Source: SentinelLABS
A new Ghostwriter campaign has been uncovered by SentinelLABS, targeting Ukrainian military, government entities, and Belarusian opposition activists. The latest wave of attacks, observed between July 2024 and early 2025, employs weaponized Excel documents to deploy malware, marking an evolution in the group’s tactics.
The Ghostwriter campaign has been active since 2016, with strong links to Belarusian government espionage efforts. It is commonly associated with UNC1151 (Mandiant) and UAC-0057 (CERT-UA).
The group is known for combining cyber espionage with information manipulation, often targeting Eastern European countries. Past attacks have utilized malicious Excel files to deliver payloads like PicassoLoader and Cobalt Strike, both of which were observed in previous operations against Ukrainian targets.
The newly uncovered campaign primarily relies on weaponized Excel files, often disguised as documents of political or governmental interest. These documents contain malicious VBA macros, which execute once macros are enabled, ultimately delivering malware to the victim’s machine.
The attacks involve a multi-stage infection chain, including:
- The malicious Excel document executes its VBA macro once the victim enables macros.
- The VBA macro drops an obfuscated DLL to the system.
- The DLL, executed via rundll32.exe, loads additional malware.
- Persistence is achieved through Windows Registry modifications, ensuring the malware runs at startup.
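To illustrate how a defender can turn the chain above into detection logic, the following is an added example (not SentinelLABS' code, and not tied to any specific sample from the report) that classifies constructed Sysmon-style process-creation and registry events; the file paths, registry value name and SID in the sample events are assumptions.

```python
# Added example: detection logic for the Excel -> rundll32 -> Run-key chain,
# run over constructed Sysmon-style events (EventID 1 = process create,
# EventID 13 = registry value set). Paths and names are constructed.
from dataclasses import dataclass

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str               # process performing the action
    parent_image: str = ""   # parent process (EventID 1 only)
    command_line: str = ""   # full command line (EventID 1 only)
    target_object: str = ""  # registry path (EventID 13 only)
    details: str = ""        # registry value data (EventID 13 only)

def classify(ev: Event) -> list:
    """Return the names of the detections that fire for a single event."""
    hits = []
    image, parent = ev.image.lower(), ev.parent_image.lower()
    cmd, data = ev.command_line.lower(), ev.details.lower()
    # Stage 1/2: Office spawning rundll32 is rare in normal use.
    if ev.event_id == 1 and parent.endswith("excel.exe") and image.endswith("rundll32.exe"):
        hits.append("office_spawns_rundll32")
    # Stage 2/3: rundll32 loading a DLL from a user-writable location.
    if ev.event_id == 1 and image.endswith("rundll32.exe") and any(p in cmd for p in USER_WRITABLE):
        hits.append("rundll32_loads_user_writable_dll")
    # Stage 4: Run-key persistence pointing at rundll32 or a user-writable path.
    if ev.event_id == 13 and any(k in ev.target_object.lower() for k in RUN_KEYS):
        if "rundll32" in data or any(p in data for p in USER_WRITABLE):
            hits.append("run_key_persistence_user_writable")
    return hits

def scan(events) -> list:
    """Return (event index, detection name) pairs for every hit in a batch."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
STAGE_DLL = r"C:\Users\victim\AppData\Local\Temp\stage.dll"  # constructed path
SAMPLE_EVENTS = [  # constructed events mirroring the described chain, plus one benign rundll32 use
    Event(1, OFFICE, r"C:\Windows\explorer.exe", r'"EXCEL.EXE" C:\Users\victim\Downloads\report.xls'),
    Event(1, r"C:\Windows\System32\rundll32.exe", OFFICE, f"rundll32.exe {STAGE_DLL},Start"),
    Event(13, r"C:\Windows\System32\rundll32.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=f"rundll32.exe {STAGE_DLL},Start"),
    Event(1, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\svchost.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The benign fourth event (rundll32 launched by svchost with a System32 DLL) produces no hit, which is the point of keying on parent process and DLL location rather than on rundll32.exe alone.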
Notably, Ghostwriter’s latest campaign includes advanced evasion techniques, such as:
- Memory-only execution to bypass disk-based detection.
- Obfuscated .NET assemblies with dynamically generated encryption keys.
- Modified PE headers to prevent signature-based detection.
SentinelLABS assesses with high confidence that this campaign is part of the broader Ghostwriter operation, likely controlled by Belarus-linked threat actors.
The Ghostwriter APT continues to evolve, employing weaponized documents, advanced obfuscation, and information warfare tactics to target Ukraine and Belarusian opposition groups.
With geopolitical tensions rising, cybersecurity defenses must adapt to counter these state-sponsored cyber threats. Organizations in the region must remain vigilant and proactive in defending against these sophisticated espionage campaigns.