Image: Keyboard (Christian Wiediger / Unsplash)

Belarus-linked hackers target Ukrainian orgs with PicassoLoader malware

A suspected Belarusian state-sponsored hacker group targeted Ukrainian organizations and local government agencies with PicassoLoader malware, according to a new report.

In a campaign earlier this month, a hacker group known as GhostWriter — tracked as UAC-0057 — used its typical toolset of PicassoLoader and a backdoor called Cobalt Strike Beacon to infect Ukrainian victims.

Researchers at Ukraine’s computer emergency response team (CERT-UA) suspect the likely targets of these attacks were local government offices, as well as representatives of the U.S. Agency for International Development, which is responsible for administering civilian foreign aid and development assistance.

The content of some of the phishing emails sent by the hackers was related to USAID’s Hoverla project, which aims to reform the local governance system in Ukraine, CERT-UA said.

The report doesn’t specify the goal of the campaign, but GhostWriter is mostly known for being involved in cyber espionage. Researchers said the group could be interested in Ukraine’s financial and economic indicators, taxation, as well as the reform of local self-government bodies.

GhostWriter has repeatedly gone after Ukrainian entities. Last July, it deployed PicassoLoader against Ukraine’s government organizations, and in August 2023 it used the same tool to target Ukraine’s National Defense University. This June, the hackers attacked Ukraine’s Ministry of Defence and a military base.

In a 2021 report, Google-owned Mandiant said that GhostWriter is linked to the Belarusian state, and its campaigns align with Belarusian government interests. Researchers also believe Russia could have some influence over the group’s activity.

In addition to Ukraine, GhostWriter has also attacked Kyiv’s allies, including Lithuania, Latvia, and Poland. It is known for deploying a relatively unchanged set of tools in its campaigns, such as PicassoLoader, AgentTesla, Cobalt Strike Beacon, and njRAT.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.