VulnHub

Real-time Cybersecurity News

Ghostwriter group resumes attacks on Ukrainian Government targets

Security Affairs
Actively Exploited
APTCritical

Overview

ESET has reported that the Ghostwriter group, also known as FrostyNeighbor, has resumed its cyberattacks on Ukrainian government organizations. This activity has been ongoing since at least March 2026 and follows a pattern similar to their previous campaigns. The group appears to be targeting sensitive government systems, which raises concerns about the security of critical infrastructure in Ukraine. As the conflict in the region continues, these attacks could have serious implications for government operations and national security. Researchers emphasize the need for heightened vigilance and improved cybersecurity measures within affected organizations.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Ukrainian government organizations
  • Action Required: Organizations should enhance their cybersecurity protocols and monitor for suspicious activity.
  • Timeline: Ongoing since March 2026

Original Article Summary

ESET uncovered new Ghostwriter (aka FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026. ESET researchers published a new report documenting fresh activity attributed to the APT group FrostyNeighbor, aka Ghostwriter, active since at least March 2026, targeting Ukrainian governmental organizations. The campaign is similar to previous FrostyNeighbor’s campaigns. The threat […]

Impact

Ukrainian government organizations

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since March 2026

Remediation

Organizations should enhance their cybersecurity protocols and monitor for suspicious activity.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to APT, Critical.

Read Original Article

Related Coverage

Here’s how the FTC plans to enforce the Take It Down Act

CyberScoop

The Federal Trade Commission (FTC) is stepping up its enforcement of the Take It Down Act, which aims to combat the online sharing of explicit images without consent. The agency plans to impose significant fines on those who violate the law and has promised to initiate investigations against offenders. While this move is a strong statement against non-consensual sharing, experts have raised concerns about the FTC's resources and priorities in handling such cases. The effectiveness of these measures will depend on how the agency allocates its resources in the face of ongoing challenges in online safety. This law is particularly important as it seeks to protect individuals from harmful digital practices that can have lasting emotional and social consequences.

May 15, 2026

Popular node-ipc npm package compromised to steal credentials

BleepingComputer

Hackers have compromised the popular node-ipc npm package, adding malware designed to steal user credentials in recent versions. This supply chain attack specifically targets developers who rely on node-ipc for inter-process communication in their applications. Users of the affected package are at risk of having their sensitive information, such as passwords and tokens, captured by the malicious code. This incident serves as a reminder of the vulnerabilities that can arise in the software supply chain, affecting not just individual developers but also the larger ecosystem that relies on these packages. Developers are urged to review their dependencies and ensure they are using safe versions of node-ipc to protect their credentials.

May 15, 2026

CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day

Security Affairs

Microsoft has confirmed that a new zero-day vulnerability in Exchange Server, identified as CVE-2026-42897, is being actively exploited by attackers. This vulnerability has a CVSS score of 8.1, indicating a high level of severity. It stems from improper handling of user input during web page generation, which can lead to cross-site scripting (XSS) attacks. Organizations using affected versions of Exchange Server are at risk, as attackers could exploit this flaw to execute malicious scripts in the context of users' browsers. Microsoft urges users to take immediate action to protect their systems and data from potential breaches.

May 15, 2026

Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution

BleepingComputer

The REMUS infostealer is a malware that focuses on stealing browser sessions and authentication tokens, which are now considered more valuable than traditional passwords. Researchers from Flare have observed its rapid evolution, emphasizing its capability for session theft and operational scalability. This malware allows attackers to hijack users' online accounts without needing to crack passwords, posing a significant risk to individuals and organizations alike. As cybercriminals increasingly adopt this method, users must be vigilant about their online security practices. The shift towards session theft indicates a growing trend in cyberattacks that could affect a wide range of online services and platforms.

May 15, 2026

Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence

The Hacker News

Researchers have identified four vulnerabilities in OpenClaw, a software framework that could be exploited by attackers to steal data, gain higher privileges, and maintain persistent access to systems. These vulnerabilities, referred to as Claw Chain, allow cybercriminals to infiltrate systems, extract sensitive information, and install backdoors for ongoing access. The flaws pose a significant risk to organizations using OpenClaw, as they can lead to serious data breaches and unauthorized control over affected systems. Companies that rely on this software should take immediate action to address these vulnerabilities to protect their data and systems from potential exploitation.

May 15, 2026

The Hidden Risk For IT Subcontractors: When Insurance, Not Security, Costs You The Contract

Cyber Defense Magazine

IT subcontractors are facing a new challenge that goes beyond traditional cybersecurity threats like data breaches and ransomware. Starting in 2026, the costs associated with cyber insurance are becoming a significant factor in contract negotiations. Many firms are finding that their insurance premiums or coverage limits are impacting their ability to secure contracts, as clients increasingly prioritize the financial stability provided by insurance over the actual cybersecurity measures in place. This shift may force subcontractors to rethink their approaches to both security and insurance, as the balance between risk management and contract acquisition becomes more complex. As the industry evolves, understanding the implications of insurance on contract viability will be crucial for IT firms moving forward.

May 15, 2026