Your email security sandbox pulls an email, follows the link, lands at the delivery URL. It gets back a clean PDF. No malware. Passes inspection. The email reaches the inbox. The actual target opens the same link from their government IP in Kyiv, and gets a malicious RAR archive with a JavaScript payload that profiles tools, delivers Cobalt Strike Beacon, and begins credential harvesting.
This is what Ghostwriter's campaign against Ukrainian government bodies has looked like since March 2026.
Who is Ghostwriter
Ghostwriter, also tracked as UAC-0057, Storm-0257, and FrostyNeighbor, is a Belarus-aligned threat group that runs both cyber espionage and influence operations against Ukraine and neighboring countries. The group has been active for several years. This campaign is their latest operational cycle: targeted spearphishing of Ukrainian government entities, with the lure impersonating Ukrtelecom.
The attack chain
The delivery document is a PDF. The PDF contains a link. When the recipient clicks the link, the server checks the source IP address.
If the IP is outside Ukraine, the server serves a clean, benign PDF document. A sandbox, a threat researcher's VPN exit node, an email security gateway pulling from any cloud datacenter: all of them get the clean file. The campaign looks like zero threat.
If the IP resolves to Ukraine, the server serves a RAR archive containing a JavaScript payload. The payload performs two actions in parallel: it displays a legitimate-looking lure document to keep the cover story running, and it launches PicassoLoader in the background.
PicassoLoader's job is to profile the host and report back to the operators. Based on what comes back, the Ghostwriter operators manually decide whether to push a third-stage payload. If the machine looks interesting, they deliver a JavaScript dropper for Cobalt Strike Beacon.
The manual review step is important. It means the operators are not burning Cobalt Strike on every click. They are selecting targets within the already-targeted Ukrainian government recipients.
Why this matters outside Ukraine
Geofencing as a delivery control is not new. Nation-state operators have been using IP-based filtering to protect payloads for years. What has changed is that it is now appearing in documented, mid-scale campaigns as a routine technique, not a rare sophistication signal.
Every automated email security product that follows links from cloud-hosted infrastructure is served the benign file and clears the message. The geofence is not trying to hide from humans. It is hiding from the automated inspection pipeline.
If your organization has a cloud-hosted sandboxing layer for email link inspection, and most large organizations do, this technique defeats it. The same applies to any URL-detonation system operating from a fixed commercial IP range.
What detection actually looks like
Cloud sandbox evasion by geofencing is detectable, but not by the sandbox itself.
Multi-region detonation is the most direct fix: some enterprise email security vendors route URL detonation through geographically diverse IP ranges, including country-specific egress. If your vendor does not advertise this, ask whether they support it.
PDF link extraction with separate resolution is another approach: extract all links from received PDFs and resolve them from multiple origins. A URL that serves different content depending on the requester's country is a detection signal worth alerting on.
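The multi-origin resolution described above, and the serve-by-country behaviour described in the attack chain, as an added example (not code from this post or from any vendor product). It extracts the /URI targets from a PDF, fetches each one from several egress labels, and rates the URL on how much the served content changes between origins. The sample PDF, the `example.invalid` URLs, the origin labels, the proxy map and the stand-in `constructed_fetcher` are all constructed; `http_fetch_via_proxies` is the real fetcher and assumes you run one HTTP proxy per region.

```python
"""Added example, not code from the post or from any vendor: extract link targets
from a PDF attachment, resolve each from several egress origins, and flag URLs
whose served content differs by origin. Sample PDF, origins and fetchers are constructed."""
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
# Constructed minimal PDF with two /URI link annotations (no real lure content).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (https://files.example.invalid/invoice\\(1\\).pdf) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.invalid/contact) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Uncompressed /URI literal strings with backslash escapes; compressed object streams need a real parser (e.g. pypdf).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_pdf_links(pdf_bytes: bytes) -> List[str]:
    """Unique /URI targets in document order, PDF string escapes removed."""
    links: List[str] = []
    for m in URI_RE.finditer(pdf_bytes):
        url = re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
        if url not in links:
            links.append(url)
    return links

@dataclass(frozen=True)
class Observation:
    origin: str       # egress label, e.g. "cloud-us" or "ua-residential"
    status: int
    body_sha256: str
    kind: str         # "document", "archive", "script" or "other"

Fetcher = Callable[[str, str], Tuple[int, str, bytes]]  # (origin, url) -> (status, Content-Type, body)

def classify_body(content_type: str, body: bytes) -> str:
    """Coarse type: magic bytes first, declared Content-Type second."""
    if body.startswith((b"Rar!\x1a\x07", b"PK\x03\x04", b"7z\xbc\xaf\x27\x1c")):
        return "archive"
    if body.startswith(b"%PDF"):
        return "document"
    ct = content_type.split(";")[0].strip().lower()
    if any(t in ct for t in ("rar", "zip", "7z", "compressed")):
        return "archive"
    if "javascript" in ct or "ecmascript" in ct:
        return "script"
    return "document" if ct in ("application/pdf", "text/html", "text/plain") else "other"

def resolve_from_origins(url: str, origins: List[str], fetch: Fetcher) -> List[Observation]:
    obs = []
    for origin in origins:
        status, content_type, body = fetch(origin, url)
        obs.append(Observation(origin, status, hashlib.sha256(body).hexdigest(),
                               classify_body(content_type, body)))
    return obs

def assess(observations: List[Observation]) -> Dict[str, object]:
    """'high' when origins disagree on coarse kind (document for one egress, archive or script
    for another); 'medium' when only status or body differ, which dynamic pages also produce."""
    reasons: List[str] = []
    kinds = {o.kind for o in observations}
    if len(kinds) > 1:
        reasons.append("kind differs: " + ", ".join(f"{o.origin}={o.kind}" for o in observations))
    if len({o.status for o in observations}) > 1:
        reasons.append("status differs: " + ", ".join(f"{o.origin}={o.status}" for o in observations))
    if len({o.body_sha256 for o in observations if o.status == 200}) > 1:
        reasons.append("body hash differs between 200 responses")
    severity = "high" if len(kinds) > 1 else "medium" if reasons else "none"
    return {"severity": severity, "reasons": reasons}

def scan_pdf(pdf_bytes: bytes, origins: List[str], fetch: Fetcher) -> Dict[str, Dict[str, object]]:
    return {url: assess(resolve_from_origins(url, origins, fetch)) for url in extract_pdf_links(pdf_bytes)}

def http_fetch_via_proxies(proxies: Dict[str, str]) -> Fetcher:
    """Real fetcher: origin label -> assumed per-region proxy URL. Reads bytes only; run it from the detonation network."""
    def fetch(origin: str, url: str) -> Tuple[int, str, bytes]:
        handler = urllib.request.ProxyHandler({"http": proxies[origin], "https": proxies[origin]})
        try:
            with urllib.request.build_opener(handler).open(url, timeout=20) as resp:
                return resp.status, resp.headers.get("Content-Type", ""), resp.read(5_000_000)
        except urllib.error.HTTPError as e:
            return e.code, e.headers.get("Content-Type", ""), b""
    return fetch

def constructed_fetcher(origin: str, url: str) -> Tuple[int, str, bytes]:
    """Stand-in for the network: the invoice link is an archive only for the Ukrainian egress; contact page is identical everywhere."""
    if url.endswith("invoice(1).pdf"):
        if origin == "ua-residential":
            return 200, "application/octet-stream", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
        return 200, "application/pdf", b"%PDF-1.4\n% clean decoy\n%%EOF\n"
    return 200, "text/html; charset=utf-8", b"<html><body>Contact us</body></html>"

ORIGINS = ["cloud-us", "cloud-eu", "ua-residential"]
```

Run `scan_pdf(SAMPLE_PDF, ORIGINS, constructed_fetcher)` to see the invoice link rated `high` (a PDF for the cloud origins, a RAR for the Ukrainian one) and the contact page rated `none`; swap in `http_fetch_via_proxies({...})` with your own regional proxies for live use. The severity split matters in practice: a bare body-hash difference is noisy because many sites vary per request, but a change in coarse kind between origins is exactly what a geofenced drop looks like and is worth an alert on its own.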
PicassoLoader and JavaScript dropper IOCs from documented CERT-UA and vendor disclosures should be in your EDR coverage. Email header analysis will show these lure emails originating from compromised government accounts, so SPF and DKIM pass; the originating country and the sender domain's age are the signals that actually matter.
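The header analysis just described, as an added example that is not part of the post: it pulls the first external relay IP out of the Received chain, reads the SPF/DKIM results, and reports originating country and sender-domain age as flags instead of treating an authentication pass as a clean verdict. The message, the TEST-NET addresses, the `.invalid` domains, the reserved country code `ZZ`, the registration date and the `today` value are all constructed; the GeoIP and RDAP/WHOIS lookups are assumed to be supplied as the two callables, and the `INTERNAL` ranges are a default you extend with your own relay addresses.

```python
"""Added example, not from the post: derive originating country and sender-domain age
from message headers and flag them beside the SPF/DKIM result. The message, the
IP-to-country table and the registration dates are constructed; a real deployment
supplies a GeoIP lookup and an RDAP/WHOIS lookup through the same two callables."""
import ipaddress
import re
from datetime import date
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional, Set

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# Hops to skip when looking for the first external relay; add your own relay ranges in production.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def originating_ip(msg: Message) -> Optional[str]:
    """Earliest non-internal IP in the Received chain (the bottom header is the first hop)."""
    for received in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(received):
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
                return ip
    return None

def auth_results(msg: Message) -> Dict[str, str]:
    """Mechanism -> result from every Authentication-Results header."""
    out: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(hdr):
            out[mech.lower()] = result.lower()
    return out

def sender_signals(raw: str, country_of: Callable[[str], str],
                   registered_on: Callable[[str], Optional[date]],
                   expected_countries: Set[str], today: date) -> Dict[str, object]:
    """The signals a triage analyst wants next to the SPF/DKIM verdict."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ip = originating_ip(msg)
    country = country_of(ip) if ip else None
    reg = registered_on(domain)
    age_days = (today - reg).days if reg else None
    auth = auth_results(msg)
    flags: List[str] = []
    if country and country not in expected_countries:
        flags.append(f"first external hop {ip} geolocates to {country}, expected {sorted(expected_countries)}")
    if age_days is not None and age_days < 90:
        flags.append(f"sender domain {domain} registered {age_days} days ago")
    if flags and auth.get("spf") == "pass" and auth.get("dkim") == "pass":
        flags.append("SPF and DKIM pass despite the above: consistent with a compromised legitimate account")
    return {"domain": domain, "ip": ip, "country": country, "age_days": age_days, "auth": auth, "flags": flags}

# Constructed sample: one internal hop, then the first external relay. TEST-NET addresses,
# .invalid domains and the user-assigned country code "ZZ" are placeholders, not real data.
SAMPLE_EMAIL = """\
Received: from inbound.corp.invalid ([10.20.30.40]) by mailstore.corp.invalid; Tue, 10 Mar 2026 09:00:00 +0000
Received: from mail.agency-example.invalid ([198.51.100.7]) by inbound.corp.invalid; Tue, 10 Mar 2026 08:59:58 +0000
Authentication-Results: inbound.corp.invalid; spf=pass smtp.mailfrom=agency-example.invalid; dkim=pass header.d=agency-example.invalid
From: "Technical Support" <support@agency-example.invalid>
Subject: Updated service terms
Content-Type: text/plain

See attached.
"""
COUNTRY_TABLE = {"198.51.100.7": "ZZ"}                          # constructed GeoIP stand-in
REGISTRATION_TABLE = {"agency-example.invalid": date(2026, 2, 20)}  # constructed RDAP stand-in

def demo() -> Dict[str, object]:
    return sender_signals(SAMPLE_EMAIL, lambda ip: COUNTRY_TABLE.get(ip, "??"),
                          REGISTRATION_TABLE.get, {"UA"}, today=date(2026, 3, 10))
```

`demo()` returns three flags for the constructed message: an unexpected originating country, an 18-day-old sender domain, and a note that SPF and DKIM still pass, which is the point of the post's observation. The internal hop is skipped so that your own inbound gateway never counts as the origin; the same reversed walk over `Received` headers works for real mail as long as `INTERNAL` covers every relay you operate.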
The broader context
Geofencing is now baseline APT tradecraft for payload delivery. APT28 used similar geographic filtering in documented campaigns. The Ghostwriter campaign is not technically novel. What it does is confirm that this technique is deployed at operational scale by mid-tier nation-state operators, not just top-tier ones.
Any organization that relies on a single-origin cloud sandbox as its primary URL detonation defense has a gap. This campaign makes that gap explicit.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to talk through detection architecture for geofenced delivery.