
Anatomy of a Geofenced PDF Phishing Campaign: How Ghostwriter Targets Government Networks

Published 2026-05-15 04:09:14 · Cybersecurity

Introduction

In early 2025, the Belarus-aligned threat group known as Ghostwriter (also tracked as FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057) launched a highly targeted campaign against Ukrainian government organizations. Active since at least 2016, Ghostwriter is infamous for cyber-espionage and influence operations. This how-to guide breaks down the step-by-step methodology behind their geofenced PDF phishing combined with Cobalt Strike — a technique that uses location-restricted malicious documents to evade detection. Security teams can use this guide to understand the attack flow, identify indicators, and build stronger defenses.

Source: feeds.feedburner.com

What You Need (Knowledge Prerequisites)

  • Basic understanding of phishing and social engineering tactics
  • Familiarity with PDF reader vulnerabilities and macro-enabled documents
  • Knowledge of Cobalt Strike’s beacon and command & control (C2) mechanics
  • Awareness of geofencing and IP geolocation services
  • Access to threat intelligence feeds (optional, for deeper analysis)

Step-by-Step Guide: Ghostwriter’s Attack Chain

Step 1: Target Reconnaissance and Weaponization

The attackers begin by identifying high-value targets within Ukrainian government ministries — defense, foreign affairs, and internal affairs. They gather email addresses from public sources, data leaks, and social media. Next, they craft a compelling lure: a PDF document disguised as an official government notice (e.g., a decree or security warning). The PDF contains either a malicious link or an embedded script that triggers only when the victim’s IP falls within a predefined geographic area — usually Ukraine.
Key tool: JavaScript in PDF to check IP geolocation via external services (e.g., ip-api.com).

Step 2: Geofencing the Payload

Ghostwriter implements geofencing by embedding JavaScript that queries a geolocation API. If the IP address is not from Ukraine, the PDF displays benign content or a blank page. If it is Ukrainian, the malicious payload activates — either by opening a URL to a phishing page or by exploiting a PDF reader vulnerability to download a dropper. This technique helps the attackers avoid analysis by security researchers outside the target region.
Tip: This step often uses obfuscated JavaScript to bypass static antivirus scanning.
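The defender's counterpart to this step is static triage of the suspect PDF before anyone opens it. The following Python script is an added example, not code from the article or from the campaign: it decodes `#xx`-escaped PDF names (so `/J#61vaScript` is seen as `/JavaScript`), counts the name objects that matter for a geofenced lure (`/OpenAction`, `/AA`, `/JS`, and so on), pulls the JavaScript bodies out of both literal and hex-encoded `/JS` strings, and flags any reference to a geolocation API host or to a network-capable Acrobat JavaScript call. The sample PDF bytes are constructed for the example; `ip-api.com` and `freegeoip.app` come from the article, while `ipinfo.io` and `ipapi.co` are assumed additions to the watch list.

```python
import re
from typing import Dict, List

# IP-geolocation services a geofenced lure may contact. ip-api.com and
# freegeoip.app are named in the article; the other two are assumed additions.
GEO_API_HOSTS = ("ip-api.com", "freegeoip.app", "ipinfo.io", "ipapi.co")

# PDF name objects whose presence justifies a closer look at the sample.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA",
                    "/Launch", "/URI", "/EmbeddedFile")

# Acrobat JavaScript calls that reach the network or unpack hidden code.
RISKY_JS_CALLS = ("app.launchURL", "this.getURL", "Net.HTTP.request",
                  "submitForm", "eval(", "unescape(")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _read_literal(data: bytes, start: int) -> str:
    """Read the PDF literal string whose '(' is at data[start].

    Handles nested balanced parentheses and backslash escapes well enough
    for triage (octal escapes are not decoded)."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                 # keep the escaped byte, drop the backslash
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return out.decode("latin-1")


def extract_js(data: bytes) -> List[str]:
    """Collect JavaScript bodies from /JS (literal) and /JS <hex> strings."""
    scripts = [_read_literal(data, m.end())
               for m in re.finditer(rb"/JS\s*(?=\()", data)]
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]+)>", data):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode()
        scripts.append(bytes.fromhex(hexstr).decode("latin-1"))
    return scripts


def scan_pdf(raw: bytes) -> Dict[str, object]:
    """Static triage: count risky names, pull scripts, look for geolocation hosts."""
    data = normalize_names(raw)
    counts = {name: len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", data))
              for name in SUSPICIOUS_NAMES}
    scripts = extract_js(data)
    joined = "\n".join(scripts)
    geo_hits = [h for h in GEO_API_HOSTS if h in joined]
    call_hits = [c for c in RISKY_JS_CALLS if c in joined]
    if not scripts:
        verdict = "benign-looking"
    elif geo_hits or call_hits:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"name_counts": counts, "scripts": scripts,
            "geo_api_hosts": geo_hits, "risky_calls": call_hits, "verdict": verdict}


# Constructed sample: a minimal PDF whose OpenAction runs a script that
# contacts a geolocation API; a second script is stored as a hex string.
# This is not a sample from the campaign.
_HEX_JS = 'app.launchURL("http://freegeoip.app/json");'.encode().hex().encode()
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b'3 0 obj << /S /J#61vaScript /JS (var r = Net.HTTP.request({cVerb: "GET", '
    b'cURL: "http://ip-api.com/json"});) >> endobj\n'
    b"4 0 obj << /S /JavaScript /JS <" + _HEX_JS + b"> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        report = scan_pdf(doc)
        print(label, report["verdict"], report["geo_api_hosts"], report["risky_calls"])
```

The scanner works on raw bytes and does not inflate compressed object streams, so a script hidden inside a `/FlateDecode` stream would need the stream decompressed first; the verdict is a triage signal for deciding which samples go to a sandbox or an analyst, not a final classification.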

Step 3: Spear-Phishing Delivery

The weaponized PDF is sent via email with a spoofed sender address that mimics a trusted government entity. The email subject line references urgent policy changes or pending sanctions to create panic. Ghostwriter uses compromised legitimate email accounts or lookalike domains (e.g., gov-ua.org instead of gov.ua).
Delivery chain: Email → attachment → user opens PDF → geolocation check → malicious action.

Step 4: Initial Access via Exploit or Credential Theft

Once the PDF executes within Ukraine, two primary vectors are used:

  1. Malicious link: The PDF redirects the user to a fake login page that harvests credentials (e.g., Office 365 or government portal).
  2. PDF exploit: An older vulnerability in Adobe Reader or a built-in PDF viewer triggers memory corruption, dropping a first-stage payload (e.g., an HTA or VBS script).

In Ghostwriter’s case, the initial payload is often a PowerShell script that downloads a Cobalt Strike beacon.

Step 5: Cobalt Strike Beacon Deployment

The downloaded beacon executes in memory (fileless) to avoid disk-based antivirus. It establishes a secure HTTPS connection to Ghostwriter’s C2 server, often using domain fronting through legitimate cloud services (e.g., Microsoft Azure, Cloudflare). The beacon sends system information and waits for commands. C2 infrastructure is frequently rotated and may use fast-flux DNS or bulletproof hosting.
Observable IOCs: Unusual outbound connections to non-standard ports (e.g., 443, 8080, 8443) with long intervals.
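The IOC above is a traffic pattern rather than a fixed indicator, so it is best hunted with a small script over proxy or firewall logs. The Python below is an added example written for this article, not a tool from the campaign or from any vendor: it parses constructed proxy log lines, lists internal hosts that queried a geolocation API (the early-warning signal from Step 2), flags source/destination pairs whose connections recur at long, unusually regular intervals (measured as the coefficient of variation of the gaps between requests), and correlates the two so a host that did a geolocation lookup and then started beaconing stands out. The log format, the host names, the IP addresses and the thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Geolocation API hosts named in the article; a lookup from an internal host
# can be the first visible sign that a geofenced lure was opened.
GEO_API_HOSTS = {"ip-api.com", "freegeoip.app"}

# Constructed proxy log, one request per line:
# "<iso-time> <src-ip> <dst-host> <dst-port> <bytes-out>". The format is an
# assumption; adapt parse_log() to whatever your proxy or firewall emits.
SAMPLE_LOG = """\
2025-03-04T09:00:00Z 10.0.0.5 ip-api.com 80 312
2025-03-04T09:00:07Z 10.0.0.5 updates.example.net 8443 1024
2025-03-04T09:05:05Z 10.0.0.5 updates.example.net 8443 1024
2025-03-04T09:10:09Z 10.0.0.5 updates.example.net 8443 1088
2025-03-04T09:15:04Z 10.0.0.5 updates.example.net 8443 1024
2025-03-04T09:20:06Z 10.0.0.5 updates.example.net 8443 1024
2025-03-04T09:25:08Z 10.0.0.5 updates.example.net 8443 1024
2025-03-04T09:01:10Z 10.0.0.7 www.example.com 443 5120
2025-03-04T09:01:12Z 10.0.0.7 www.example.com 443 4096
2025-03-04T09:03:40Z 10.0.0.7 www.example.com 443 720
2025-03-04T09:17:00Z 10.0.0.7 www.example.com 443 9000
2025-03-04T09:17:01Z 10.0.0.7 www.example.com 443 300
2025-03-04T09:44:30Z 10.0.0.7 www.example.com 443 8800
"""

Event = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Turn log lines into (timestamp, src, host, port) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, _bytes_out = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, int(port)))
    return events


def geo_api_lookups(events: List[Event]) -> List[Tuple[str, str]]:
    """Internal hosts that queried a geolocation API, paired with the API host."""
    return [(src, host) for _, src, host, _ in events if host in GEO_API_HOSTS]


def beacon_candidates(events: List[Event], min_events: int = 5,
                      min_interval: float = 60.0, max_cv: float = 0.15) -> List[Dict]:
    """Flag (src, dst) pairs whose connections recur at long, regular intervals.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; interactive browsing scores high, a beacon with a
    few percent of jitter scores low."""
    by_pair: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for ts, src, host, port in events:
        by_pair[(src, host, port)].append(ts)
    findings = []
    for (src, host, port), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if mean >= min_interval and cv <= max_cv:
            findings.append({"src": src, "dst": f"{host}:{port}", "events": len(stamps),
                             "mean_interval_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return findings


def correlate(events: List[Event]) -> List[str]:
    """Hosts that both queried a geolocation API and show beacon-like traffic,
    i.e. the sequence the article describes (geolocation check, then C2)."""
    looked_up = {src for src, _ in geo_api_lookups(events)}
    beaconing = {f["src"] for f in beacon_candidates(events)}
    return sorted(looked_up & beaconing)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("geolocation lookups:", geo_api_lookups(ev))
    print("beacon candidates:", beacon_candidates(ev))
    print("hosts to triage first:", correlate(ev))
```

Tune `min_events`, `min_interval` and `max_cv` against a week of your own logs before alerting on them; CDN health checks and update agents also beacon regularly, so the value of this check comes from combining it with the destination's reputation and with the geolocation-lookup correlation rather than from the regularity alone.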


Step 6: Lateral Movement and Data Exfiltration

With a foothold, Ghostwriter uses Cobalt Strike’s built-in tools to move laterally — dumping credentials via Mimikatz, abusing SMB or WinRM, and deploying additional beacons to domain controllers. The final goal is to exfiltrate sensitive documents, emails, and databases. Data is encrypted, compressed, and sent out over encrypted channels, sometimes split across multiple C2 servers to evade detection.
Duration: Lateral movement can take days to weeks, with careful low-and-slow activity to avoid alerting defenders.

Tips for Defending Against This Attack

Proactive Measures

  • Disable JavaScript in PDF readers — Geofencing relies on embedded scripting. Configure PDF viewers (Adobe Acrobat, browsers) to block JavaScript by default.
  • Implement email authentication — Use SPF, DKIM, and DMARC to reduce spoofed emails. Train staff to verify sender addresses carefully.
  • Deploy endpoint detection and response (EDR) — EDR can spot memory-only Cobalt Strike beacons via behavioural anomalies (e.g., suspicious process injection).
  • Monitor outbound DNS and HTTP(S) traffic — Look for connections to geolocation APIs (e.g., ip-api.com, freegeoip.app) as a potential early warning.
  • Conduct regular phishing simulations — Familiarize users with geofenced PDF lures and credential harvesting pages.
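Two of the controls above, email authentication and sender verification, can be checked with a short script. The Python below is an added example for this article, not code from the campaign or from any mail-security product: it grades a domain's SPF and DMARC TXT records for the weak settings that let spoofed mail through (`+all`, `?all`, `~all`, `p=none`, no `rua` reporting address), and it scores a sender domain against a trusted domain to catch the lookalike pattern from Step 3 (`gov-ua.org` standing in for `gov.ua`). DKIM is left out because verifying it needs the selector from a real message header. The TXT answers are constructed and keyed by query name instead of being fetched from DNS, and the `.example` names are placeholders.

```python
from typing import Dict, List

# Constructed DNS TXT answers keyed by query name. In practice these come from
# a resolver; the ".example" TLD is reserved, so these names are placeholders.
TXT_RECORDS: Dict[str, List[str]] = {
    "ministry.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.ministry.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@ministry.example"],
    "agency.example": ["v=spf1 +all"],
    "_dmarc.agency.example": ["v=DMARC1; p=none"],
    "orphan.example": [],
}


def assess_spf(records: List[str]) -> List[str]:
    """Return weakness codes for a domain's SPF record(s)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf-missing"]
    if len(spf) > 1:
        return ["spf-multiple-records"]   # more than one SPF record is a permerror
    terms = spf[0].split()
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["spf-no-all"]            # unlisted senders get an implicit neutral result
    qualifier = {"all": "+", "+all": "+", "?all": "?", "~all": "~", "-all": "-"}[all_term.lower()]
    return {"+": ["spf-pass-all"], "?": ["spf-neutral-all"], "~": ["spf-softfail"], "-": []}[qualifier]


def assess_dmarc(records: List[str]) -> List[str]:
    """Return weakness codes for a domain's _dmarc TXT record(s)."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["dmarc-missing"]
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("dmarc-p-none")          # monitor only: spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        issues.append("dmarc-p-invalid")
    if "rua" not in tags:
        issues.append("dmarc-no-rua")          # no aggregate reports, so abuse goes unseen
    return issues


def assess_domain(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """Combine SPF and DMARC findings for one sending domain."""
    return assess_spf(txt.get(domain, [])) + assess_dmarc(txt.get("_dmarc." + domain, []))


# Lookalike detection for sender domains (Step 3): gov-ua.org versus gov.ua.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def skeleton(name: str) -> str:
    """Lowercase, fold common digit-for-letter swaps, drop dots and hyphens."""
    return "".join(ch for ch in name.lower().translate(HOMOGLYPHS) if ch.isalnum())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, small enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate imitates trusted without being it or one of its subdomains."""
    candidate, trusted = candidate.lower().rstrip("."), trusted.lower().rstrip(".")
    if candidate == trusted or candidate.endswith("." + trusted):
        return False
    target = skeleton(trusted)
    without_tld = candidate.rsplit(".", 1)[0]          # gov-ua.org -> gov-ua
    return any(_edit_distance(skeleton(c), target) <= 1 for c in (candidate, without_tld))


if __name__ == "__main__":
    for domain in ("ministry.example", "agency.example", "orphan.example"):
        print(domain, assess_domain(domain, TXT_RECORDS))
    for sender in ("gov-ua.org", "g0v.ua", "mail.gov.ua"):
        print(sender, "lookalike of gov.ua:", is_lookalike(sender, "gov.ua"))
```

Run the record checks against your own sending domains and the domains you most often receive official mail from; the lookalike check is meant for a mail-gateway rule or a SOC enrichment step that compares the envelope and header From domains of inbound mail against a short list of trusted government domains.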

Incident Response Steps

  1. Isolate affected systems immediately to prevent lateral movement.
  2. Collect the PDF sample — preserve the geolocation JavaScript for forensic analysis.
  3. Review C2 communication logs — identify and block the domains/IPs used.
  4. Reset credentials for all potentially compromised accounts.
  5. Engage with national CERT (e.g., CERT-UA) and share IOCs.

Understanding the Ghostwriter playbook is the first step in building a resilient defense. By knowing how geofenced PDF phishing and Cobalt Strike work together, organizations can prioritize detection controls and train users to spot even the most targeted threats.