014
ID: aeadd93e-126f-49f5-a78c-64b31c6924f9
STIX ID: report--aeadd93e-126f-49f5-a78c-64b31c6924f9
Threat Score: 85/100
A Ghostwriter (UNC1151) campaign targeted opposition activists in Belarus and Ukrainian military and government organizations. It used weaponized Microsoft Excel documents containing obfuscated VBA macros, together with steganographic payload delivery, to install a new PicassoLoader variant, Cobalt Strike, and a LibCMD DLL. The operation was active from mid-2024 into late 2024 and exhibited ongoing C2 activity.
