Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware


A Belarus-aligned cyber threat actor known as Ghostwriter has been linked to a new malware campaign targeting opposition activists in Belarus as well as Ukrainian military and government entities. The campaign was prepared in July-August 2024 and became active in November-December 2024; it uses malicious Excel documents to deploy a new variant of PicassoLoader. The attack chain begins with a RAR archive shared via Google Drive. Once the victim opens the enclosed workbook and enables its macro, the macro writes a DLL to disk and downloads additional payloads, including Cobalt Strike.

The campaign also employs steganography to hide second-stage malware inside JPG images, and uses a DLL named LibCMD to execute system commands. Ghostwriter continues to rely on Excel workbooks carrying Macropack-obfuscated VBA macros and on .NET downloaders obfuscated with ConfuserEx to conduct cyber espionage against Ukraine. Although Belarus is not engaged militarily in the Russia-Ukraine conflict, its cyber actors remain actively involved in intelligence-gathering operations.
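The report does not say how the second stage is embedded in the JPG files, so the following is an added, generic triage check rather than code from the campaign or from any vendor write-up: it walks the JPEG marker segments and reports any bytes that sit after the End-Of-Image marker (FF D9), which is the simplest way a payload gets glued onto an image. The sample image, the appended "MZ" blob and the small signature table are constructed for the example; true pixel-level (LSB) steganography would pass this check unnoticed.

```python
"""Heuristic check for data appended after a JPEG's End-Of-Image marker.

Added example, not code from the Ghostwriter campaign or any vendor report.
It detects only the simplest case (payload appended after FF D9); data
hidden inside the pixel stream itself would not be flagged.
"""
import struct

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image

# Assumption for the classifier: an appended stage is often a raw PE or an
# archive. These three signatures are real file magics; the table is ours.
KNOWN_MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the JPEG marker segments and return every byte after EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan: degenerate but valid
            return data[pos + 2:]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:
            # Start Of Scan: entropy-coded data follows the SOS header.
            # Inside scan data every 0xFF is stuffed (FF 00) or an RSTn
            # (FF D0..D7), so the first FF D9 after it is the real EOI.
            eoi = data.find(EOI, pos + 2 + seg_len)
            if eoi == -1:
                raise ValueError("truncated JPEG: no EOI after SOS")
            return data[eoi + 2:]
        pos += 2 + seg_len
    raise ValueError("truncated JPEG: ran out of segments")


def classify_trailer(trailer: bytes) -> str:
    """Label the appended bytes: 'none', a known container, or 'unknown'."""
    if not trailer:
        return "none"
    for magic, label in KNOWN_MAGIC.items():
        if trailer.startswith(magic):
            return label
    return "unknown"


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG (APP0 + SOS + a few scan bytes) for testing."""
    app0 = (b"\xff\xe0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # stuffed FF and an RST0 marker
    return SOI + app0 + sos + scan + EOI + trailer


if __name__ == "__main__":
    samples = [
        ("clean", build_sample_jpeg()),
        ("appended", build_sample_jpeg(b"MZ\x90\x00" + b"\x00" * 64)),
    ]
    for name, blob in samples:
        trailer = jpeg_trailing_data(blob)
        print(f"{name}: {len(trailer)} trailing bytes, type={classify_trailer(trailer)}")
```

Run it over images pulled from a suspect download location and treat any non-empty trailer as worth a closer look; a large "unknown" trailer with high entropy is just as interesting as one with a recognisable magic, since the stage may be encrypted before being appended.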
