CyberWire Daily

Excel-lerating cyberattacks. [Research Saturday]

Dec 27, 2025
Tom Hegel, a Principal Threat Researcher at SentinelLabs, dives deep into the recent Ghostwriter campaign targeting Ukraine and the Belarusian opposition. He discusses how attackers utilize weaponized Excel documents and sophisticated obfuscation techniques to deliver malware. Hegel outlines the campaign's espionage objectives, emphasizing its ties to the Belarusian government. He also shares defensive measures like strict email filtering and disabling macros to combat such threats. Tune in for insights on evolving cyberattack strategies and their implications!
INSIGHT

State-Aligned, Region-Focused Operations

  • Ghostwriter operates as a state-aligned group focused on Belarus and nearby regions.
  • Their campaigns blend espionage and information operations to serve political objectives.
INSIGHT

Propaganda Plus Malware For Domestic Goals

  • Ghostwriter pairs domestic propaganda with targeted malware to influence local politics.
  • Their domestic focus on the Belarusian opposition shows how they combine information operations with intrusions.
INSIGHT

Excel Macros Deliver Persistent DLL Loaders

  • The campaign uses Google Drive-hosted Excel lures containing heavily obfuscated VBA macros.
  • The macros write a DLL to temp folders and load it, then establish persistent downloader functionality.