GhostShell Espionage Campaign Targets Ukraine’s UAV Sector with RAR Exploit
A newly uncovered cyberespionage campaign, attributed to an emerging threat actor dubbed GhostShell (Malwarebox ID MB-0009), is targeting Ukraine’s unmanned aerial vehicle (UAV) ecosystem. The operation leverages a malicious RAR archive Besomar_documentation.rar containing decoy PDFs mimicking documents from Besomar, a Ukrainian fixed-wing drone developer.
The attack exploits two vulnerabilities, CVE-2025-8088 and CVE-2025-6218, during archive extraction to deploy a VBS loader in the Windows Startup folder, ensuring persistence regardless of the archive’s working directory. The sample (SHA-256: 28f58061348a1c54fa6e7ff6618630259618d4afdf78514d5fccfc993797cdff) was initially misattributed to another cluster (UAC-0226) but exhibits distinct tradecraft and infrastructure.
The decoy PDFs, identical in size and timestamped June 6, 2026, reference UAV hardware, charging stations, and procurement documents, suggesting a tailored social engineering approach aimed at military units, technical staff, procurement personnel, and defense-sector partners. According to a report by Synaptic, the campaign has been active since at least February 2026.
The VBS loader acts as a bootstrapper, decoding a Base64-encoded payload in memory and fetching two executables from cloudaxis[.]cc (/gsmft/yueu/fkvqld/tvqqwh/ushu/122.exe and update.exe). The domain, registered in February 2026, hosts a decoy public site while concealing the malicious endpoints behind 404-style responses.
Analysis of the executables 122.exe (SHA-256: ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3) and 22.exe (SHA-256: 8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25) reveals sophisticated encryption. 122.exe carries an encrypted overlay that is decrypted with a fixed XOR key (d0cd4cb8d4673e28), exposing an embedded PE. The malware employs a custom decryption routine with AVX2 and scalar code paths, deriving a per-byte key as ((i*7 - 0x58) & 0xFF) for byte index i to decrypt its payloads.
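As an added triage example (not code from the report or from the malware), the Python below carves the overlay of a PE file and checks whether the fixed XOR key reported above, read either as ASCII text or as hex bytes (the report does not say which), yields an embedded MZ/PE header; it also produces the reported per-byte keystream, assuming XOR is the combining step. The helper names, build_toy_pe, and the sample it constructs are hypothetical and exist only so the check runs offline.

```python
import struct

# Fixed XOR key reported for the 122.exe overlay; both interpretations are tried.
OVERLAY_KEY = "d0cd4cb8d4673e28"
KEY_CANDIDATES = {"ascii": OVERLAY_KEY.encode(), "hex": bytes.fromhex(OVERLAY_KEY)}

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def per_byte_keystream(length: int) -> bytes:
    """Second-stage per-byte key as reported: (i*7 - 0x58) & 0xFF for byte index i.
    The report does not state how the key is applied; XOR is assumed here."""
    return bytes((i * 7 - 0x58) & 0xFF for i in range(length))

def pe_end_of_sections(pe: bytes) -> int:
    """Offset where the last section's raw data ends; anything after it is overlay."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, lfanew + 20)[0]   # SizeOfOptionalHeader
    sect, end = lfanew + 24 + opt_size, 0                     # first section header
    for _ in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + 16)
        end = max(end, raw_ptr + raw_size)
        sect += 40                                            # IMAGE_SECTION_HEADER size
    return end

def find_xor_overlay_pe(pe: bytes):
    """Decrypt the overlay with each key reading; return the one that exposes a PE, else None."""
    overlay = pe[pe_end_of_sections(pe):]
    for name, key in KEY_CANDIDATES.items():
        plain = xor_repeating(overlay, key)
        if plain[:2] == b"MZ" and len(plain) >= 0x40:
            lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
            if plain[lfanew:lfanew + 4] == b"PE\0\0":
                return name
    return None

def build_toy_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (one 16-byte section, no valid code) for offline testing only."""
    lfanew, opt_size = 0x40, 0
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0)
    raw_ptr = lfanew + len(coff) + 40
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 16, 0x1000, 16, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return hdr + coff + sect + b"\x90" * 16 + overlay
```

Running it on a real sample means reading the file and calling find_xor_overlay_pe on its bytes; a hit names which key reading decrypted the overlay and is a cheap first-pass signal before deeper analysis.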
Network telemetry shows the loader contacting cdnexpress[.]cc and posting data to an /analytics endpoint, with the server requiring client certificate authentication. GhostShell’s infrastructure avoids uniform registration patterns, complicating tracking.
The campaign’s focus on Ukraine’s UAV sector, combined with zero-click RAR exploits, tailored decoys, robust persistence, and multi-stage encrypted payloads, indicates a targeted intelligence-gathering operation rather than opportunistic cybercrime.
Source: https://gbhackers.com/vbs-in-ukraine-uav-malware/
IRON Cluster cybersecurity rating report: https://www.rankiteo.com/company/iron-cluster
"id": "IRO1782289540",
"linkid": "iron-cluster",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Military units, technical '
'staff, procurement personnel, '
'and defense-sector partners',
'industry': 'Unmanned Aerial Vehicles (UAV)',
'location': 'Ukraine',
'name': 'Besomar',
'type': 'Defense contractor'}],
'attack_vector': 'Malicious RAR archive with decoy PDFs',
'data_breach': {'data_encryption': 'Custom encryption with XOR and '
'AVX2/scalar routines',
'data_exfiltration': 'Likely (malware contacts C2 servers)',
'file_types_exposed': ['PDF', 'PE executables'],
'sensitivity_of_data': 'High (military/defense-related)',
'type_of_data_compromised': 'UAV hardware, charging stations, '
'and procurement documents'},
'date_detected': '2026-06-06',
'description': 'A newly uncovered cyberespionage campaign, attributed to an '
'emerging threat actor dubbed *GhostShell*, is targeting '
'Ukraine’s unmanned aerial vehicle (UAV) ecosystem. The '
'operation leverages a malicious RAR archive '
'*Besomar_documentation.rar* containing decoy PDFs mimicking '
'documents from *Besomar*, a Ukrainian fixed-wing drone '
'developer. The attack exploits two vulnerabilities, '
'CVE-2025-8088 and CVE-2025-6218, during archive extraction to '
'deploy a VBS loader in the Windows Startup folder, ensuring '
'persistence. The campaign has been active since at least '
'February 2026 and focuses on intelligence-gathering in '
"Ukraine's UAV sector.",
'impact': {'operational_impact': 'Potential compromise of UAV-related '
'intellectual property and procurement data',
'systems_affected': 'Windows systems with Startup folder '
'persistence'},
'initial_access_broker': {'backdoors_established': 'VBS loader in Windows '
'Startup folder',
'entry_point': 'Malicious RAR archive with decoy '
'PDFs',
'high_value_targets': 'Ukraine’s UAV sector '
'(military/defense)'},
'investigation_status': 'Ongoing',
'motivation': 'Intelligence-gathering',
'post_incident_analysis': {'root_causes': 'Exploitation of CVE-2025-8088 and '
'CVE-2025-6218 via malicious RAR '
'archive'},
'references': [{'source': 'Synaptic'}],
'response': {'third_party_assistance': 'Synaptic (reporting)'},
'threat_actor': 'GhostShell (Malwarebox ID MB-0009)',
'title': 'GhostShell Espionage Campaign Targets Ukraine’s UAV Sector with RAR '
'Exploit',
'type': 'Cyberespionage',
'vulnerability_exploited': ['CVE-2025-8088', 'CVE-2025-6218']}