New Hacking Group GhostShell Targets Ukraine’s Defense Drone Networks


Researchers warn GhostShell is using fake drone documents to target Ukrainian defence teams, stealing passwords and sensitive data in a new cyber campaign.


A new cyberattack campaign has been discovered targeting Ukraine’s drone sector, including military units, supply chains, and volunteer groups. Security researchers at Synaptic Systems recently analysed the activity, named the group behind it GhostShell and assigned it the tracking label MB-0009. The group has reportedly been active since at least February 2026.


How the Attack Works

GhostShell relies on a decoy document to lure its targets. Victims receive a malicious RAR archive named Besomar_documentation.rar. When it is opened, a hidden script is quietly copied into the Windows Startup folder. This is a simple persistence mechanism: Windows runs everything in that folder each time the user logs on, so the script runs again after every reboot.

At the same time, the victim is shown harmless-looking PDF documents. They are written in Ukrainian and purport to come from Besomar, a real Ukrainian company that makes defence drones. Their titles refer to drone configurations and charging stations to make the lure believable.

Decoy PDF sample (Source: Synaptic Systems)


Stealing Information in the Background

Once the script is running, it contacts a domain identified in the report as cloudaxiscc to download further payloads. Synaptic Systems identified three malicious files linked to this stage: 122.exe, 22.exe, and update.exe.

The report lists each file together with its hash, as shown in the image below.

Credit: Synaptic Systems

The main file, 122.exe, acts as a spy component. It captures screenshots of the victim’s desktop, collects the computer’s hostname, and sends this data to a server named cdnexpress.cc. Another file, update.exe, hides by posing as an official Windows security service. It retrieves the address of its command server from a Telegram page, a dead-drop technique that lets the operators change servers without modifying the malware itself.

The third file, 22.exe, drops Vidar v2, a well-known information stealer. Once it runs, it harvests saved browser passwords, browsing history, and cryptocurrency wallet data from the infected machine.
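The three observable stages described above (a script written into the Startup folder, a process posing as a Windows security service that resolves a Telegram page, and lookups of the named exfiltration host) each leave a trace in endpoint telemetry. The following triage rules, written as an added example and not part of Synaptic Systems’ report or tooling, run over constructed Sysmon-style events rendered as JSON. The field names ("event", "image", "target", "query"), the user and file paths, and the security-service file names are assumptions for illustration; the masquerade rule generalises the report’s observation into a standard check for Windows component names running outside the Windows directory.

```python
"""Triage rules for the GhostShell infection chain described above.

Added example, not Synaptic Systems' tooling. The log lines are constructed
Sysmon-style events rendered as JSON; the field names ("event", "image",
"target", "query") are assumptions, not a real EDR schema.
"""
import json
from pathlib import PureWindowsPath

# Exfiltration host named in the report. The first-stage download host is
# given on the page only as "cloudaxiscc" (no TLD), so it is not listed here.
KNOWN_C2 = ("cdnexpress.cc",)

# Stage one: a script written into a per-user or all-users Startup folder.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup\""[:-1]
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd",
               ".ps1", ".hta", ".lnk"}

# Stage two: a binary posing as a Windows security service. The names are
# genuine Windows components; the rule fires only when one of them runs from
# outside the directories Windows installs them in (masquerading, T1036).
SECURITY_BINARIES = {"msmpeng.exe", "securityhealthservice.exe", "nissrv.exe",
                     "wuauclt.exe", "svchost.exe", "mpcmdrun.exe"}
WINDOWS_DIRS = (r"c:\windows" + "\\", r"c:\program files\windows defender" + "\\",
                r"c:\programdata\microsoft\windows defender" + "\\")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "telegram.exe"}


def check_event(ev: dict) -> list[str]:
    """Return the rule names an event trips; an empty list means clean."""
    hits: list[str] = []
    kind = ev.get("event")
    image = ev.get("image", "").lower()
    if kind == "file_create":
        target = ev.get("target", "").lower()
        if STARTUP_MARKER in target and PureWindowsPath(target).suffix in SCRIPT_EXTS:
            hits.append("startup_script_persistence")
    elif kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in KNOWN_C2):
            hits.append("known_c2_domain")
        # update.exe reads its C2 address from a Telegram page; a non-browser
        # process resolving t.me is the observable side of that dead drop.
        if q in ("t.me", "telegram.me") and PureWindowsPath(image).name not in BROWSERS:
            hits.append("telegram_dead_drop_lookup")
    elif kind == "process_create":
        name = PureWindowsPath(image).name
        if name in SECURITY_BINARIES and not image.startswith(WINDOWS_DIRS):
            hits.append("security_service_masquerade")
    return hits


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Run every rule over JSON log lines; map rule name -> offending images."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        ev = json.loads(line)
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev.get("image", ""))
    return findings


# Constructed telemetry: one event per stage plus two benign look-alikes.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docs.vbs"},
    {"event": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\olena\Downloads\Besomar_documentation\config.pdf"},
    {"event": "process_create", "image": r"C:\ProgramData\SecurityHealthService.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\SecurityHealthService.exe"},
    {"event": "dns_query", "image": r"C:\Users\olena\AppData\Local\Temp\122.exe",
     "query": "cdnexpress.cc"},
    {"event": "dns_query", "image": r"C:\ProgramData\update.exe", "query": "t.me"},
    {"event": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "t.me"},
]]

if __name__ == "__main__":
    for rule, images in scan(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(images)}")
```

The benign events are there on purpose: a PDF dropped outside the Startup folder, the real SecurityHealthService.exe under System32, and a browser resolving t.me all pass, while the four malicious events each trip exactly one rule. In production the Telegram rule in particular needs an allow-list tuned to the environment (the desktop Telegram client and any browsers in use), otherwise it will page analysts for ordinary user traffic.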

In their technical report, the researchers noted that although the campaign clearly targets Ukrainian defence networks, they would exercise caution before attributing it to a specific country. Applying their own evaluation method, the SOLBIT model, Synaptic Systems pointed out that surface details such as the language of the lures are easy for attackers to fake.

For now, GhostShell is tracked as an independent, well-organised criminal group, and researchers continue to monitor its activity for new developments.

Photo by Yulii Shtel on Unsplash

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.