
Ghostwriter - New campaign targets Ukrainian government and Belarusian opposition

February 2025 by SentinelLabs


Key findings:
• SentinelLABS has observed a campaign targeting opposition activists in Belarus, as well as Ukrainian military and government organisations
• The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024
• Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days
• SentinelLABS assesses that this cluster of threat activity is an extension of the long-running Ghostwriter campaign identified in previous public reporting.

Ghostwriter background
Ghostwriter is a long-running campaign, likely active since 2016 and subsequently described in various public reports from 2020 to 2024. The actor behind Ghostwriter campaigns is closely linked with Belarusian government espionage efforts and is most commonly tracked under the APT names UNC1151 (Mandiant) or UAC-0057 (CERT-UA). Some public reports use the term "Ghostwriter APT" to refer interchangeably to both the threat actor and its associated campaigns.

Previous research on the evolution of Ghostwriter noted how it operated successfully across a range of platforms, blending information manipulation with hacking to target a number of European countries. Reporting from 2022 to 2024 described activity in which malicious Excel documents were used to deliver PicassoLoader and Cobalt Strike payloads. The observed document lures were themed around issues pertaining to the Ukrainian military, and the Ministry of Defence was the likely target.

SentinelLABS has observed new activity involving multiple weaponised Excel documents with lures pertaining to the interests of the Ukrainian government, the Ukrainian military and the domestic Belarusian opposition. While some of the observed TTPs overlap with previous reporting, others are new, including adaptations of previously observed payloads such as PicassoLoader.
Although attribution for the 2021 Ghostwriter campaign pointed to the Belarusian state, this is the first time lures aimed directly at the Belarusian political opposition have been observed. The timing of the attack may have been motivated by the presidential election that took place shortly afterwards, on 26 January 2025.

Conclusion
The Ghostwriter threat actor has been consistently active in recent years and continues its attempts to compromise targets aligned with the interests of Belarus and its closest ally, Russia. It mounted multiple attacks throughout 2024 that were reported by CERT-UA and other security researchers.

