Ukrainian government, Belarusian opposition targeted in new espionage campaign

A suspected Belarusian state-backed hacking group is behind a cyber espionage campaign targeting opposition activists in the country, as well as Ukrainian military and government entities, according to a new report.

The operation, which researchers from cybersecurity firm SentinelOne linked to the long-running GhostWriter hacking group, has been in development since mid-2024 and is likely ongoing. The report, published Tuesday, doesn’t specify the goal of the campaign, but GhostWriter is primarily known for cyber espionage.

GhostWriter is closely tied to Belarusian state intelligence and has previously targeted government, military and civilian entities in Ukraine and Europe. It is known for deploying a relatively unchanged set of tools in its campaigns — like PicassoLoader, AgentTesla, Cobalt Strike Beacon and njRAT.

The attacks are the first documented case of the group directly targeting Belarus’s opposition. The timing may be linked to the country’s presidential election earlier in January, in which President Alexander Lukashenko secured his seventh consecutive term, according to the report.

The decoy document used in the attacks against the Belarusian opposition contains the names of political prisoners — information that was already publicly available.

In Ukraine, the hackers distributed phishing documents disguised as an anti-corruption initiative action plan for government organizations and a report template related to military supply logistics.

As part of the recent campaign, the hackers infected their targets with a modified version of PicassoLoader malware. Researchers said the latest variant features significant code alterations, potentially making it more cost-effective and easily replaceable.

GhostWriter has repeatedly targeted Ukrainian entities. In 2023, it deployed PicassoLoader against Ukraine’s government organizations, including an attack on Ukraine’s National Defense University. Last June, the group attacked Ukraine’s Ministry of Defense and a military base.

“While Belarus doesn’t actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservations about conducting cyber espionage operations against Ukrainian targets,” the researchers said.

The group’s latest attacks also serve as confirmation that GhostWriter is closely aligned with the interests of the Belarusian government, “waging an aggressive pursuit of its opposition and organizations associated with it.”

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.