Belarus-linked hacker group targets Ukraine and Poland in ongoing cyberattacks

French cybersecurity company HarfangLab has uncovered new cyberattacks targeting Ukraine and Poland, carried out by a group known as UAC-0057 (also called UNC1151, Ghostwriter, or FrostyNeighbor), which is believed to be linked to the Belarusian government.

Researchers found two separate campaigns, one focused on Ukraine, the other on Poland. The campaigns, active since at least April 2025, involve malicious Excel spreadsheets embedded in archive files, likely distributed via spearphishing emails. Once opened, the spreadsheets deploy VBA macros that drop and load DLL implants designed to collect system information and communicate with command-and-control (C2) servers to fetch further malware. Some documents mimic official communications, such as those from Ukraine's Ministry of Digital Transformation or Poland’s Union of Rural Municipalities.

While the malware toolsets vary slightly, both operations share technical similarities, including the use of obfuscated VBA macros, consistent DLL execution chains, and common profiling techniques for identifying compromised systems.

In the Ukrainian campaign, attackers used C#-based downloaders obfuscated with ConfuserEx, while the Polish campaign relied on C++-based tools and included bait documents such as fake PDF invitations and service information.

The campaigns employ persistent implants that harvest detailed host data: OS platform identifier and version, hostname, CPU name, current user name, operating system install date, the time at which the system was booted, the installed antivirus product's name and installation date, and the IP address used when browsing the Internet. The implants send updates to C2 servers every 10 minutes.
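As an added illustration of the defender's side, not code from the report or from HarfangLab: a small Python check that flags source/destination pairs in proxy logs whose connection cadence sits close to the 10-minute interval described above with very little jitter, which is what separates a scheduled implant check-in from ordinary browsing. The log lines, IP addresses and host names are constructed placeholders; the 600-second expectation and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dst_host>".
# 10.0.0.5 checks in every ~10 minutes; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2025-04-10T08:00:05 10.0.0.5 cdn-placeholder.example
2025-04-10T08:10:04 10.0.0.5 cdn-placeholder.example
2025-04-10T08:20:06 10.0.0.5 cdn-placeholder.example
2025-04-10T08:30:05 10.0.0.5 cdn-placeholder.example
2025-04-10T08:40:05 10.0.0.5 cdn-placeholder.example
2025-04-10T08:03:17 10.0.0.7 news.example
2025-04-10T08:09:41 10.0.0.7 news.example
2025-04-10T08:27:02 10.0.0.7 news.example
2025-04-10T08:51:55 10.0.0.7 news.example
"""

def parse_log(text):
    """Group connection times (epoch seconds) by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    return conns

def beacon_score(times):
    """Mean gap and coefficient of variation of the gaps; None if fewer than 4 samples."""
    if len(times) < 4:
        return None
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, pstdev(gaps) / m

def find_beacons(text, expected_s=600, tolerance=0.1, max_cv=0.05):
    """Pairs whose mean gap is within tolerance of expected_s and whose jitter is low."""
    hits = []
    for pair, times in parse_log(text).items():
        score = beacon_score(times)
        if score is None:
            continue
        m, cv = score
        if abs(m - expected_s) / expected_s <= tolerance and cv <= max_cv:
            hits.append((pair, round(m), round(cv, 4)))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Real implants often add randomised sleep, so in production the jitter threshold would be loosened and the check run per destination over a longer window rather than tuned to a single interval.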
