
May 15, 2026 · 9 min read

Belarus's Hackers Are Phishing Ukraine's Government Again—This Time the Malicious PDF Checks Your IP Before It Decides Whether to Infect You

If you are a Western researcher who opens the attachment, you see a real Ukrtelecom regulation document. If you are a Ukrainian defense official, you see the same thing—while PicassoLoader fingerprints your machine every ten minutes.


The Group Has Ten Names and One Sponsor

The Belarus-aligned threat actor publicly disclosed on May 14 by ESET goes by FrostyNeighbor in the firm's own taxonomy. Other vendors call the same operators Ghostwriter, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison, UNC1151, and White Lynx. The proliferation of code names is partly tribal—every vendor wants its own brand on the threat report—and partly because the group has been hitting Ukraine, Poland, Lithuania, and Latvia since 2016 across enough campaigns that no single dataset captures all of them.

Google's Mandiant assessed with high confidence in 2021 that the operators are connected to the Belarusian government. That assessment has held up across four years of additional campaigns. The latest one started in March 2026 and targets the Ukrainian military, the defense sector, and government agencies—the same operational priority every Ghostwriter cluster has run since the start of the Russian invasion.

The Lure Is Ukrtelecom

The spear-phishing emails carry PDF attachments impersonating Ukrtelecom, Ukraine's largest fixed-line telecommunications operator. The document looks like a real Ukrtelecom regulatory notice: "regulations in the field of electronic communications from 2024 to 2026." For a Ukrainian government official whose office receives Ukrtelecom correspondence routinely, the cover is plausible enough that opening the file does not feel reckless.

The PDF is not the payload. It is the trigger for the next stage. Inside the document is a link that, when clicked, requests a RAR archive containing a JavaScript file. The link is also where the geofence lives.

The Geofence Is the Operational Discipline

When the link is clicked, the server checks the visitor's IP address. Outside Ukraine, the server returns a clean PDF of the same regulatory document. Inside Ukraine, it returns the RAR archive with the JavaScript dropper. The benign document is, as far as analysts have been able to determine, a real Ukrtelecom regulation excerpt.

The discipline matters more than the technique. Geofencing is not new—threat actors have used IP filters since at least 2018 to throw off Western researchers who run automated sandboxes from cloud regions outside the target country. What Ghostwriter has done is align the cover document so tightly with the lure that any researcher who pulls the URL from a quarantined email and clicks it from a U.S., German, or Israeli IP address gets a perfectly legitimate Ukrtelecom regulation back. The malicious chain only triggers for the intended target.

For threat intelligence teams, that means stripping the IOC out of the email is not enough to understand the attack. The second stage has to be requested from Ukrainian IP space, often by tunneling through a Ukrainian VPN endpoint, to reproduce the malicious branch. Anyone running an automated phishing analysis pipeline on Western infrastructure will see a clean document and close the ticket. That is the point.
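The practical consequence of the geofence is that a single fetch tells an analyst nothing. The check below is an added illustration, not tooling from ESET or from the article: it takes the bodies returned to several vantage points, sniffs the real file type from magic bytes rather than trusting the server's Content-Type header, and reports whether the lure URL is serving different content by origin. The responses and vantage labels are constructed sample data; no real campaign URL is contacted.

```python
import hashlib
from dataclasses import dataclass

# Magic bytes for the two file kinds the lure link hands out:
# a PDF for everyone outside the target geography, a RAR archive inside it.
MAGIC = {
    b"%PDF-": "pdf",
    b"Rar!\x1a\x07\x00": "rar4",        # RAR 4.x signature
    b"Rar!\x1a\x07\x01\x00": "rar5",    # RAR 5.x signature
}

# Which sniffed kinds are consistent with a claimed Content-Type.
CLAIMED_KINDS = {
    "application/pdf": {"pdf"},
    "application/x-rar-compressed": {"rar4", "rar5"},
    "application/vnd.rar": {"rar4", "rar5"},
}


@dataclass
class Fetch:
    vantage: str        # label for where the request originated (constructed: "DE", "UA", ...)
    content_type: str   # what the server claimed in its Content-Type header
    body: bytes         # raw response body


def sniff(body: bytes) -> str:
    """Identify the file kind from leading magic bytes, ignoring the header."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def compare_vantages(fetches):
    """Report per-vantage file kinds and digests and flag geographic divergence."""
    kinds = {f.vantage: sniff(f.body) for f in fetches}
    digests = {f.vantage: hashlib.sha256(f.body).hexdigest() for f in fetches}
    # A server that labels a RAR archive as application/pdf is lying to the client.
    mislabelled = [
        f.vantage for f in fetches
        if f.content_type in CLAIMED_KINDS and kinds[f.vantage] not in CLAIMED_KINDS[f.content_type]
    ]
    return {
        "kinds": kinds,
        "digests": digests,
        "geofenced": len(set(digests.values())) > 1,
        "mislabelled": mislabelled,
    }


# Constructed sample: Western vantages receive the decoy PDF, the Ukrainian
# vantage receives a RAR archive that the server still labels as a PDF.
DECOY_PDF = b"%PDF-1.7\n% constructed decoy document body\n"
SAMPLE_FETCHES = [
    Fetch("DE", "application/pdf", DECOY_PDF),
    Fetch("US", "application/pdf", DECOY_PDF),
    Fetch("UA", "application/pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
]

if __name__ == "__main__":
    report = compare_vantages(SAMPLE_FETCHES)
    for vantage, kind in report["kinds"].items():
        print(f"{vantage}: {kind} sha256={report['digests'][vantage][:16]}...")
    print("geofenced:", report["geofenced"], "mislabelled:", report["mislabelled"])
```

Sniffing on magic bytes matters because the geofenced branch can keep the same Content-Type it uses for the decoy, so a pipeline that keys on the header alone files both responses as "PDF" and never notices that one of them is an archive.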

PicassoLoader and the Ten-Minute Heartbeat

If the geofence approves, the RAR archive drops a JavaScript file that displays a decoy document on screen—visual cover so the recipient sees something open—while launching PicassoLoader silently in the background. PicassoLoader has been the Ukrainian cyber defenders' name for this family since 2022. Ghostwriter now ships it in four variants: .NET, PowerShell, JavaScript, and C++. The variant you get depends on what the operator believes will survive the target's endpoint stack.

PicassoLoader beacons home roughly every ten minutes with a small fingerprint of the host: the username, the computer name, the OS version, the system boot time, the current time, and a snapshot of the running processes with their PIDs. The operators read these beacons and decide—manually—whether the target is worth deploying Cobalt Strike against. That step prevents Cobalt Strike beacons from landing on honeypots and sandboxes; it also dramatically limits how many full intrusions an investigator can detect downstream.
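A fixed ten-minute beacon is a detection opportunity regardless of which of the four loader variants is running, because the timing lives in outbound traffic rather than on the endpoint. The script below is an added example (not ESET's or CERT-UA's detection logic) that runs over constructed proxy log lines, groups requests by source host and destination, and flags pairs whose inter-arrival times cluster tightly around a chosen period. The log format, host names, and thresholds are assumptions for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log lines, shape: ISO-timestamp src_ip dst_host status bytes.
# Destination hosts are placeholders, not campaign infrastructure.
SAMPLE_LOG = """\
2026-03-12T08:00:04Z 10.20.1.15 cdn-updates.example 200 412
2026-03-12T08:10:07Z 10.20.1.15 cdn-updates.example 200 409
2026-03-12T08:19:58Z 10.20.1.15 cdn-updates.example 200 415
2026-03-12T08:30:11Z 10.20.1.15 cdn-updates.example 200 410
2026-03-12T08:40:02Z 10.20.1.15 cdn-updates.example 200 413
2026-03-12T08:50:09Z 10.20.1.15 cdn-updates.example 200 411
2026-03-12T08:01:30Z 10.20.1.22 news.example 200 58213
2026-03-12T08:02:14Z 10.20.1.22 news.example 200 7720
2026-03-12T08:31:55Z 10.20.1.22 news.example 200 61002
2026-03-12T09:15:40Z 10.20.1.22 news.example 200 4410
2026-03-12T09:16:01Z 10.20.1.22 news.example 200 9190
"""


def parse(log_text):
    """Group (timestamp, bytes) events by (source IP, destination host)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[(src, dst)].append((when, int(size)))
    return events


def beacon_score(timestamps, expected=600.0, tolerance=0.1, min_hits=5):
    """Return (is_periodic, median_gap_seconds, jitter) for one host/destination pair.

    A pair counts as periodic when the median gap is within `tolerance` of the
    expected period and the relative spread of the gaps is also below `tolerance`.
    """
    if len(timestamps) < min_hits:
        return False, None, None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = statistics.median(gaps)
    jitter = statistics.pstdev(gaps) / median if median else float("inf")
    periodic = abs(median - expected) <= expected * tolerance and jitter <= tolerance
    return periodic, median, jitter


def find_beacons(log_text, **kwargs):
    """Return the host/destination pairs whose traffic looks like a heartbeat."""
    hits = {}
    for key, evs in parse(log_text).items():
        periodic, median, jitter = beacon_score([t for t, _ in evs], **kwargs)
        if periodic:
            hits[key] = {
                "hits": len(evs),
                "median_s": median,
                "jitter": round(jitter, 4),
                # Small, near-constant response sizes are typical of a fingerprint
                # check-in and help separate it from ordinary browsing.
                "median_bytes": statistics.median(s for _, s in evs),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

The jitter bound is what keeps ordinary browsing out: a user who happens to reload a news site twice around the ten-minute mark produces a wide spread of gaps, while a loader sleeping on a timer produces gaps that differ by a few seconds. Tune `expected` and `tolerance` per environment, and treat a hit as a lead to pull the host's process list and the destination's reputation, not as a verdict on its own.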

Ghostwriter has used CVE-2023-38831, the WinRAR vulnerability from August 2023, in earlier waves of this campaign. The flaw lets a malicious archive launch arbitrary code when the user previews a file. Three years after disclosure, it still works against organizations that have not pushed WinRAR updates to their entire fleet—and Ukrainian government offices have not finished that migration.

Why This Matters Past Ukraine

Belarus is not running this for its own intelligence services alone. The same group has been credited with covert influence operations in Poland, Lithuania, and Latvia, often forging Ukrainian and Polish government documents to inflame regional politics. The intelligence harvested from Ukrainian government inboxes also reaches Moscow through standard inter-agency channels. Ghostwriter sits in the same operational tier as Russia's GRU rerouting home routers to steal Outlook tokens and MuddyWater disguising espionage as ransomware—a regional state actor whose target list reflects active conflict more than any specific commercial agenda.

The cross-border lesson is the geofence itself. Most malicious phishing campaigns send the same payload to everyone who opens the attachment. When operators bother to gate the second stage by geography, they are usually trying to avoid Western telemetry, which means they are running an operation they consider worth protecting from journalist scrutiny. Journalists, NGO researchers, and intelligence analysts who want to study what Ghostwriter is actually shipping in 2026 will need access to a Ukrainian IP endpoint and a fast, disposable Windows VM. Anything less and the campaign you are studying looks no different from a legitimate telecom advisory.

For Western government personnel and journalists covering Ukraine, the more practical takeaway is that the attachment that fingerprinted a defense official last week may have arrived through a relayed Ukrtelecom thread. Forwarded mail loses headers, attachments survive forwarding, and the geofence does not stop the document from being received—it only stops the payload from triggering for the wrong viewer. The right OPSEC posture is the same one it has been since 2022: open Ukrainian-themed attachments only in a sandbox, only from accounts with no cached credentials, and assume that anything weaponized by Belarus today will be weaponized by Russia tomorrow.
