Ghostwriter APT Targets Ukraine with Evolving PicassoLoader Malware
The Belarus-aligned **Ghostwriter** APT group is actively targeting Ukrainian government entities with spear-phishing attacks, deploying an updated JavaScript version of the **PicassoLoader** malware. Simultaneously, other threat actors like **Gamaredon**, **BO Team**, and **Hive0117** are intensifying cyber operations against Ukraine and Russia.

**Ghostwriter** (also tracked as FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx), a threat group with suspected ties to Belarus, has been linked to a new wave of attacks targeting governmental organizations in Ukraine. This APT has been active since at least 2016, known for both cyber espionage and influence operations, primarily targeting neighboring countries, especially Ukraine.
**Ghostwriter's** Tactics and Toolset
**ESET** researchers have noted that FrostyNeighbor consistently updates its toolset and compromise methods to evade detection. Previous attacks have involved the **PicassoLoader** malware family, which serves as a conduit for **Cobalt Strike Beacon** and **njRAT**. In late 2023, the group exploited a **WinRAR** vulnerability (**CVE-2023-38831**) to deploy **PicassoLoader** and **Cobalt Strike**.
In 2025, Polish entities were targeted via a phishing campaign exploiting a cross-site scripting (XSS) flaw in **Roundcube** (**CVE-2024-42009**) to capture email login credentials. Compromised accounts were then used to analyze mailbox contents, download contact lists, and propagate further phishing messages, according to a report from **CERT Polska**.
By late 2025, the group incorporated anti-analysis techniques, using dynamic CAPTCHA checks in lure documents to trigger the attack chain.
Latest Campaign Details
Since March 2026, **Ghostwriter** has been using spear-phishing attacks with malicious PDFs to target Ukrainian government entities. These attacks ultimately deploy a JavaScript version of **PicassoLoader** to drop **Cobalt Strike**. The PDF decoys impersonate the Ukrainian telecommunications company **Ukrtelecom**.
The infection sequence includes a geofencing check, delivering a benign PDF if the victim's IP address is not in Ukraine. The embedded link in the PDF delivers a RAR archive containing a JavaScript payload, displaying a lure document while launching **PicassoLoader** in the background.
The downloader profiles the compromised host, and operators manually decide whether to send a third-stage JavaScript dropper for **Cobalt Strike Beacon**. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to assess the victim's value.
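The fixed 10-minute fingerprint cadence described above is the kind of regularity a defender can hunt for in egress logs. The following script is an added example, not code from the report or from any of the vendors cited; the log format, source IP and destination hosts are constructed for illustration, and it flags any (source, destination) pair whose connection gaps are nearly constant.

```python
"""Flag periodic outbound connections in proxy logs (added example, not from the report).

The report describes the loader sending a host fingerprint every 10 minutes;
this looks for that kind of regular cadence. Log format and hosts are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one "timestamp src_ip dst_host" record per line.
SAMPLE_LOG = """\
2026-03-12T09:00:02 10.1.4.22 updates.example-cdn.test
2026-03-12T09:10:01 10.1.4.22 updates.example-cdn.test
2026-03-12T09:20:03 10.1.4.22 updates.example-cdn.test
2026-03-12T09:30:02 10.1.4.22 updates.example-cdn.test
2026-03-12T09:40:01 10.1.4.22 updates.example-cdn.test
2026-03-12T09:03:17 10.1.4.22 mail.example.test
2026-03-12T09:11:40 10.1.4.22 mail.example.test
2026-03-12T09:25:05 10.1.4.22 mail.example.test
2026-03-12T09:58:59 10.1.4.22 mail.example.test
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds) for pairs whose inter-connection
    gaps are regular: coefficient of variation of the gaps below max_jitter.
    Ordinary user traffic (the mail host above) is irregular and is not flagged."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

On real logs, lower `max_jitter` tightens the match and `min_hits` sets how many check-ins must be observed before a pair is reported.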

Targeted Sectors
The primary focus appears to be military, defense, and governmental organizations in Ukraine. In Poland and Lithuania, the victimology is broader, including industrial, manufacturing, healthcare, pharmaceuticals, logistics, and government sectors.
**Gamaredon's** GammaDrop and GammaLoad Attacks
The Russia-affiliated **Gamaredon** hacking group has been conducting spear-phishing campaigns against Ukrainian state institutions since September 2025. These campaigns aim to deliver **GammaDrop** and **GammaLoad** downloader malware via RAR archives exploiting **CVE-2025-8088**.
According to **HarfangLab**, these emails, often spoofed or sent from compromised government accounts, deliver persistent, multi-stage VBScript downloaders that profile the infected system. While the tactics are not technically novel, **Gamaredon's** strength lies in its relentless operational tempo and scale.
BO Team and Hive0117 Target Russia
**Kaspersky** reports that the pro-Ukraine hacktivist group **BO Team** (aka Black Owl) may be collaborating with **Head Mare** (aka PhantomCore) in attacks against Russian organizations, citing overlapping infrastructure and tools. **BO Team** attacks in 2026 have used spear-phishing to deliver BrockenDoor and ZeronetKit, with the latter capable of compromising Linux systems.
These attacks also feature ZeroSSH, a previously undocumented Go-based backdoor that can execute arbitrary commands and establish a reverse SSH channel. The **BO Team** has targeted approximately 20 organizations in the first quarter of 2026.
**Kaspersky** notes that the nature of the interaction between the groups is unclear, but the recorded intersections of tools and infrastructure suggest potential coordination against Russian organizations.
**Hive0117**, a financially motivated group, has also targeted Russian enterprises, stealing over 14 million rubles by breaking into accountants' computers via phishing campaigns and disguising transfers as salary payments. These emails were sent to over 3,000 Russian organizations between February and March 2026, according to **F6**.
**Hive0117's** operations have also targeted users in Lithuania, Estonia, Belarus, and Kazakhstan. The attacks use invoice-themed lures to distribute RAR archives containing malicious files that drop DarkWatchman, a remote access trojan attributed to the group.
**F6** reports that the attackers use remote access to online banking systems via compromised accountants' computers to initiate payments to mule accounts. If these transactions bypass anti-fraud systems, the attackers can withdraw significant amounts from the companies' accounts.