VulnHub

Real-time Cybersecurity News

Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

The Hacker News
Actively Exploited
Phishing

Overview

A Belarus-aligned hacking group known as Ghostwriter has launched new attacks against Ukrainian government organizations. This group, which has been active since at least 2016, is known for both cyber espionage and influence campaigns, primarily targeting Ukraine and its neighboring countries. The latest operations involve phishing attacks using geofenced PDF documents, which aim to trick users into revealing sensitive information. Additionally, the attackers are utilizing Cobalt Strike, a popular tool among cybercriminals for post-exploitation activities. These actions pose significant risks to Ukrainian governmental operations and national security, especially given the ongoing geopolitical tensions in the region.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Ukrainian government organizations
  • Action Required: Users should be cautious with unsolicited emails and PDF attachments.
  • Timeline: Ongoing since 2016

Original Article Summary

The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057

Impact

Ukrainian government organizations

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since 2016

Remediation

Users should be cautious with unsolicited emails and PDF attachments. Implementing advanced email filtering and security awareness training can help mitigate phishing risks.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Phishing.

Read Original Article

Related Coverage

American Lending Center Data Breach Affects 123,000 Individuals

SecurityWeek

American Lending Center, a non-bank lender, recently confirmed that a ransomware attack it experienced nearly a year ago has impacted the personal data of approximately 123,000 individuals. The company took time to thoroughly investigate the breach before disclosing it to the public. While specific details about how the attackers gained access or the type of data compromised have not been released, the incident raises concerns about the security of sensitive financial information. Affected individuals may face risks such as identity theft or financial fraud as a result of this breach. It serves as a reminder for companies to prioritize cybersecurity measures to protect client data.

May 15, 2026

Bypassing On-Camera Age-Verification Checks

Schneier on Security

Recent findings reveal that some AI-driven video age-verification systems can be easily deceived using simple disguises, like a fake mustache. This raises significant concerns for platforms relying on these systems to prevent underage access to content. Researchers demonstrated that these AI checks, designed to ensure compliance with age restrictions, may not be as secure as intended. The implications of this vulnerability could be serious, as it allows minors to bypass safeguards meant to protect them. Companies that implement age-verification measures need to reassess their systems to ensure they cannot be easily tricked and to better protect their users.

May 15, 2026

Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897)

Help Net Security

Microsoft has issued a warning about a serious cross-site scripting (XSS) vulnerability, identified as CVE-2026-42897, affecting on-premises versions of Microsoft Exchange Server. This vulnerability allows unauthorized attackers to spoof users over a network, posing significant risks to organizations that have not yet applied any fixes. The affected versions include Microsoft Exchange Server Subscription Edition RTM, 2019, and 2016, while Exchange Online remains unaffected. Microsoft is currently working on a permanent fix, but until it is released, they have provided temporary mitigations for users to implement. Organizations using the affected versions should take immediate action to safeguard their systems from potential exploitation.

May 15, 2026

TeamPCP Ups the Game, Releases Shai-Hulud Worm’s Source Code

SecurityWeek

The hacking group TeamPCP has released the source code for a piece of malware called the Shai-Hulud Worm. This release is particularly concerning as the group is actively encouraging other cybercriminals to utilize the code for supply chain attacks, even offering monetary rewards for successful exploits. Such attacks can have serious implications, as they target the software and services that organizations rely on, potentially compromising a wide range of systems. By making this code publicly available, TeamPCP is increasing the risk of these types of attacks, which could affect various sectors that depend on secure supply chains. Organizations should be vigilant and review their security measures to mitigate potential risks associated with this malware.

May 15, 2026

China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer

Infosecurity Magazine

Hackers believed to be linked to China have targeted the Indian branch of a major global manufacturer using a new type of malware called TencShell. This malware is based on an open-source offensive toolkit, which suggests that the attackers are utilizing publicly available resources to carry out their operations. The implications of this attack are significant, as it not only affects the manufacturer but also raises concerns about the security of global supply chains. Companies operating in similar sectors should be vigilant, as this incident could indicate a broader trend of targeting multinational firms. The incident underscores the need for enhanced cybersecurity measures across industries to protect against sophisticated attacks.

May 15, 2026

Chrome 148 Update Patches Critical Vulnerabilities

SecurityWeek

Google's latest Chrome update, version 148, addresses several critical vulnerabilities, including a serious use-after-free issue affecting various browser components. This type of vulnerability can allow attackers to execute arbitrary code, potentially leading to unauthorized access or data breaches. Users of Chrome should update to the latest version to ensure their browsers are secure. Keeping browsers up to date is crucial, as these vulnerabilities can be exploited if left unpatched. The update underscores the ongoing need for vigilance in cybersecurity, especially given the frequency of browser-based attacks.

May 15, 2026