A newly identified malware cluster known as GhostShell has been found actively targeting Ukraine’s drone operations and its broader defense supply chain.
The campaign uses a sophisticated combination of techniques, including a mutual TLS implant and a Telegram-based dead-drop resolver, to quietly establish persistence inside targeted networks.
The threat actor behind this operation has been active since at least February 2026 and its methods suggest a deliberate focus on organizations connected to Ukrainian UAV technology.
The malware arrives through a booby-trapped archive named Besomar_documentation.rar, which exploits two archive-handling vulnerabilities, CVE-2025-8088 and CVE-2025-6218.
Once opened, the archive silently drops a malicious script into the Windows Startup folder, ensuring the malware runs every time the system starts.
The archive also carries a set of decoy PDF files designed to impersonate Besomar, a Ukrainian company known for building high-precision fixed-wing drones used in defense applications.

Researchers at Synaptic Security, who published a detailed report shared with Cyber Security News (CSN), tracked the cluster and named it GhostShell, assigning it the identifier MB-0009.
The decoy documents were tailored to cover military units, technical staff, procurement personnel, and volunteer organizations inside Ukraine’s drone ecosystem.
This broad targeting pattern strongly suggests the actor is interested not just in individual operators, but in the full supply chain supporting UAV deployments.
The malware delivers three distinct payloads after the initial script runs, each taking a different path to reach back to the attacker.
One payload establishes a persistent implant, another uses a Telegram channel as a live resolver to retrieve the attacker’s server address, and a third tunnels stolen data through an encrypted proxy.
The use of separate communication channels makes it harder for defenders to cut off all access at once, pointing to a carefully planned operation.
GhostShell Malware Uses mTLS Implant and Telegram Dead-Drop
The first payload, named 122.exe, acts as a loader that decrypts and runs a Stage-2 implant directly in memory without writing anything visible to disk.

The implant communicates with the command server over HTTPS and authenticates using a custom client certificate issued by a private authority labeled “GhostShell Implant CA.”
This mutual TLS approach means the server will only respond to connections that carry the correct certificate, blocking outside attempts to probe or intercept the traffic.
The second payload, update.exe, disguises itself as the Windows Security Health Service and uses a Telegram channel at t.me/flufff6262 as a dead-drop resolver.
It fetches an encoded value from that channel, decodes it to get the attacker’s live server address, and then injects a shellcode payload that connects back over HTTPS. By storing the server address on Telegram, the actor can rotate the destination without rebuilding or redeploying anything.
The third component, 22.exe, is a Go-based launcher that wraps a full tunneling client inside itself. It sets up an encrypted proxy connection and delivers Vidar v2, a known infostealer, entirely in memory.
Vidar can harvest browser passwords, cookies, cryptocurrency wallet data, messaging app files, and screenshots, sending everything out through the encrypted tunnel in a way that is difficult to detect on the network.
Attack Chain and Defense Recommendations
The full attack chain starts with the malicious RAR archive, which exploits a known vulnerability to plant a startup script without requiring any special interaction beyond opening the file.

The script then downloads the three payloads from a delivery domain registered in February 2026. Each payload uses a different registrar and hosting provider, a deliberate choice to avoid a single point of disruption.
Organizations working within or alongside Ukraine’s defense sector should treat unexpected compressed archives with caution, especially those referencing drone hardware or procurement materials.
Blocking access to newly registered domains at the network perimeter can reduce exposure to this type of staged delivery.
Security teams should also look for mTLS client certificates with the issuer string “GhostShell Implant CA” in captured traffic, as this value serves as a reliable detection anchor across all future samples tied to this cluster.
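One way to act on that detection anchor, as an added example that is not from the Synaptic Security report or from any tool it names: a standard-library Python check that pulls the issuer commonName out of a DER or PEM certificate and compares it with the issuer string above. The `build_stub_certificate` and `wrap_pem` helpers and the sample data are constructed for this example; they produce an unsigned, structurally valid stand-in, not a real sample. A caveat when hunting in captured traffic: the client certificate is visible in the handshake only for TLS 1.2, because TLS 1.3 encrypts the Certificate message, so for TLS 1.3 sessions the check has to run on certificates recovered from endpoints (such as the client.cert.pem file in the indicator list, or the certificate extracted from config.pfx) rather than on the wire.

```python
"""Check X.509 certificates for the GhostShell private CA issuer string.

Standard-library only: a small DER walker that pulls the issuer commonName
out of a certificate (DER or PEM) so the issuer named in the report can be
matched against certificates recovered from disk or from a TLS 1.2
Certificate handshake message. Example code written for this article, not
from the report or from any tool it names.
"""
import base64
import re

GHOSTSHELL_ISSUER_CN = "GhostShell Implant CA"  # issuer string named in the report
_OID_COMMON_NAME = bytes.fromhex("550403")      # DER body of OID 2.5.4.3 (id-at-commonName)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    """Split the body of a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def to_der(cert: bytes) -> bytes:
    """Accept a PEM or DER certificate and return the raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(m.group(1)) if m else cert


def issuer_common_name(cert: bytes):
    """Return the issuer CN of an X.509 certificate, or None if it has none."""
    tag, body, _ = _read_tlv(to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(body, 0)                # tbsCertificate is the first element
    fields = _children(tbs)
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer, validity, subject, ...
    issuer = fields[3][1] if fields[0][0] == 0xA0 else fields[2][1]
    for _, rdn in _children(issuer):              # Name = SEQUENCE OF RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):             # AttributeTypeAndValue = SEQUENCE { OID, value }
            oid, value = _children(atv)
            if oid[1] == _OID_COMMON_NAME:
                return value[1].decode("utf-8", "replace")
    return None


def is_ghostshell_cert(cert: bytes) -> bool:
    """True when the certificate's issuer CN matches the report's private CA."""
    return issuer_common_name(cert) == GHOSTSHELL_ISSUER_CN


# ---- constructed test data: an unsigned, structurally valid stand-in, not a real sample ----

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    width = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | width]) + n.to_bytes(width, "big") + body


def _name(cn: str) -> bytes:
    """Encode a Name holding a single CN attribute (UTF8String)."""
    atv = _tlv(0x30, _tlv(0x06, _OID_COMMON_NAME) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def build_stub_certificate(issuer_cn: str, subject_cn: str) -> bytes:
    """Build a minimal unsigned DER certificate skeleton for exercising the parser."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))           # [0] version = v3
        + _tlv(0x02, b"\x01")                      # serialNumber
        + sha256_rsa                               # signature algorithm
        + _name(issuer_cn)
        + _tlv(0x30, _tlv(0x17, b"260201000000Z") + _tlv(0x17, b"270201000000Z"))  # validity
        + _name(subject_cn)
        + _tlv(0x30, b"")                          # SubjectPublicKeyInfo placeholder (empty)
    )
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00"))  # no real signature


def wrap_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (for exercising the PEM path)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    stub = build_stub_certificate(GHOSTSHELL_ISSUER_CN, "stub-implant")
    print("issuer CN:", issuer_common_name(stub), "| flagged:", is_ghostshell_cert(stub))
```

The parser deliberately walks only the fields it needs (it stops at the issuer Name and ignores extensions and the signature), which keeps it independent of third-party libraries; where the `cryptography` package is available, `x509.load_pem_x509_certificate(...).issuer` gives the same answer with full validation.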
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 28f58061348a1c54fa6e7ff6618630259618d4afdf78514d5fccfc993797cdff | Besomar_documentation.rar – initial delivery archive |
| SHA-256 | ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3 | 122.exe – XOR-overlay loader (Stage-1) |
| SHA-256 | 8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25 | 22.exe – Go-based Xray/Vidar v2 launcher |
| SHA-256 | b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012 | update.exe – in-memory HTTPS stager |
| SHA-256 | 423c98b9a8ad09bbb0aa24e86c23095ef6a26e30b3db07358927929d2fb2ecb3 | client.key.pem – implant private key |
| SHA-256 | 1d6f3e8583ce84b892097a03b0d4525850f8d3c59dea56482f17e5c44422dc89 | client.cert.pem – mTLS client certificate |
| SHA-256 | c91874dc34e991e614060d6f16da7d4680e5eb7d36fba489644863f4c6c8cf66 | config.pfx – PKCS#12 container extracted from implant |
| SHA-256 | c83272741d42a7aa738fbad85e21d0565e50cbf3b72f32b835c225965b3cc207 | 122_stage2_unpacked.bin – unpacked Stage-2 implant binary |
| SHA-256 | cff6007dbb9826d0a08865f47a71b31e90c5067c637ac863e360315da984f107 | MicrosoftUpdate-1.302.1609.vbs – Startup persistence script |
| SHA-256 | a938b7291dbdcdcadb67d560b94bfee366e7f97f06d6f666b25e298c442d8542 | БпЛА Besomar 3210.pdf – decoy drone product document |
| SHA-256 | c5c458a7b1bdfa3cbffdbcd0791912ff19267ad2808a5266a9975b22a53e73e0 | Зарядна станція.pdf – decoy charging station document |
| SHA-256 | e4d377b339f96c69c3001b854b22decae41883bd31f2f5a8c20f57d931ae0b44 | Катапульта.pdf – decoy catapult document |
| SHA-256 | 59842745dafd1537c3e2187f82fae7791e646a74251fe20d6c8ebaadf5720880 | Комплектація БпЛА Besomar.pdf – decoy UAV configuration document |
| SHA-256 | 54218a8f2d1acc5d1beb576b970bb5333a4b78b05493754d2d1457ebf22a0ac1 | Модифікація Besomar 3210-N.pdf – decoy modification document |
| SHA-256 | 3ec6c91d68b416381ac9f6310a9e011f4060369c63416021864a6d5b91e97dc4 | Переваги співпраці.pdf – decoy collaboration benefits document |
| SHA-256 | a8dfa5a35f30c1789ce08b7e16660423bb1545fc8ec7411d24cfd41d1439bb45 | Про компанію.pdf – decoy about the company document |
| Domain | cloudaxis[.]cc | Stage-1 payload delivery domain (registered February 2026) |
| Domain | cdnexpress[.]cc | Stage-2 mTLS C2 domain |
| IP Address | 154.58.204[.]149 | cloudaxis.cc hosting IP (Madrid/Cogent, AS214036 Ultahost) |
| IP Address | 5.252.177[.]88 | cdnexpress.cc C2 IP (MivoCloud, AS39798) |
| IP Address | 5.181.156[.]168 | Xray VLESS tunnel endpoint, port 25475 (MivoCloud, AS39798) |
| IP Address | 86.54.25[.]2 | Runtime Metasploit C2 IP resolved via Telegram dead-drop |
| URL | https://cloudaxis[.]cc/gsmft/yueu/fkvqld/tvqqwh/ushu/122.exe | Download URL for 122.exe loader |
| URL | https://cloudaxis[.]cc/gsmft/yueu/fkvqld/tvqqwh/ushu/22.exe | Download URL for 22.exe launcher |
| URL | https://cloudaxis[.]cc/gsmft/yueu/fkvqld/tvqqwh/ushu/update.exe | Download URL for update.exe stager |
| URL | https://cdnexpress[.]cc/analytics | Stage-2 implant C2 beacon endpoint |
| URL | https://t[.]me/flufff6262 | Telegram dead-drop channel used to resolve live C2 address |
| File Name | Besomar_documentation.rar | Initial lure archive exploiting CVE-2025-8088/CVE-2025-6218 |
| File Name | 122.exe | Stage-1 XOR-overlay loader |
| File Name | update.exe | In-memory HTTPS stager masquerading as Windows Security Health Service |
| File Name | 22.exe | Go-based Xray-Core launcher delivering Vidar v2 |
| File Name | MicrosoftUpdate-1.302.1609.vbs | Startup persistence VBS script |
| Certificate Issuer | CN=GhostShell Implant CA | Self-named private CA issuer hardcoded in the C2 builder – primary cluster pivot |
| Certificate Subject | CN=ed6e62814295701f | Per-implant identifier embedded in the mTLS client certificate |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.