A new cyber campaign is targeting opposition activists in Belarus as well as Ukrainian military and government organizations, using malware-laden Microsoft Excel documents to distribute a new variant of the PicassoLoader malware. This attack is believed to be an extension of a long-standing operation by the Belarus-aligned threat actor Ghostwriter (also known as Moonscape, TA445, UAC-0057, and UNC1151), active since 2016, which is suspected to support Russian security interests and promote anti-NATO narratives.
The campaign has been under development since mid-2024, entering its active phase in November-December of the same year. Recent analysis of malware samples and command-and-control (C2) activity confirms that the operation remains active.
The attack begins with a Google Drive document, shared from an account under the name Vladimir Nikiforech, that contains a RAR archive. Inside the archive is a malicious Excel file that, once opened, triggers the execution of an obfuscated macro. The macro writes a DLL file to disk, which in turn runs a simplified version of the PicassoLoader malware.
In the subsequent phase, the victim sees a decoy Excel file, while additional payloads are downloaded silently in the background. This method was also used in June 2024 to distribute the Cobalt Strike post-exploitation framework.
Other weaponized Excel documents have been found, some with Ukraine-themed lures designed to retrieve a second-stage malware via a remote URL (“sciencealert[.]shop”) using a seemingly innocent JPG image in a technique known as steganography. The URLs, however, are no longer operational.
In another variation, the infected Excel file is used to deploy a DLL named LibCMD, which executes cmd.exe and connects to stdin/stdout. The DLL is loaded into memory as a .NET assembly and executed directly.
Throughout 2024, Ghostwriter has consistently used Excel workbooks containing Macropack-obfuscated VBA macros, alongside embedded .NET downloaders obfuscated with ConfuserEx.
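Two host-side behaviours in the chain described above are easy to watch for: Excel writing a DLL to disk, and Excel spawning cmd.exe (as the in-memory LibCMD assembly does). The following is an added detection example, not code from the report or from the threat actor; the event schema and the telemetry records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Event:
    kind: str    # "process" (child spawned) or "file" (file written)
    image: str   # full path of the acting process
    target: str  # child image path for "process", written path for "file"

OFFICE_HOSTS = {"excel.exe"}  # the lure format used in this campaign
SHELLS = {"cmd.exe"}          # LibCMD executes cmd.exe from inside Excel

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious(ev: Event) -> Optional[str]:
    """Return a finding string if the event matches the Excel-side chain, else None."""
    image = _basename(ev.image)
    if image not in OFFICE_HOSTS:
        return None
    target = _basename(ev.target)
    if ev.kind == "process" and target in SHELLS:
        return f"{image} spawned {target}"
    if ev.kind == "file" and target.endswith(".dll"):
        return f"{image} wrote DLL {ev.target}"
    return None

def scan(events: List[Event]) -> List[str]:
    return [hit for ev in events if (hit := suspicious(ev)) is not None]

# Constructed sample telemetry (hypothetical paths, not real campaign indicators).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE = [
    Event("file", EXCEL, r"C:\Users\u\AppData\Local\Temp\loader.dll"),
    Event("process", EXCEL, r"C:\Windows\System32\cmd.exe"),
    Event("file", EXCEL, r"C:\Users\u\Documents\report.xlsx"),      # benign save
    Event("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),  # user shell
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The two benign records are included to show that an ordinary workbook save and a shell started from Explorer are not flagged.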
Although Belarus is not directly involved in the ongoing war in Ukraine, cyber actors associated with the country continue to conduct cyber espionage operations targeting Ukrainian organizations.