New publication. Ghostwriter (UNC1151).
Ghostwriter (UNC1151) has become one of the most closely tracked threat actors operating against Ukraine, NATO members, and Eastern European governments.
Over nearly a decade of activity, the group has combined credential harvesting, malware deployment, website compromises, cyber espionage, and coordinated influence operations targeting government institutions, military personnel, journalists, media organizations, and political actors. Public reporting has linked Ghostwriter to Belarusian military intelligence, while multiple government assessments and threat intelligence investigations have also pointed to coordination with Russian military structures and broader geopolitical objectives.
This report presents a comprehensive OSINT-based analysis of Ghostwriter, covering its attribution, organizational structure, operational evolution, targeting patterns, infrastructure, malware ecosystem, and technical tradecraft. It examines how the group gains initial access, establishes persistence, manages command-and-control infrastructure, and integrates cyber operations with information operations as part of a long-term hybrid campaign.
The report also reviews publicly identified infrastructure operators, operational timelines, malware families, and the group’s most recent campaigns targeting Ukrainian government institutions and other strategic organizations across Europe.
By combining open-source reporting, government assessments, technical research, and publicly available intelligence, the report provides a structured overview of one of the most persistent hybrid threat actors operating in the European cyber landscape.