Belarus-linked hackers target Ukrainian orgs with PicassoLoader malware


A suspected Belarusian state-sponsored hacker group targeted Ukrainian organizations and local government agencies with PicassoLoader malware, according to a new report.

In a campaign earlier this month, a hacker group known as GhostWriter — tracked as UAC-0057 — used their typical toolset of PicassoLoader and a backdoor called Cobalt Strike Beacon to infect Ukrainian victims.

Researchers at Ukraine’s computer emergency response team (CERT-UA) suspect the likely targets of these attacks were local government offices, as well as representatives of the U.S. Agency for International Development, which is responsible for administering civilian foreign aid and development assistance.

The content of some of the phishing emails sent by the hackers was related to USAID’s Hoverla project, which aims to reform the local governance system in Ukraine, CERT-UA said.

The report doesn’t specify the goal of the campaign, but GhostWriter is mostly known for being involved in cyber espionage. Researchers said the group could be interested in Ukraine’s financial and economic indicators, taxation, as well as the reform of local self-government bodies.

GhostWriter has repeatedly gone after Ukrainian entities. Last July, it deployed PicassoLoader against Ukraine’s government organizations, and in August 2023 it used the same tool to target Ukraine’s National Defense University. This June, the hackers attacked Ukraine’s Ministry of Defence and a military base.

In a 2021 report, Google-owned Mandiant said that GhostWriter is linked to the Belarusian state, and its campaigns align with Belarusian government interests. Researchers also believe Russia could have some influence over the group’s activity.

In addition to Ukraine, GhostWriter has also attacked Kyiv’s allies, including Lithuania, Latvia, and Poland. It is known for deploying a relatively unchanged set of tools in its campaigns — like the PicassoLoader, AgentTesla, Cobalt Strike Beacon, and njRAT.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
