Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

UNC1151 (Ghostwriter) APT runs a geofenced-PDF phishing campaign against Ukrainian government and law enforcement agencies, delivering Cobalt Strike payloads.


What’s new

The threat actor known as UNC1151 (also referred to as Ghostwriter) has launched a phishing campaign targeting Ukrainian government and law enforcement agencies. The campaign uses geofenced PDF files to deliver Cobalt Strike payloads, focusing on entities involved in counterintelligence efforts against Belarusian and Russian operations.

Who’s affected

Ukrainian government and law enforcement organizations are the primary targets, along with related entities such as charitable funds and law firms.

What to do

  • Implement robust email filtering to detect and block phishing attempts, especially those originating from suspicious sources.
  • Educate employees about the risks of opening unsolicited attachments and links, particularly those that may seem legitimate but contain malicious payloads.
  • Utilize endpoint protection solutions to detect and respond to Cobalt Strike and other related threats.
  • Regularly update and patch systems to mitigate vulnerabilities that could be exploited by such campaigns.
