these images revealed embedded malware that activated post-download, ensuring minimal visibility to endpoint security solutions.

Persistent Use of ConfuserEx Obfuscation

Making Analysis Difficult for Researchers

Most of the .NET downloaders used in the campaign are obfuscated using ConfuserEx. This popular open-source tool scrambles code to hinder reverse engineering.

By employing ConfuserEx, Ghostwriter increases:

• Resilience against antivirus detection
• Difficulty in unpacking malware logic
• The time needed for analysts to deconstruct behaviour

The combination of Macropack for VBA macros and ConfuserEx for .NET binaries demonstrates a clear strategy: layered obfuscation for maximum stealth.

Strategic Intent: Espionage Over Destruction

Not Military, But Politically Aligned

While Belarus is not actively involved in direct military combat in the Russia-Ukraine conflict, this campaign indicates the country’s cyber operators are firmly supporting Russia’s political and intelligence goals.

The Ghostwriter malware campaign`s targets and tactics show a clear preference for:

• Long-term access to sensitive systems
• Data theft and surveillance over destruction
• Influence operations, including spreading false narratives about NATO and Ukraine

Why Excel Macros Still Work in 2025

Despite repeated warnings from security firms and years of public advisories, macros in Microsoft Office files remain a common attack vector — mainly because:

• Many users still enable macros for compatibility reasons
• Macros are deeply embedded in enterprise workflows
• Legacy defences focus on known patterns, while obfuscation techniques keep evolving

This highlights the need for stronger email filtering, endpoint detection, and user training to combat socially engineered lures.

What to Do Now: Recommendations

Defending Against Macro-Based Malware

Organizations, especially those in Eastern Europe, should take proactive steps to prevent the Ghostwriter malware campaign`s based attacks:

• Disable macros by default across Microsoft Office tools
• Enable Microsoft Defender for Office to scan email attachments
• Use network-based anomaly detection to monitor unusual downloads
• Implement filetype restrictions for incoming email attachments (e.g., block RAR/Excel)
• Educate staff on the dangers of enabling macros from unknown sources
• Deploy sandbox environments to inspect suspicious documents safely

FAQs

Who is a Ghostwriter?

Ghostwriter is a Belarus-aligned cyber espionage group known for targeting Ukraine and promoting Russian political agendas through hacking and disinformation.

How does the malware infect victims?

Victims are lured via Excel files hosted on Google Drive. Once macros are enabled, the file drops a DLL to deliver further malware like PicassoLoader.

What is PicassoLoader?

PicassoLoader is a malware staging tool for downloading and executing additional payloads, such as Cobalt Strike, on compromised machines.

What is Macropack?

Macropack is a framework for obfuscating Excel VBA macros, making them difficult for security software to analyze and detect.

What role does steganography play in this attack?

The Ghostwriter hides malware inside image files (JPGs) using steganography. The images are downloaded during the attack and decoded to extract malware.

Is this campaign ongoing?

Yes. As of early 2025, infrastructure and sample activity suggest the campaign is still active and evolving.