GhostShell Espionage Campaign Targets Ukrainian UAV Ecosystem via RAR Exploitation
A sophisticated espionage campaign has been identified targeting the unmanned aerial vehicle (UAV) infrastructure in Ukraine. This operation, attributed to an emergent threat actor dubbed GhostShell (Malwarebox ID MB-0009), utilizes a multi-stage infection chain that begins with the exploitation of RAR archive vulnerabilities to establish long-term persistence on target systems.
The attack vector relies on highly targeted social engineering. Threat actors distribute a malicious archive, Besomar_documentation.rar, alongside a collection of decoy PDF documents. These lures are meticulously crafted to mimic the documentation of Besomar, a prominent Ukrainian developer of fixed-wing drones. The decoy files are not generic; they are precision-engineered to appeal to specific roles within the defense sector, referencing UAV hardware, catapult systems, charging stations, and procurement workflows. Notably, the identical file sizes and timestamps (2026-06-06 16:39:42+02:00) across the decoy set suggest a single-build dropper optimized for various personas, including military units, technical staff, and defense procurement personnel.
Upon extraction, the archive leverages CVE-2025-8088 and CVE-2025-6218 to manipulate the file system. By utilizing complex relative path traversal, the exploit successfully copies a Visual Basic Script (VBS) loader into the Windows Startup folder, ensuring the malware executes automatically upon user login, regardless of the directory from which the archive was opened.
Technical analysis of the primary VBS loader (SHA-256: 28f58061348a1c54fa6e7ff6618630259618d4afdf78514d5fccfc993797cdff) reveals a compact, stealthy bootstrapper. The script employs Base64 encoding to hide its primary logic, which is then decoded in-memory and executed via the ExecuteGlobal method. Once active, the loader reaches out to the domain cloudaxis[.]cc to fetch two secondary Windows executables: 122.exe and update.exe.

Figure 1: A decoy hosting website used to camouflage malicious infrastructure (Source: Synaptic).
Technical Breakdown of the Payload: 122.exe
Detailed sandboxing via Kraken and MANTIS environments has provided a window into the core functionality of the GhostShell payload. The primary binary, 122.exe (SHA-256: ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3), is a PE32+ x86-64 GUI binary that utilizes advanced obfuscation techniques to evade detection.
The binary contains a significant 190 KB overlay starting at offset 0x19C64. Within the .rdata section, researchers identified a high-entropy encrypted blob accompanied by a sophisticated lookup table used for substitution. Through frequency analysis of repeating eight-byte blocks, the team successfully derived a fixed XOR key (d0cd4cb8d4673e28), which, when applied, reveals an embedded Portable Executable (PE) file.
Reverse engineering further uncovered a dual-path decryption routine implemented using both AVX2 and scalar code. The scalar loop utilizes a custom algorithm where the per-byte key is dynamically computed as (i * 7 - 0x58) & 0xFF, which is then XORed against the ciphertext. This indicates a high level of developmental maturity aimed at bypassing standard heuristic scanners.
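The two XOR schemes described in the preceding paragraphs, worked through as an added Python example that is not code from the original research or from the malware itself. The 8-byte key d0cd4cb8d4673e28 and the (i * 7 - 0x58) & 0xFF key schedule are taken from the analysis; the "encrypted blob" is constructed inside the script (a minimal PE-shaped buffer) so that it runs offline, and all function names are the example's own. It shows why positional frequency analysis recovers a fixed key from an encrypted PE (the image is dominated by zero padding, so the most common ciphertext byte in each key position is the key byte itself) and how an analyst confirms the result with a structural PE check rather than by eyeballing bytes.

```python
# Added example: recovering a repeating XOR key and unpacking an embedded PE.
# Illustrative analysis code written for this write-up; it is not the
# GhostShell binary's code nor Synaptic's tooling. The 8-byte key and the
# (i * 7 - 0x58) & 0xFF schedule come from the analysis text; the encrypted
# blob below is CONSTRUCTED here so the script runs offline.
from collections import Counter
import struct

FIXED_KEY = bytes.fromhex("d0cd4cb8d4673e28")  # key reported in the analysis


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encryption and decryption are the same op)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_fixed_xor_key(blob: bytes, key_len: int = 8) -> bytes:
    """Frequency analysis per key position.

    A PE image is dominated by 0x00 padding, so at each offset modulo key_len
    the most frequent ciphertext byte is (0x00 ^ key[j]) == key[j].
    """
    key = bytearray()
    for j in range(key_len):
        column = blob[j::key_len]
        key.append(Counter(column).most_common(1)[0][0])
    return bytes(key)


def scalar_decrypt(ciphertext: bytes) -> bytes:
    """Scalar counterpart of the dual-path routine: per-byte key from the index."""
    return bytes(c ^ ((i * 7 - 0x58) & 0xFF) for i, c in enumerate(ciphertext))


def scalar_encrypt(plaintext: bytes) -> bytes:
    """XOR is symmetric; separate name only for readability in the demo."""
    return scalar_decrypt(plaintext)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_pe_stub(size: int = 4096) -> bytes:
    """CONSTRUCTED stand-in for an embedded PE: MZ header, e_lfanew, PE signature
    and one string; the rest is zero padding, like a real image's slack space."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x200:0x200 + 23] = b"This program cannot run"
    return bytes(img)


def demo() -> dict:
    """Run the whole pipeline on the constructed sample and return the results."""
    inner_pe = build_constructed_pe_stub()
    rdata_blob = xor_repeating(inner_pe, FIXED_KEY)   # what would sit in .rdata
    recovered = recover_fixed_xor_key(rdata_blob)     # analyst does not know the key yet
    unpacked = xor_repeating(rdata_blob, recovered)
    stage2_ct = scalar_encrypt(inner_pe)              # second scheme, same plaintext
    return {
        "recovered_key": recovered.hex(),
        "fixed_path_is_pe": looks_like_pe(unpacked),
        "scalar_path_is_pe": looks_like_pe(scalar_decrypt(stage2_ct)),
    }


if __name__ == "__main__":
    print(demo())
```

The frequency approach fails if the plaintext has no dominant byte value per position (for example, an inner payload that is itself compressed or encrypted), which is exactly why the structural PE check is kept separate: a recovered key is only trusted once the decrypted output parses as the format the analyst expects.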

Figure 2: Visualizing the VBS loader logic (Source: Synaptic).
Command and Control (C2) Mechanics
The network telemetry indicates that the malware communicates with cdnexpress[.]cc, specifically targeting an /analytics endpoint. Interestingly, requests to this endpoint often result in a “Bad Request” response; this is not a server error, but rather a calculated defense mechanism. The malware requires a specific client certificate to establish authenticated communication with the C2, effectively filtering out unauthorized researchers or automated sandbox noise.

Figure 3: Overview of the global content delivery infrastructure (Source: Synaptic).
Takeaways and Mitigation
The GhostShell campaign distinguishes itself from commodity malware through its surgical precision. The combination of zero-click/one-click RAR exploitation, highly tailored social engineering, and robust, multi-stage encrypted payloads points toward a dedicated intelligence-gathering mission aimed at the Ukrainian defense supply chain.
To mitigate this threat, security teams should:
- Patch Immediately: Prioritize the remediation of vulnerabilities CVE-2025-8088 and CVE-2025-6218 in all RAR extraction utilities.
- Monitor File System Activity: Implement EDR rules to detect VBS scripts attempting to write to the Windows Startup directory via relative path traversal.
- Network Filtering: Block or strictly inspect all traffic directed toward cloudaxis[.]cc and cdnexpress[.]cc.
- Email & Web Security: Enhance filtering for archives containing decoy PDF documents that exhibit identical timestamps or file sizes, a known indicator of this campaign’s dropper.
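To make the file-system, archive and network items in the list above concrete, here is an added Python example that runs those checks over constructed sample telemetry. It is illustrative triage logic written for this write-up, not an EDR product's rule syntax and not Synaptic's tooling; the process names, file paths, archive member names and sizes are constructed, while the two C2 domains and the 2026-06-06 16:39:42+02:00 timestamp are the indicators quoted in the analysis.

```python
# Added example: triage checks for the Startup-folder persistence, archive
# path traversal, identical decoy set and C2 resolution indicators from the
# mitigations. Illustrative code written for this write-up; the telemetry,
# paths and member names below are CONSTRUCTED. Only the two C2 domains and the
# decoy timestamp come from the published analysis.
import ntpath
from collections import Counter

# Assumption: processes whose child file writes are worth matching; tune per environment.
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7z.exe", "unrar.exe", "explorer.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".bat", ".cmd"}
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
C2_DOMAINS = {"cloudaxis.cc", "cdnexpress.cc"}  # from the analysis (defanged there)


def is_startup_script_write(event: dict) -> bool:
    """FileCreate by an archive tool into a Startup folder with a script extension."""
    if event.get("type") != "FileCreate":
        return False
    proc = ntpath.basename(event.get("process", "")).lower()
    path = event.get("path", "").lower()
    ext = ntpath.splitext(path)[1]
    return proc in ARCHIVE_TOOLS and STARTUP_MARKER in path and ext in SCRIPT_EXTS


def archive_entry_escapes(entry_name: str) -> bool:
    """True when a member name would land outside the extraction directory:
    an absolute or drive-qualified path, or '..' segments that climb above it."""
    norm = entry_name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    depth = 0
    for part in norm.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:          # climbed above the extraction root
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def decoy_set_is_suspicious(listing: list, min_group: int = 3) -> bool:
    """Several PDFs sharing one (size, mtime) pair: the single-build dropper indicator."""
    pdfs = [m for m in listing if m["name"].lower().endswith(".pdf")]
    if len(pdfs) < min_group:
        return False
    groups = Counter((m["size"], m["mtime"]) for m in pdfs)
    return groups.most_common(1)[0][1] >= min_group


def is_c2_resolution(event: dict) -> bool:
    """DnsQuery for one of the listed C2 domains or a subdomain of one."""
    if event.get("type") != "DnsQuery":
        return False
    q = event.get("query", "").lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def triage(events: list, listing: list) -> list:
    """Return a list of finding strings for the given telemetry and archive listing."""
    findings = []
    for ev in events:
        if is_startup_script_write(ev):
            findings.append("startup-script-write:" + ev["path"])
        if is_c2_resolution(ev):
            findings.append("c2-dns:" + ev["query"].lower().rstrip("."))
    for member in listing:
        if archive_entry_escapes(member["name"]):
            findings.append("archive-traversal:" + member["name"])
    if decoy_set_is_suspicious(listing):
        findings.append("identical-decoy-set")
    return findings


SAMPLE_EVENTS = [  # CONSTRUCTED telemetry, not captured from the campaign
    {"type": "FileCreate", "process": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.vbs"},
    {"type": "FileCreate", "process": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\analyst\Downloads\Besomar\catapult_manual.pdf"},
    {"type": "DnsQuery", "process": r"C:\Windows\System32\wscript.exe", "query": "cloudaxis.cc"},
    {"type": "DnsQuery", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "example.org"},
]
SAMPLE_LISTING = [  # CONSTRUCTED archive member list; timestamp is the one from the analysis
    {"name": "catapult_manual.pdf", "size": 812344, "mtime": "2026-06-06T16:39:42+02:00"},
    {"name": "charging_station.pdf", "size": 812344, "mtime": "2026-06-06T16:39:42+02:00"},
    {"name": "procurement_workflow.pdf", "size": 812344, "mtime": "2026-06-06T16:39:42+02:00"},
    {"name": r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.vbs",
     "size": 4112, "mtime": "2026-06-06T16:39:42+02:00"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_LISTING):
        print(finding)
```

The Startup-folder check keys on the extracting process rather than on the archive utility's own path-handling flaw, so it keeps working for any future archive bug that produces the same effect; the traversal check is applied to the member list before extraction, which is where a mail or web gateway can act.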
For more detailed technical intelligence, refer to the original research by Synaptic Systems.