Active threat profile

Type: Nation-State
Threat level: Critical
Status: Active
Origin: Belarus — state-linked / Russia-aligned
Last updated: 2026-03-27

UNC1151 / Ghostwriter

Also tracked as: UAC-0057 (CERT-UA); PUSHCHA (Google TAG); Blue Dev 4; Moonscape; TA445 (Proofpoint)

A rare publicly documented hybrid of cyber espionage and coordinated influence operations — UNC1151 provides the technical access layer (credential theft, malware, website compromise) while the Ghostwriter campaign uses those stolen assets to publish fabricated narratives on hacked news sites and government portals. Mandiant assessed with high confidence that UNC1151 is linked to the Belarusian government and with moderate confidence to the Belarusian military. Active since at least 2016, the operation dramatically expanded targeting following Russia's February 2022 invasion of Ukraine, with phishing efforts increasing by over 300% compared to the 2020 baseline. SentinelLabs confirmed continued activity through early 2025, targeting Ukrainian government entities, military personnel, and domestic Belarusian opposition.

Attributed sponsor: Belarusian Government (Mandiant, high confidence)
Military link: Belarusian Military (Mandiant, moderate confidence)
First observed: 2016 (retroactive); formal designation 2020–2021
Primary motivation: State espionage + information operations
Primary targets: Ukraine, Poland, Lithuania, Latvia, Germany
Russian involvement: Cannot be ruled out; no direct evidence confirmed
Mandiant tracking since: 2017
German attribution: GRU (German government, Sep 2021 — later disputed)
Phishing increase (2022): +300% vs 2020 baseline (Google TAG/Mandiant)

Overview

UNC1151 and the Ghostwriter influence campaign represent one of the most extensively documented examples of a state-coordinated hybrid operation combining technical cyber intrusion with information warfare. The two are distinct but closely linked: UNC1151 is the cyber espionage actor — conducting phishing, credential theft, malware deployment, and website compromise — while Ghostwriter is the influence campaign that weaponizes the access and stolen materials UNC1151 generates. Mandiant first named the Ghostwriter campaign in July 2020, identified UNC1151 as providing technical support to it in April 2021, and formally attributed both to the Belarusian government in November 2021.

The attribution evidence Mandiant cited included: technical indicators locating UNC1151 operators in Minsk, Belarus; separate technical evidence linking the group to the Belarusian military; the specific targeting profile matching Belarusian government interests rather than any other state's (particularly the targeting of Belarusian opposition figures, journalists, and dissidents — parties of uniquely Belarusian concern); and the post-2020 alignment of Ghostwriter narratives with overt Belarusian government actions against Lithuania and Poland. Multiple individuals targeted by UNC1151 before the disputed August 2020 Belarusian election were subsequently arrested by the Belarusian government — a pattern strongly suggesting intelligence collection was feeding into domestic repression operations.

The Russian dimension is the most contested element of the attribution picture. Germany's government attributed Ghostwriter to Russia's GRU in September 2021, and the EU's High Representative issued a declaration calling on Russia to stop Ghostwriter operations. Mandiant's position — reflecting more granular technical analysis — was that the evidence pointed primarily to Belarus, with Russian involvement possible but unconfirmed. Recorded Future's subsequent research suggested a likely collaborative structure, noting documented high-level meetings between Russian and Belarusian security services and the likelihood that Russian GRU-related actors may have operated from, supported, or trained Belarusian personnel. The practical operational reality may be that the distinction between Belarusian and Russian operation matters less than the shared strategic alignment — the content of Ghostwriter campaigns has consistently served both Belarusian government interests and broader Russian strategic narratives.

UNC1151's activity expanded dramatically following Russia's February 2022 invasion of Ukraine. Google TAG, which tracks the actor as PUSHCHA, and Mandiant jointly reported in February 2023 that phishing operations had increased by more than 300% compared to the 2020 baseline. From 2022 onward, the group's technical evolution included the introduction of PicassoLoader — a multi-stage downloader delivering Cobalt Strike beacons and njRAT — alongside its existing HIDDENVALUE and HALFSHELL custom malware. SentinelLabs documented continued activity in January 2025, with campaigns targeting Ukrainian government entities, military personnel, and Belarusian opposition figures ahead of the January 26, 2025 Belarusian presidential election.

Two-Layer Operation Architecture

The UNC1151 / Ghostwriter hybrid operates across two distinct but interdependent layers. Understanding the architecture is essential for appropriate defensive posture — the technical access layer and the influence operations layer require different detection and response approaches.

Layer 1: UNC1151 — Technical Access
  • Credential phishing via spoofed login pages (Facebook, Google, Twitter, regional email providers)
  • Spearphishing with malware-laden Office documents (Excel, PowerPoint with VBA macros)
  • HIDDENVALUE and HALFSHELL custom .NET backdoors
  • PicassoLoader multi-stage downloader (→ Cobalt Strike, njRAT, AgentTesla)
  • Website compromise of news portals and government platforms
  • Email account compromise for hack-and-leak operations

Layer 2: Ghostwriter — Influence Operations
  • Publication of fabricated articles on compromised news sites posing as genuine reporting
  • Hack-and-leak of stolen emails and documents (e.g., Dworczyk hack, Polish official communications)
  • False-persona Telegram channels disseminating anti-NATO and anti-Western narratives
  • Ghostwriter narratives amplified on Belarusian state television as fact
  • Fabricated stories of nuclear accidents, migrant crimes, corruption scandals in target countries
  • Targeted dissemination to Belarusian opposition and diaspora audiences

Target Profile

UNC1151's targeting is geographically concentrated and strategically coherent — the five primary target countries represent a specific mix that most closely aligns with Belarusian foreign policy concerns rather than either Russian or any other state's interest profile.

  • Ukraine: The largest volume of UNC1151 technical intrusion activity. Ukrainian government ministries, military personnel, defense infrastructure entities, and civil society organizations are targeted for credential theft, malware deployment, and intelligence collection. From 2022 onward, targeting of Ukrainian military personnel and Ministry of Defense significantly intensified alongside the Russian invasion, with lures referencing military organizational documents and operational subjects. CERT-UA tracks this as UAC-0057 and has issued multiple advisories about ongoing campaigns.
  • Poland: A primary Ghostwriter target alongside Lithuania, reflecting Belarus's hostile posture toward both countries for their support of Belarusian opposition and their condemnation of the Lukashenko government. Polish government officials' email accounts and social media accounts have been compromised for hack-and-leak operations. The most significant individual case was Michał Dworczyk, Poland's Chief of the Government Chancellery, whose personal email account (also used for government communications) was compromised, with leaked correspondence creating a prolonged political scandal in Poland from 2021 to 2022 and contributing to his resignation.
  • Lithuania: Targeted for its particularly strong opposition to the Lukashenko government and its hosting of Belarusian opposition figures. The Lithuanian news portal Kas Vyksta Kaune was compromised at least seven times between 2018 and 2020 for the purpose of publishing fabricated Ghostwriter narratives. Ghostwriter operations in Lithuania have specifically promoted false claims about accidents at nuclear facilities — directly reflecting Lithuania's active political opposition to Belarus's Astravyets nuclear power plant located near the Lithuanian border.
  • Germany: UNC1151 expanded credential theft targeting to German politicians beginning in early 2021 — reported publicly by German media outlet Tagesschau. Germany became a Ghostwriter target in the context of its federal parliamentary elections in September 2021, with operations attempting to influence the electoral environment. Germany's government attributed Ghostwriter to Russia's GRU in September 2021, though Mandiant's assessment placed primary responsibility with Belarus.
  • Belarusian Opposition, Media, and Dissidents: A targeting category uniquely consistent with Belarusian government interests and distinct from Russian espionage patterns. UNC1151 targeted Belarusian opposition figures, journalists, and media entities — particularly in the year preceding the disputed August 2020 election. Several individuals targeted by UNC1151 before the election were subsequently arrested by Belarusian authorities, indicating the intelligence collection directly supported domestic repression rather than any recognizable Russian priority.
  • Intergovernmental Organizations: UNC1151 has spearphished intergovernmental organizations dealing with former-Soviet states — though notably not their member governments directly, consistent with intelligence collection on policy formation and diplomatic communications rather than direct government penetration.

Tactics, Techniques & Procedures

UNC1151 TTPs as documented by Mandiant (2021), Cisco Talos (2023), SentinelLabs (2025), and AttackIQ. The actor has evolved its technical toolset while maintaining consistent phishing-first initial access across the tracking period.

MITRE ID | Technique | Description

T1566.001 / T1566.002 — Spearphishing: Attachment / Link
  Phishing emails are UNC1151's primary initial access method. Credential phishing uses spoofed login pages impersonating Facebook, Google, Twitter, regional email providers (ukr.net), and government portals. Malware-delivery phishing uses Office documents with embedded VBA macros (Excel and PowerPoint are the primary formats). In 2024–2025, SentinelLabs documented Macropack-obfuscated VBA macros with embedded .NET downloaders. Google Drive shared documents have also been used as a phishing delivery mechanism, with malicious RAR archives containing weaponized Excel workbooks delivered via an emailed link.

T1583.001 / T1586.002 — Credential Theft Domains / Compromised Accounts
  Since at least 2016, UNC1151 has registered spoof domains impersonating legitimate websites to capture credentials. Beyond the major platforms (Facebook, Google, Twitter), spoof domains target regional email services, local and national government agencies, and private businesses specifically in the five primary target countries. Stolen credentials are used both for intelligence collection (accessing victims' email accounts) and for Ghostwriter operations (publishing fabricated content through the compromised accounts and social media profiles of real officials).

T1505 / T1190 — Website Compromise for Influence Operations
  Ghostwriter's unique technical signature is the compromise of legitimate news sites and government portals to publish fabricated articles — content that appears to originate from trusted media sources rather than from overt propaganda channels. The Lithuanian news portal Kas Vyksta Kaune was compromised at least seven times between 2018 and 2020. Compromised website content is then screenshotted, shared on Telegram channels, and cited on Belarusian state television as evidence of the fabricated event.

T1059.005 / T1059.001 — VBA Macros / PowerShell Execution
  Malicious Office documents use VBA macros as the primary execution mechanism. Early campaigns delivered HIDDENVALUE and HALFSHELL directly. From 2022, macro execution deploys PicassoLoader as a first-stage downloader. SentinelLabs documented Macropack-obfuscated VBA macros in 2024–2025 campaigns, with ConfuserEx-obfuscated .NET downloaders as the second stage. PowerShell is used alongside VBA for payload execution and defense evasion steps.

T1027 / T1140 — Obfuscation / Payload Concealment
  PicassoLoader conceals its payload within image files to complicate detection — the payload is embedded in what appears to be a benign JPEG taken from publicly available stock photography. SentinelLabs documented TA2541 using .shop TLD domains to mirror legitimate website URLs exactly, changing only the top-level domain (e.g., copying sciencealert.com/images/... to sciencealert.shop/images/...) to host payload-embedded images. Base64 decoding via certutil.exe is also used to unpack payloads. ConfuserEx applies additional obfuscation to the .NET downloader stages.

T1547.001 / T1053.005 — Persistence: Registry Run Keys / Scheduled Tasks
  UNC1151 uses both Windows Registry Run keys and startup-directory shortcut files for persistence. Scheduled task creation has also been observed as an alternative persistence mechanism. The group abuses the Regasm utility to bypass application controls as part of its defense evasion approach, alongside binaries masquerading as legitimate software.

T1567 / T1041 — Hack-and-Leak / Exfiltration for IO
  Stolen documents and email communications are selectively published as part of Ghostwriter operations to damage the reputations of targeted governments and officials. The Dworczyk operation is the most high-profile example: a personal email account used for government communications was compromised, and leaked messages revealing politically sensitive correspondence became a prolonged Polish political scandal. Ghostwriter hack-and-leak operations specifically select content that reinforces pre-existing narrative themes rather than dumping data indiscriminately.

T1592 / T1591 — Target Reconnaissance (Pre-Election Targeting)
  UNC1151's targeting of Belarusian opposition figures, journalists, and civil society actors before the disputed 2020 presidential election — with subsequent arrests of several targeted individuals by Belarusian authorities — indicates systematic pre-election intelligence collection directly supporting the Lukashenko government's repression of domestic opposition. Similar pre-election intensification was observed ahead of the January 2025 Belarusian presidential election, with SentinelLabs documenting campaigns targeting the Belarusian opposition using lures about political prisoners.

Known Campaigns

Ghostwriter is a continuous campaign rather than a series of discrete operations. The following entries represent the major documented clusters across UNC1151's operational history.

Initial Ghostwriter / Fake NATO Narratives (2016–2020)

Mandiant's retroactive analysis traced Ghostwriter activity back to at least 2016, though the campaign was not formally identified until July 2020. Early operations targeted Lithuanian, Latvian, and Polish audiences with fabricated narratives critical of NATO's presence in Eastern Europe — promoting fictional accounts of NATO soldier misconduct, anti-US material, and false claims of nuclear facility incidents in Lithuania. The Lithuanian news portal Kas Vyksta Kaune was compromised at least seven times between 2018 and 2020 to publish fabricated stories as apparently legitimate local news. These narratives aligned with both Belarusian and Russian strategic interests in undermining NATO cohesion.

Belarusian Election Operations — Targeting Opposition and Dissidents (2019–2020)

In the year preceding the disputed August 2020 Belarusian presidential election, UNC1151 specifically targeted Belarusian media entities, opposition political figures, and journalists. Several individuals targeted by UNC1151 in this period were subsequently arrested by the Belarusian government following the election — a pattern that Mandiant identified as providing strong circumstantial evidence that UNC1151's intelligence collection was feeding directly into the Lukashenko government's domestic security apparatus. Post-election Ghostwriter operations promoted narratives discrediting the Belarusian opposition and Belarusian diaspora figures as Western-backed agitators.

Dworczyk Hack-and-Leak — Poland (Jun 2021–Sep 2022)

Ghostwriter members are suspected of compromising the personal email account of Michał Dworczyk, the Chief of Poland's Government Chancellery, who was also using the account for official government correspondence. Leaked messages were published beginning in June 2021 and continued through September 2022, with selected content released through Russian-language Telegram channels attributed to Ghostwriter — which Belarusian state television then cited as evidence of political scandals. Published messages included politically sensitive correspondence between government representatives and judicial officials. Dworczyk resigned, linking his decision to the damage the leak scandal caused to his ability to administer his duties. The operation was a textbook Ghostwriter hack-and-leak: targeted compromise, selective content release, Belarusian state media amplification.

German Bundestag Election Operations (2021)

Beginning in early 2021, UNC1151 expanded credential theft operations to specifically target German politicians — an expansion publicly reported by German media outlet Tagesschau. The German government attributed Ghostwriter activity to Russia's GRU in September 2021, citing the timing and content of operations targeting German federal parliamentary elections. The EU High Representative issued a formal declaration calling on Russia to cease Ghostwriter operations. Mandiant's independent assessment attributed the activity primarily to Belarus rather than directly to Russia's GRU, leaving the German government's attribution as the most prominent published assessment and a source of ongoing academic debate about the Belarus-Russia boundary within the operation.

Ukraine Invasion — Military Targeting Intensification (Feb 2022–Present)

Following Russia's February 2022 invasion of Ukraine, UNC1151 dramatically intensified phishing operations against Ukrainian targets. Google TAG and Mandiant reported a 300%+ increase in phishing volume versus the 2020 baseline. The actor introduced PicassoLoader as its primary malware delivery vehicle, with lures themed around Ukrainian military organizational documents, Ministry of Defense subjects, and refugee movement. Proofpoint documented a February 2022 campaign (Asylum Ambuscade) using compromised Ukrainian military email accounts to target European governments and organizations managing refugee movement. Cisco Talos documented a sustained campaign from April 2022 to July 2023 delivering PicassoLoader → Cobalt Strike + njRAT chains to Ukrainian and Polish government and military targets.

2025 Pre-Election Opposition Targeting — Belarus (Jan 2025)

SentinelLabs documented a January 2025 campaign immediately preceding the January 26, 2025 Belarusian presidential election, targeting Ukrainian government entities, Ukrainian military personnel, and — for the first time in documented Ghostwriter activity — domestic Belarusian opposition figures as explicit primary targets rather than incidental to broader EU/NATO-focused campaigns. Lures used included spreadsheets referencing political prisoners from Minsk courts, with content sourced from the proscribed Belarusian human rights organization Spring96. The campaign used Google Drive email delivery of RAR archives containing malicious Excel workbooks using simplified PicassoLoader implementations with .shop TLD infrastructure. The direct targeting of Belarusian opposition represents an evolution in scope — from external-facing influence operations to direct suppression of domestic political opposition.

Tools & Malware

  • HIDDENVALUE (custom .NET backdoor): UNC1151's primary custom malware, used in multiple operations targeting Ukraine and Poland. A .NET application with basic command-and-control functionality. Mandiant documented multiple variants supporting slightly different command sets. No code overlap has been observed between HIDDENVALUE and other known malware families. The malware represents UNC1151's core proprietary capability alongside HALFSHELL.
  • HALFSHELL (custom .NET malware): An earlier-phase custom malware used by UNC1151 before HIDDENVALUE became the primary tool. Like HIDDENVALUE, it is a .NET application providing basic remote command functionality. AttackIQ noted that prior to Russia's Ukraine invasion, HALFSHELL was the primary delivery tool, with UNC1151 then leveraging MicroBackdoor (open-source) for C2 operations in early 2022.
  • PicassoLoader (custom downloader — 2022+): A multi-stage downloader introduced in the 2022+ operational phase, used exclusively by Ghostwriter / UNC1151 — no other threat actor has been documented using PicassoLoader. Delivered via malicious Excel and PowerPoint documents with VBA macros. Downloads a next-stage payload embedded in a JPEG image file to complicate detection. PicassoLoader stages Cobalt Strike beacons, njRAT, and AgentTesla as final payloads. SentinelLabs documented simplified PicassoLoader implementations in the January 2025 campaign using ConfuserEx-obfuscated .NET downloaders.
  • Cobalt Strike: Commercial penetration testing framework used as a final payload delivered through PicassoLoader, providing interactive C2, lateral movement, and post-compromise capability beyond the initial malware foothold.
  • MicroBackdoor (open-source — early 2022): A lightweight open-source C2 tool used by UNC1151 in early 2022 prior to Russia's invasion, documented by Cluster25 as the group began preparing for the invasion-era campaign intensification.
  • Credential Phishing Infrastructure: UNC1151 registers spoof domains impersonating Facebook, Google, Twitter, regional email providers (ukr.net), and government portals in target countries. Since approximately 2022, the group migrated phishing page hosting to Cloudflare, providing HTTPS certificates and DDoS protection for credential collection pages. The spoofed domains are precisely targeted to the specific webmail and social media platforms used in target countries.

Indicators of Compromise

Key technical indicators from Mandiant (2021), Cisco Talos (2023), and SentinelLabs (February 2025). PicassoLoader-based IOCs are the most current and operationally relevant for detection in active campaigns.

Detection Note

UNC1151 uses Cloudflare for credential phishing page hosting and .shop TLD domains mirroring legitimate website URLs to host payload-embedded JPEG files. Static domain blocklists are limited in effectiveness — behavioral detection of VBA macro execution chaining to .NET downloader activity and outbound JPEG file fetches with hardcoded User-Agent strings provides higher-fidelity detection. CERT-UA advisories (UAC-0057 designation) should be monitored continuously for current campaign IOCs, particularly for Ukrainian-focused defenders.

Indicators of Compromise — Technical Identifiers

Excel hash, SHA-1 (Jan 2025): ebb30fd99c2e6cbae392c337df5876759e53730d — "политзаключенные(по судам минска).xls" (SentinelLabs Jan 2025)
Downloader hash (2025): 8d2bb96e69df059f279d97989690ce3e556a8318 — benign JPEG delivery vehicle (everythingandthedog[.]shop campaign)
Payload host (2024): everythingandthedog[.]shop — mirrors everythingandthedog.com; only the TLD changed
Payload host (2024): sciencealert[.]shop — mirrors sciencealert.com/images/...; VT upload Dec 19, 2024
User-Agent (hardcoded): Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
C2 TLD pattern: .shop TLD used consistently for payload hosting in 2024–2025 campaigns; domains mirror legitimate .com sites with only the TLD changed
Malware (exclusive): PicassoLoader — downloader exclusively associated with Ghostwriter / UNC1151 / UAC-0057 (no other actor documented using this tool)
Obfuscation tools: Macropack (VBA macro obfuscation); ConfuserEx (.NET downloader obfuscation) — documented in 2024 campaigns
Certutil LOLBin: certutil.exe -decode — used to decode base64-encoded payload files during installation
CERT-UA designator: UAC-0057 — CERT-UA tracking designation; CERT-UA advisories are the primary source for current IOCs targeting Ukrainian organizations
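The detection note above argues that behavioral signals (the hardcoded User-Agent, JPEG fetches from .shop mirrors) outlast static blocklists. As an added example, not code from the profile or from any vendor report, the script below applies those indicators to a few constructed web-proxy log lines: it flags the profile's hardcoded macOS/Chrome 97 User-Agent when a Windows process sends it, JPEG fetches from .shop hosts by Office, script-host or shell processes, and the two .shop payload hosts listed in the table, and it derives the .com name a .shop domain would be mirroring as an analyst pivot. The log format, workstation names, process set and the third host are assumptions; only the User-Agent string and the two listed .shop domains come from the profile.

```python
"""Triage constructed proxy log lines against the profile's PicassoLoader indicators.

Added example; assumed log format:  <ts> <workstation> <process> <method> <url> "<user-agent>"
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hardcoded User-Agent and payload hosts quoted in the profile's IoC table.
PICASSO_UA = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 "
    "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
)
KNOWN_PAYLOAD_HOSTS = {"everythingandthedog.shop", "sciencealert.shop"}

# Office, script hosts and shells that have no business fetching stock photos (assumption; tune per estate).
LOADER_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<ws>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)


@dataclass
class Verdict:
    ts: str
    workstation: str
    process: str
    host: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Exact-match indicators (UA string, listed host) outrank the generic .shop/JPEG pattern.
        if any(r.startswith(("hardcoded-ua", "known-host")) for r in self.reasons):
            return "high"
        return "medium" if self.reasons else "none"


def mirrored_com_domain(host: str):
    """For a .shop host, return the .com name it would mirror (the pivot the IoC table describes)."""
    host = host.lower()
    return host[: -len(".shop")] + ".com" if host.endswith(".shop") else None


def evaluate(line: str) -> Verdict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    proc = m["proc"].lower()
    v = Verdict(m["ts"], m["ws"], proc, host)

    # 1. The macOS Chrome 97 User-Agent sent from a Windows process: the profile's key behavioral signal.
    if m["ua"] == PICASSO_UA:
        v.reasons.append("hardcoded-ua: PicassoLoader User-Agent sent from a Windows process")
    # 2. Hosts listed in the profile's IoC table.
    if host in KNOWN_PAYLOAD_HOSTS:
        v.reasons.append(f"known-host: {host} listed as a PicassoLoader payload host")
    # 3. Generic pattern: a JPEG fetched from a .shop domain by an Office/script/shell process.
    if host.endswith(".shop") and url.path.lower().endswith((".jpg", ".jpeg")) and proc in LOADER_PARENTS:
        v.reasons.append(f"shop-jpeg: {proc} fetched a JPEG from a .shop host (mirror candidate {mirrored_com_domain(host)})")
    return v


# Constructed sample lines (not real telemetry): one full PicassoLoader pattern, one benign browser
# fetch, and one generic .shop JPEG download from PowerShell with an ordinary Windows User-Agent.
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    f'2025-01-20T10:14:03Z WS-0412 EXCEL.EXE GET https://everythingandthedog.shop/images/2024/dog.jpg "{PICASSO_UA}"',
    f'2025-01-20T10:15:11Z WS-0412 chrome.exe GET https://sciencealert.com/images/2024/telescope.jpg "{WINDOWS_UA}"',
    f'2025-01-20T10:16:42Z WS-0099 powershell.exe GET https://example-files.shop/assets/banner.jpg "{WINDOWS_UA}"',
]


def triage(lines):
    """Return only the verdicts that carry at least one reason, in log order."""
    verdicts = (evaluate(line) for line in lines)
    return [v for v in verdicts if v.reasons]


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(v.severity.upper(), v.workstation, v.process, v.host, "|", "; ".join(v.reasons))
```

Rule 3 is deliberately scoped to processes that should not be downloading images at all; a browser fetching a .jpg from a .shop site is normal traffic, which is why the second sample line produces nothing. Rules 1 and 2 alone would expire as soon as the actor rotates the string or the domains.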

Mitigation & Defense

  • Macro Execution Controls for Defense and Government Environments: UNC1151's primary delivery vector for malware remains malicious Office documents with VBA macros. Organizations in Ukraine, Poland, Lithuania, Latvia, and Germany — particularly government ministries, defense contractors, and media organizations — should enforce macro disablement through Group Policy for all users who do not have a documented business requirement for macro execution. Attack Surface Reduction rules in Microsoft Defender should specifically block Office applications from creating child processes and from injecting code into other processes.
  • Multi-Factor Authentication on All Email and Government Accounts: Credential theft through spoofed login pages is UNC1151's most consistent and long-running access vector. Strong MFA — preferably hardware security keys rather than SMS codes — on all government email, social media, and webmail accounts significantly limits the damage from successful credential phishing. The Dworczyk operation succeeded in part because a personal email account without adequate protection was being used for government communications — a practice that should be explicitly prohibited through policy.
  • PicassoLoader Detection — Image File Payload Fetches: PicassoLoader's signature behavior is fetching a payload-embedded JPEG from an external URL with a hardcoded User-Agent string. Monitor for processes (particularly Office applications, wscript.exe, or PowerShell) making HTTP GET requests to .shop TLD domains for JPEG files. The hardcoded User-Agent (Chrome/97.0.4692.71 on macOS, sent from Windows processes) is an anomalous behavioral signal that SIEM rules can target. PicassoLoader is exclusively associated with UNC1151 — any confirmed PicassoLoader detection is a high-confidence UNC1151 attribution indicator.
  • Monitor certutil.exe for Payload Decoding: UNC1151 uses certutil.exe -decode to decode base64-encoded payload files as part of its installation chain. Certutil executing with decode parameters alongside executable file targets is a well-documented living-off-the-land indicator. Alert on certutil.exe spawned from Office applications, wscript.exe, or PowerShell with -decode parameters targeting .exe or .dll output files.
  • Media Integrity Monitoring for Ghostwriter Detection: Ghostwriter's influence operations are detectable through systematic monitoring of news site content for unexpected articles, particularly those promoting anti-NATO narratives, false nuclear facility incidents, fabricated corruption scandals, or unverified document leaks. Organizations in the target regions — particularly national cybersecurity authorities, media organizations, and election integrity bodies — should implement content integrity monitoring for domestic news sites, flagging articles that appear without bylines, cite unverifiable source documents, or promote narratives rapidly amplified across known Ghostwriter-linked Telegram channels.
  • Spear-Phishing Awareness Specific to UNC1151 Themes: UNC1151 phishing lures in the 2022–2025 period have focused on Ukrainian military organization documents, political prisoner lists, and opposition-themed content. Train targeted personnel to verify the origin of Google Drive shared document links before downloading any attachment. For Ukrainian government and military personnel specifically, treat any unsolicited email with a Google Drive or cloud file link as requiring verification through out-of-band channels before opening.
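Two of the controls above, blocking Office applications from spawning child processes and alerting on certutil.exe -decode launched from Office, wscript.exe or PowerShell, reduce to rules over process-creation telemetry. The block below is an added example, not the profile's or any vendor's code, that evaluates both rules over constructed Sysmon-style process-creation events: the parent/child allowlist, the set of script hosts, the file paths and the event layout are assumptions; the certutil -decode chain itself is the one the profile documents.

```python
"""Evaluate constructed process-creation events against the two endpoint rules in the mitigation list.

Added example. Event fields mirror a Sysmon event 1 (ParentImage, Image, CommandLine); the
allowlists and sample paths are assumptions to be tuned per environment.
"""
import shlex
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Children Office legitimately spawns in many estates (assumption; extend after baselining).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "msosync.exe"}
PAYLOAD_EXTENSIONS = (".exe", ".dll")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def certutil_decode_target(command_line: str):
    """Return the output path of a `certutil [...] -decode <in> <out>` command line, else None."""
    try:
        args = shlex.split(command_line, posix=False)  # keep backslashes in Windows paths
    except ValueError:
        return None
    lowered = [a.lower() for a in args]
    if "-decode" not in lowered:
        return None
    idx = lowered.index("-decode")
    if len(args) < idx + 3:  # needs both <in> and <out> after the switch
        return None
    return args[idx + 2].strip('"')


def evaluate(ev: ProcessEvent) -> list:
    findings = []
    parent, image = basename(ev.parent_image), basename(ev.image)

    # Rule 1 (ASR-style): an Office application spawning any non-allowlisted child process.
    if parent in OFFICE_IMAGES and image not in OFFICE_CHILD_ALLOWLIST:
        findings.append(Finding("office-child-process", "medium", f"{parent} spawned {image}"))

    # Rule 2: certutil -decode from Office/script host/shell, writing an executable or DLL.
    if image == "certutil.exe" and parent in OFFICE_IMAGES | SCRIPT_HOSTS:
        out = certutil_decode_target(ev.command_line)
        if out and out.lower().endswith(PAYLOAD_EXTENSIONS):
            findings.append(Finding("certutil-decode-payload", "high", f"{parent} -> certutil -decode writing {out}"))
    return findings


# Constructed events (not real telemetry): the documented chain, a benign certutil use,
# a benign Office child, and a PowerShell-launched decode with a flag before the switch.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Users\alice\AppData\Local\Temp\photo.b64 C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\Users\alice\Downloads\root.cer"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil -f -decode C:\Users\alice\AppData\Local\Temp\img.txt C:\Users\alice\AppData\Local\Temp\helper.dll"),
]


def max_severity(findings: list) -> str:
    order = {"none": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = evaluate(ev)
        print(max_severity(hits).upper(), basename(ev.parent_image), "->", basename(ev.image),
              "|", "; ".join(f"{f.rule}: {f.detail}" for f in hits) or "no findings")
```

Rule 2 keys on the decode output extension rather than on certutil alone, since certificate verification and similar administrative uses of certutil are common; Rule 1 fires on the same first event, so a single macro-driven chain surfaces twice, which is the intended overlap between a blocking control and a detection.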

Analyst Note

The Belarus-Russia attribution question, while academically significant, may be operationally less important than the observed effect: Ghostwriter narratives consistently advance goals shared by both Belarus and Russia, have been amplified by Belarusian state television and Russian-language Telegram channels simultaneously, and have been formally condemned by Germany, the EU, and other Western governments. Whether the operational authority rests in Minsk, is partly delegated from Moscow, or reflects a genuinely collaborative structure, the effect is a persistent influence operation targeting NATO cohesion, European democratic processes, and Ukrainian morale — all objectives shared by the Russia-Belarus alignment. Defenders should note that UNC1151's technical infrastructure and the Ghostwriter influence campaign were designed with plausible deniability in mind — the use of compromised legitimate news sites rather than fake sites, selective use of real (stolen) documents rather than purely fabricated ones, and the ambiguity about Russian versus Belarusian attribution are all deliberate design choices that complicate both attribution and public response. PicassoLoader remains the most reliable technical indicator uniquely linking cyber activity to this actor — any confirmed detection warrants immediate escalation.

Sources & Further Reading

— end of profile