Socprime
GhostShell Malware Targets Ukraine's UAV and Defense Supply Chain
The GhostShell malware cluster is actively targeting Ukraine's UAV operations and defense supply chain. Using techniques such as mTLS-authenticated implants and Telegram-based loaders, the attackers gain initial access through decoy documents impersonating a Ukrainian drone company. The campaign employs a multi-stage intrusion chain involving VBS scripts and custom malware such as 122.exe. The operation has been linked to Vidar infostealer activity within the same infrastructure. Security teams are advised to enforce strict mTLS certificate validation and to monitor for unauthorized client certificate use. Immediate isolation of affected systems and memory forensics are recommended to identify in-memory implants. Organizations should also review network logs for traffic to the domains associated with the attack.
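One way to act on the advice to monitor for unauthorized client certificate use, as an added example that is not part of the SOC Prime cluster page: the script below checks mTLS sessions from constructed TLS session records against an allowlist of approved client-certificate fingerprints (bound to the host expected to present each one) and a trusted internal issuer. The log field names, fingerprints, hosts and CA name are all assumptions invented for the example.

```python
import json
from dataclasses import dataclass

# Constructed placeholders: SHA-256 fingerprints of approved client certificates,
# each bound to the host that is expected to present it.
FP_A, FP_B, FP_X = "aa11" * 16, "bb22" * 16, "cc33" * 16
APPROVED_CLIENT_CERTS = {FP_A: "10.0.0.5", FP_B: "10.0.0.7"}
TRUSTED_ISSUER = "CN=Corp Device CA"  # constructed internal device CA subject

# Constructed TLS session records, one JSON object per line. Field names are an
# assumption loosely modelled on Zeek's ssl.log, not taken from the page.
SAMPLE_LOG = "\n".join([
    f'{{"src": "10.0.0.5", "dst": "10.0.1.20", "client_cert_fp": "{FP_A}", "client_cert_issuer": "{TRUSTED_ISSUER}"}}',
    '{"src": "10.0.0.6", "dst": "10.0.1.20", "client_cert_fp": null, "client_cert_issuer": null}',
    f'{{"src": "10.0.0.9", "dst": "203.0.113.7", "client_cert_fp": "{FP_X}", "client_cert_issuer": "CN=unknown-ca (constructed)"}}',
    f'{{"src": "10.0.0.12", "dst": "10.0.1.20", "client_cert_fp": "{FP_A}", "client_cert_issuer": "{TRUSTED_ISSUER}"}}',
])

@dataclass
class Finding:
    src: str
    dst: str
    reasons: list

def check_session(rec: dict) -> list:
    """Return the reasons a session's client certificate looks unauthorized (empty if fine)."""
    fp = (rec.get("client_cert_fp") or "").lower()
    if not fp:
        return []  # plain TLS without a client certificate: out of scope for this check
    reasons = []
    expected_host = APPROVED_CLIENT_CERTS.get(fp)
    if expected_host is None:
        reasons.append("client certificate fingerprint not in allowlist")
    elif expected_host != rec.get("src"):
        # An approved certificate turning up on another host suggests key theft or reuse.
        reasons.append(f"approved certificate presented from {rec.get('src')} instead of {expected_host}")
    if rec.get("client_cert_issuer") != TRUSTED_ISSUER:
        reasons.append("client certificate not issued by the internal device CA")
    return reasons

def find_unauthorized(log_text: str) -> list:
    """Parse newline-delimited JSON session records and collect the flagged sessions."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = check_session(rec)
        if reasons:
            findings.append(Finding(rec["src"], rec["dst"], reasons))
    return findings

if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {'; '.join(f.reasons)}")
```

The flagged sessions are the external mTLS connection with an unknown certificate and CA, and the approved certificate reused from a different host; the session without a client certificate is deliberately left to other controls.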
Key Points:
- GhostShell targets Ukraine's UAV and defense supply chain using advanced malware.
- Attack methods include mTLS implants and Telegram-based loaders for persistence.
- Immediate isolation and forensic analysis of affected systems are critical for mitigation.