Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
Summary
Hide ▲
Show ▼
The Ghostwriter / FrostyNeighbor group is running a geofenced spear-phishing campaign against government entities in Ukraine, and the operation matters because it delivers a loader chain that can culminate in Cobalt Strike access. The current wave has been observed since March 2026 and uses malicious PDFs that impersonate Ukrtelecom. Victims outside Ukraine are served benign content, while Ukrainian targets are routed into the attack chain.
Related Happenings
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
CampaignAbout this happening: A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
CampaignAbout this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
APT28 long-term espionage campaign targeting Ukrainian military personnel
Campaign
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...
APT28 long-term espionage campaign targeting Ukrainian military personnel
CampaignAbout this happening: A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...
Silver Dragon intrusion and phishing campaign targeting Europe, Southeast Asia, and Uzbekistan
Campaign
First: 04.03.2026 10:14
Last: 04.03.2026 10:14
Sources 1
About this happening:
The **Silver Dragon** campaign is actively using **public-facing internet servers** and **phishing emails with malicious attachments** to gain initial access, expanding risk acros...
Silver Dragon intrusion and phishing campaign targeting Europe, Southeast Asia, and Uzbekistan
CampaignAbout this happening: The **Silver Dragon** campaign is actively using **public-facing internet servers** and **phishing emails with malicious attachments** to gain initial access, expanding risk acros...
Dust Specter Iraq Foreign Affairs AI impersonation campaign
Campaign
First: 03.03.2026 12:30
Last: 03.03.2026 12:30
Sources 1
About this happening:
**Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...
Dust Specter Iraq Foreign Affairs AI impersonation campaign
CampaignAbout this happening: **Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...
Timeline
-
14.05.2026 17:00 1 articles · 13d ago
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Initial DisclosureThe campaign's current phase began **since March 2026** with **malicious PDFs** delivered through spear phishing and disguised as **Ukrtelecom** content. The initial delivery is **geofenced**, serving benign material outside Ukraine while steering Ukrainian victims into a loader chain.
Show sources
- Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike — thehackernews.com — 14.05.2026 17:00