The new hacker group UNC1151 has stepped up its activities by launching a series of cyberattacks on government agencies, military institutions and ordinary users in Ukraine and Poland.

According to latest report Cisco Talos, the group’s malicious activities began in April 2022 and are still ongoing. The main goal of attackers is to steal confidential information and establish permanent remote access to computer systems.

Ukrainian service CERT-UA (Computer Emergency Response Team) links the cyberattacks to the UNC1151 group and its campaign called GhostWriter, allegedly linked to the Belarusian government, according to Cisco Talos.

The methods used in the attacks represent a complex multi-stage chain of infection. It is initiated by malicious Excel and PowerPoint documents that contain hidden executable file loaders and malware embedded in images, making them difficult to detect.

Chain of attack: the lure prompts the user to activate macros that infect the system

The main target of cyberattacks are the state and military institutions of Ukraine and Poland. Hackers use social engineering techniques to disguise their actions as authentic images and texts.

The purpose of social engineering is to convince victims to activate macros, which allows attackers to launch a chain of malicious actions. Ukrainian and Polish businesses, as well as ordinary users, have reportedly fallen victim to these campaigns when they opened Excel spreadsheets that mimic VAT refund forms.

An analysis of the attacks carried out revealed the use of a variety of malicious programs by hackers, including the AgentTesla RAT Trojan, Cobalt Strike beacons, and njRAT. Malware allows attackers to steal information and gain remote control over compromised systems.

To minimize the risk of cyber attacks, Cisco Talos strongly recommends the adoption of comprehensive security measures. In its report, the company also provided a complete list of indicators of compromise (IoC) associated with these threats.

In April, the Ministry of National Defense of Poland reported about a recent disinformation campaign called Ghostwriter that was linked to the alleged Belarusian hacker group UNC1151.

Campaign originally ghostwriter was directed against Poland , Lithuania and Latvia, as well as Ukraine. According to experts, the hackers left clear digital footprints. Then the Mandiant experts linked this campaign to UNC1151 . UNC1151 also attacked a number of Belarusian media outlets and several members of the political opposition in Belarus a year before the 2020 elections. In several cases, individuals attacked by UNC1151 ahead of the 2020 Belarusian elections were subsequently arrested by the Belarusian authorities.