Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware

Abstract:

Belarusian opposition activists and military and governmental organizations in Ukraine are being targeted by a new variant of the PicassoLoader malware family. This variant of PicassoLoader uses Excel documents with embedded malware as lures. The threat is associated with, and is an extension of, the activity of a threat actor known as Ghostwriter. Ghostwriter is known to support Russian security interests and is critical of NATO. This variant of PicassoLoader was developed from July 2024 and became active in November 2024. As of the writing of this article, the attack appears to be ongoing, based on recent malware samples and command-and-control infrastructure activity. The attack chain begins with a shared Google document that also hosts a RAR archive. The RAR archive contains the malware-laden Excel workbook, which executes a macro that writes a DLL file allowing PicassoLoader to run. A benign decoy Excel file is then displayed to the user while additional malware is installed on the system. Images have also been embedded in these Excel documents to retrieve malware from a URL by encouraging users to click on them, a technique described as steganography. These Excel spreadsheets allow Belarus to conduct cyber espionage without actively engaging militarily.

Author:
Ravie Lakshmanan
Year:
2025
MIT Political Science
ECIR