Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends

Belarusian Hackers Attack Opposition and Ukraine with Malicious Code via Excel


Ghostwriter group behind new attacks. Opposition activists in Belarus as well as Ukrainian military and government organizations are the targets of a new campaign that uses malicious Microsoft Excel documents as bait to deliver a new variant of PicassoLoader.

The threat cluster is assessed to be an extension of a long-running campaign mounted since 2016 by a Belarus-aligned threat actor known as Ghostwriter (also tracked as Moonscape, TA445, UAC-0057 and UNC1151). The group is known to align with Russian security interests and to promote narratives critical of NATO.

Campaign timeline and activation

“The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024,” said SentinelOne researcher Tom Hegel in a technical report.


New findings:

  • Malware samples and command-and-control (C2) infrastructure activity suggest that the operation remains active.
  • The attack chain starts with a shared Google Drive document that hosts a malicious RAR archive.

Belarus-linked Ghostwriter uses MacroPack-obfuscated Excel macros to distribute malware

The technology behind the attacks

Excel macros as tools for infection

The RAR file contains a malicious Excel workbook with VBA code that, when opened, triggers an obfuscated macro. If the user enables macros, a DLL file is written to the system, which in turn launches a simplified version of PicassoLoader.

Steganography and invisible malware

In the next phase, a decoy Excel file is shown to the victim while additional payloads are downloaded in the background. As recently as June 2024, this technique was used to deliver the Cobalt Strike framework.

SentinelOne also identified other weaponized Excel documents that use a Ukraine theme as bait. These documents download malware via steganography, where a seemingly harmless JPG image contains hidden malicious code.
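As an added triage example (not code from SentinelOne or from the article), the two file types described above, a macro-bearing Excel workbook and a JPG carrying appended data, can be flagged with cheap structural checks: an Office Open XML workbook that contains an xl/vbaProject.bin part, and a JPEG with bytes after its real End-Of-Image marker. The sample workbook and image are constructed inline and are not real campaign artifacts; the checks are heuristics, not a replacement for a sandbox or a macro analyser.

```python
import io
import zipfile

# Constructed sample generators (placeholders, not samples from the campaign).
def build_workbook(with_vba: bool) -> bytes:
    """Minimal Office Open XML zip; with_vba adds the xl/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()

def build_jpeg(trailer: bytes = b"") -> bytes:
    """Minimal JPEG: SOI, APP0, SOS, a few scan bytes, EOI, then optional appended data."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # 0xFF inside scan data is always stuffed as FF 00
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer

def xlsx_has_vba(data: bytes) -> bool:
    """True if the workbook carries a VBA project (the part the macro lure depends on)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower() == "xl/vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes appended after the real End-Of-Image marker; -1 if not a complete JPEG.
    Walks the marker segments so an EXIF thumbnail's own EOI is not taken for the end."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:            # Start Of Scan: entropy-coded data follows
            break
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    eoi = data.find(b"\xff\xd9", pos)
    return -1 if eoi < 0 else len(data) - (eoi + 2)
```

A non-zero trailer count only says something is appended; what it is (and whether the macro is malicious) still needs analysis of the content itself.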

Using Libcmd and .NET downloaders

In some cases, the infected Excel document delivers a DLL named Libcmd, which runs cmd.exe and connects to its stdin/stdout. It is loaded directly into memory as a .NET assembly and executed without leaving traces on disk.

Ghostwriter's continued threats against Ukraine

“In 2024, Ghostwriter repeatedly used a combination of Excel workbooks with MacroPack-obfuscated VBA macros and embedded .NET downloaders,” says Hegel.

Although Belarus is not participating militarily in the war in Ukraine, cyber threat actors linked to the country remain active in cyber-espionage operations against Ukrainian targets.
