[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8zZZCaWb79WjCZFXBI9gpEnqfqu33aXnUXn7j83k6fc":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"d8c5d402-0a62-4153-96fd-0f647db46de9","New GhostShell Hacking Group Targets Ukraine’s Drone Defense Sector","new-ghostshell-hacking-group-targets-ukraine-s-drone-defense-sector-6af236","Researchers warn GhostShell is using fake drone documents to target Ukrainian defence teams, stealing passwords and sensitive data in a new cyber campaign.","Security researchers at Synaptic Systems discovered a new cyberattack campaign by GhostShell (tracked as MB-0009) targeting Ukraine's drone defense sector, including military units and supply chains, active since at least February 2026. The group uses decoy RAR archives containing fake Ukrainian-language drone documentation from real company Besomar to trick victims into executing hidden scripts that persist via Windows Startup folders. Once installed, the malware downloads multiple executables (122.exe, 22.exe, update.exe) that perform reconnaissance, steal credentials and cryptocurrency wallet data via Vidar v2 infostealer, and communicate with command servers at cloudaxiscc and cdnexpress.cc.","GhostShell hacking group targets Ukraine's drone defense sector with fake documents and credential-stealing malware.","New GhostShell Hacking Group Targets Ukraine’s Drone Defense Sector Researchers warn GhostShell is using fake drone documents to target Ukrainian defence teams, stealing passwords and sensitive data in a new cyber campaign. 
By Deeba Ahmed, June 24, 2026. A new cyberattack campaign has been discovered targeting Ukraine’s drone sector, including military units, supply chains, and volunteer groups. Security researchers at Synaptic Systems recently analysed the activity, named the group behind it GhostShell, and assigned it the tracking label MB-0009. Reportedly, it has been active since at least February 2026. How the Attack Works: GhostShell uses a trick called a decoy document to trap its targets. The group sent a malicious compressed archive named Besomar_documentation.rar. When opened, this archive secretly copies a hidden script into the Windows Startup folder. This step allows the malware to run every time the computer turns on. At the same time, the victim sees harmless-looking PDF documents. These documents are written in Ukrainian and pretend to be from Besomar, a real Ukrainian company that makes defense drones. The fake documents carry titles about drone configurations and charging stations to make the trap look believable. [Image: decoy PDF sample (Source: Synaptic Systems)] Stealing Information in the Background: Once the trap is sprung, the hidden script contacts a website called cloudaxiscc to download more malicious programs. Synaptic Systems found three specific harmful files linked to this setup: 122.exe, 22.exe, and update.exe. These files are listed with their unique digital fingerprints as shown in the image below. [Image: file list with hashes (Credit: Synaptic Systems)] The main file, 122.exe, acts as a spy program. It takes screenshots of the victim’s desktop, gathers computer names, and sends this data back to a server named cdnexpress.cc. Another file, update.exe, hides by pretending to be an official Windows security service. It even uses a Telegram page link to find its command server. Alongside this, there’s a third file titled 22.exe. 
This is the file that drops a well-known data-stealing program called Vidar v2. The malware then starts collecting saved internet passwords, history, and cryptocurrency wallet information from the infected machine. Researchers noted in their technical report that, although this campaign aims to disrupt Ukrainian defense networks, they would exercise caution before blaming a specific country. Using their specialised evaluation method, called the SOLBIT model, Synaptic Systems explained that surface details like language are easy for hackers to fake. For now, GhostShell is being tracked as an independent, highly organised group of cybercriminals, and researchers are continuing to monitor their activities for any new threats. Photo by Yulii Shtel on Unsplash","https:\u002F\u002Fhackread.com\u002Fghostshell-hacking-group-ukraine-drone-defense-sector\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fhacking-group-ghostshell-ukraines-defense-drone-networks.jpg","2026-06-24T15:11:28+00:00","2026-06-24T16:00:22.431072+00:00",9,[18,21,24,27,30],{"name":19,"type":20},"GhostShell","threat_actor",{"name":22,"type":23},"MB-0009","campaign",{"name":25,"type":26},"Synaptic Systems","vendor",{"name":28,"type":29},"Besomar","product",{"name":31,"type":32},"Windows Startup folder persistence","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":33,"icon":35,"name":36,"slug":37},null,"Nation-state","nation-state",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55,59],{"type":56,"value":57,"context":58},"domain","cdnexpress.cc","Command and control server receiving exfiltrated data (screenshots, system info)",{"type":48,"value":60,"context":61},"Vidar v2","Information stealer targeting saved passwords, browser history, and cryptocurrency wallets"]