A new Ghostwriter malware campaign is actively targeting Ukrainian government and military institutions, along with Belarusian opposition activists, in a renewed wave of cyber espionage.
The campaign uses weaponized Excel documents embedded with obfuscated macros. As revealed by cybersecurity firm SentinelOne, these documents act as entry points for delivering stealthy payloads, including a new version of PicassoLoader.
Ghostwriter, also known by aliases like Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and has consistently aligned itself with Russian state interests, spreading disinformation and launching targeted cyber operations across Europe.
Ghostwriter Malware Campaign Origins and Targets
Prepping Since Mid-2024, Going Live by Year’s End
The current activity began as early as July 2024, with full activation observed in November and December. It primarily targets:
- Ukrainian military and government offices
- Political opposition activists in Belarus
- Entities and individuals viewed as opponents of pro-Russian narratives
According to researcher Tom Hegel at SentinelOne, recent activity involving malware samples and command-and-control (C2) infrastructure suggests the campaign will still be active in early 2025.
Infection Chain: From Shared Docs to Stealthy Loaders
The Entry Point: Google Drive and a Familiar Name
The Ghostwriter malware campaign begins with a RAR archive hosted on Google Drive, shared by a user posing as Vladimir Nikiforech. The archive contains a malicious Microsoft Excel file.
Once the file is opened, users are prompted to enable macros, a long-standing method used to trick unsuspecting victims. When enabled, the macro:
- Writes a DLL file to the victim’s system
- Executes the DLL to deploy a streamlined version of PicassoLoader
- Displays a decoy Excel document to avoid suspicion
- Proceeds to download additional malware payloads
This approach has been consistent throughout 2024, with some payloads being used to deliver Cobalt Strike, a popular post-exploitation framework among state-sponsored hackers and cybercriminals.
Technical Details: Macropack and PicassoLoader in Action
Macros Obfuscated with Macropack
The Ghostwriter malware campaign continues using Macropack, a tool that obscures Visual Basic for Applications (VBA) macros in Excel files, making static analysis and detection more difficult.
Once triggered, the macro leverages embedded logic to drop or inject additional malware components. In this campaign:
- The main Excel file drops PicassoLoader
- PicassoLoader handles staging, downloading, and executing second-stage payloads
Example: LibCMD DLL Deployment
In one variant, a specially crafted Excel macro is used to deploy a DLL called LibCMD. This file:
- Executes cmd.exe, Windows’ native command-line tool
- Connects to stdin/stdout streams to establish control
- Loads in-memory as a .NET assembly, avoiding disk artefacts
Steganography and Covert C2
Using JPG Files to Hide Malware
One of the more novel aspects of the Ghostwriter malware campaign is the use of steganography — the practice of hiding data within image files.
SentinelOne observed an Excel lure designed to fetch a seemingly harmless JPG file from the domain sciencealert[.]shop.
Although the domain has since gone offline, this behaviour highlights Ghostwriter’s use of creative obfuscation tactics to deliver malware payloads through nontraditional channels.
When decoded, these images revealed embedded malware that activated post-download, ensuring minimal visibility to endpoint security solutions.
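The article does not say how the payload was embedded in the JPG. The following added example (not SentinelOne's analysis code) checks for the most common variant a responder meets, bytes appended after the JPEG End-Of-Image marker, which viewers render normally while the trailing data rides along; it walks the real segment structure rather than searching for the marker blindly, since 0xFFD9 can also occur inside an APP segment.

```python
"""Forensic check for data appended to a JPEG (added example, not SentinelOne's
code). Assumption: the hidden payload sits after the End-Of-Image (EOI) marker,
a common technique that image viewers silently ignore."""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}   # markers with no length field


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the JPEG segment structure and return any bytes after the EOI marker.
    Raises ValueError for input that is not a structurally valid JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            # Entropy-coded scan follows the SOS header: step to the EOI, passing
            # over stuffed 0xFF00 bytes and RSTn markers that legitimately occur.
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] == EOI:
                    return data[pos + 2:]        # everything after EOI is trailing data
                pos += 1
            raise ValueError("EOI marker not found")
        if marker in STANDALONE:
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # length covers itself
        pos += 2 + length
    raise ValueError("truncated JPEG")


def make_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed, minimal JPEG-shaped bytes (not a decodable picture):
    SOI, one APP0 segment, an SOS header, a few scan bytes, EOI, then trailer."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"      # contains a stuffed FF00 and an RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    sample = make_jpeg(b"constructed-appended-payload")
    extra = jpeg_trailing_data(sample)
    print(f"{len(extra)} trailing bytes after EOI")
```

A non-empty result is a triage signal, not proof of malice (some cameras and editors append metadata), so the trailing bytes should be handed to further analysis rather than auto-blocked.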
Persistent Use of ConfuserEx Obfuscation
Making Analysis Difficult for Researchers
Most of the .NET downloaders used in the campaign are obfuscated using ConfuserEx. This popular open-source tool scrambles code to hinder reverse engineering.
By employing ConfuserEx, Ghostwriter increases:
- Resilience against antivirus detection
- Difficulty in unpacking malware logic
- The time needed for analysts to deconstruct behaviour
The combination of Macropack for VBA macros and ConfuserEx for .NET binaries demonstrates a clear strategy: layered obfuscation for maximum stealth.
Strategic Intent: Espionage Over Destruction
Not Military, But Politically Aligned
While Belarus is not actively involved in direct military combat in the Russia-Ukraine conflict, this campaign indicates the country’s cyber operators are firmly supporting Russia’s political and intelligence goals.
The Ghostwriter malware campaign's targets and tactics show a clear preference for:
- Long-term access to sensitive systems
- Data theft and surveillance over destruction
- Influence operations, including spreading false narratives about NATO and Ukraine
Why Excel Macros Still Work in 2025
Despite repeated warnings from security firms and years of public advisories, macros in Microsoft Office files remain a common attack vector — mainly because:
- Many users still enable macros for compatibility reasons
- Macros are deeply embedded in enterprise workflows
- Legacy defences focus on known patterns, while obfuscation techniques keep evolving
This highlights the need for stronger email filtering, endpoint detection, and user training to combat socially engineered lures.
What to Do Now: Recommendations
Defending Against Macro-Based Malware
Organizations, especially those in Eastern Europe, should take proactive steps to defend against the macro-based attacks used in the Ghostwriter malware campaign:
- Disable macros by default across Microsoft Office tools
- Enable Microsoft Defender for Office to scan email attachments
- Use network-based anomaly detection to monitor unusual downloads
- Implement filetype restrictions for incoming email attachments (e.g., block RAR/Excel)
- Educate staff on the dangers of enabling macros from unknown sources
- Deploy sandbox environments to inspect suspicious documents safely
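The infection chain above starts with a RAR archive and a macro-enabled Excel file, and the recommendations call for blocking those attachment types. A filter keyed on the file extension is trivially bypassed by renaming, so the following added example (not code from SentinelOne or any vendor product) classifies attachments by content: the RAR and OLE2 magic bytes, and for OOXML files the presence of a `vbaProject.bin` part, which is what turns an .xlsx into a macro-carrying .xlsm.

```python
"""Content-based triage of e-mail attachments (added example, not vendor code):
classify by magic bytes and zip contents instead of the file extension, so a
renamed RAR archive or macro-enabled workbook is still recognised."""
import io
import zipfile

# Signatures taken from the public format specifications.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.xlsx/.xlsm) container
VBA_PART = "xl/vbaProject.bin"                      # present only in macro-enabled workbooks


def classify_attachment(data: bytes) -> str:
    """Label the attachment body as 'rar', 'ole2', 'ooxml-macro', 'ooxml' or
    'other'. Only the content is consulted, never the filename."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        # Word stores its VBA under word/, Excel under xl/; match either.
        if any(n.endswith("vbaProject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml"
    return "other"


def should_block(data: bytes, policy=("rar", "ole2", "ooxml-macro")) -> bool:
    """Blocking decision for the article's recommendation to restrict RAR and
    macro-capable Excel attachments. Legacy OLE2 files can always carry VBA, so
    they are blocked outright; macro-free OOXML is allowed through."""
    return classify_attachment(data) in policy


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal workbook-shaped zip for demonstration (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00constructed-vba-stream")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("rar", RAR5_MAGIC + b"\x00" * 16),
                        ("xlsm", make_ooxml(True)), ("xlsx", make_ooxml(False))]:
        print(label, classify_attachment(blob), "block" if should_block(blob) else "allow")
```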
FAQs
Who is Ghostwriter?
Ghostwriter is a Belarus-aligned cyber espionage group known for targeting Ukraine and promoting Russian political agendas through hacking and disinformation.
How does the malware infect victims?
Victims are lured via Excel files hosted on Google Drive. Once macros are enabled, the file drops a DLL to deliver further malware like PicassoLoader.
What is PicassoLoader?
PicassoLoader is a malware staging tool for downloading and executing additional payloads, such as Cobalt Strike, on compromised machines.
What is Macropack?
Macropack is a framework for obfuscating Excel VBA macros, making them difficult for security software to analyze and detect.
What role does steganography play in this attack?
Ghostwriter hides malware inside image files (JPGs) using steganography. The images are downloaded during the attack and decoded to extract the malware.
Is this campaign ongoing?
Yes. As of early 2025, infrastructure and sample activity suggest the campaign is still active and evolving.