The Ghostwriter group has struck again at the Ukrainian government, this time with a geo-targeted phishing campaign. The attackers send PDF files that, when opened, deploy Cobalt Strike, a commercial post-exploitation framework widely abused as malware. The geofencing tactic triggers the attack only when the victim is in a specific location, which makes analysis from outside Ukraine difficult.
How geofencing works in malware distribution 🗺️
Geofencing is a technique that checks the victim's location, typically by geolocating the requesting IP address or reading GPS data, before the payload is served. In this campaign, the malicious PDFs contain links that only download Cobalt Strike if the user is inside Ukraine. Analysts in other countries who open the file in a sandbox therefore never see the malicious code, because the delivery server returns nothing of interest to them. Once running, Cobalt Strike lets the attackers execute commands, steal data, and move laterally within the compromised network, all from a remote server.
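Because the server, not the PDF, enforces the geofence, the link itself still has to be present in the file, so a static look at the PDF's link and auto-action objects surfaces the indicator even when the payload is never served to the analyst. The script below is an added example, not code from the original article or from any Ghostwriter sample; the embedded PDF is constructed for illustration and the regexes assume plain, uncompressed PDF syntax (object streams would need decompressing first).

```python
import re

# Constructed sample (not a real malware file): a minimal PDF with a literal
# link, a hex-encoded link, and an /OpenAction that runs JavaScript on open.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
5 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (http://example.invalid/doc\\(1\\).pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI <687474703a2f2f6578616d706c652e696e76616c69642f62> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF strings come in two spellings: (literal, with backslash escapes) and <hex>.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Triggers and action types worth flagging: a geofenced download still needs a
# URI, and it is usually fired automatically rather than by a deliberate click.
_FLAGS = {
    b"/OpenAction": "OpenAction",
    b"/AA": "AdditionalActions",
    b"/JavaScript": "JavaScript",
    b"/Launch": "Launch",
    b"/URI": "URI",
}

def _unescape(raw: bytes) -> str:
    # Undo the literal-string escapes used for parentheses and backslashes.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")

def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target, whether written as a literal or a hex string."""
    uris = [_unescape(m) for m in _URI_LITERAL.findall(pdf)]
    for hexstr in _URI_HEX.findall(pdf):
        uris.append(bytes.fromhex("".join(hexstr.decode("ascii").split())).decode("latin-1"))
    return uris

def risky_actions(pdf: bytes) -> list[str]:
    """Names of auto-execute triggers and action types present in the file."""
    return sorted(name for token, name in _FLAGS.items() if token in pdf)

def triage(pdf: bytes) -> dict:
    # The URIs are the pivot for blocking and hunting; fetching them from an
    # egress outside the geofence may only return a decoy, so do not treat a
    # benign response as proof the link is harmless.
    return {"uris": extract_uris(pdf), "actions": risky_actions(pdf)}

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```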
The attack that only works if you are in the right place 🎯
Ghostwriter has perfected the art of exclusivity: its phishing only opens the door if you are in Ukraine. If you are an analyst in Spain or the United States, the PDF behaves like a harmless document. It is as if the malware says: sorry, you are not on the guest list. Meanwhile, Ukrainian officials open the file and receive a digital surprise they did not ask for. Geolocation as a reverse security filter: a trick that would make any concert ticket seller smile.