GhostShell Malware Targets Ukrainian Drone Operations With mTLS Implant and Telegram Dead-Drop
A new malware cluster called GhostShell is targeting Ukraine’s drone operations and defense supply chain with a highly tailored attack chain built around malicious RAR archives, decoy UAV documents, encrypted command channels, and credential theft.
The campaign was detailed in a Synaptic Security report, which tracks the activity as GhostShell, or MB-0009. The researcher behind the analysis says the cluster has been active since at least February 2026 and does not clearly match any previously catalogued threat actor label for activity targeting Ukraine.
The attack starts with an archive named Besomar_documentation.rar. According to the analysis, the archive abuses CVE-2025-8088 and CVE-2025-6218, two WinRAR path traversal flaws that let a crafted archive write files outside the folder the user chose for extraction, including into locations such as the Windows Startup folder.
GhostShell uses drone-themed lures aimed at Ukraine’s UAV ecosystem
The lure is designed to look relevant to people working with Ukrainian drone systems. The archive contains decoy PDF files impersonating Besomar, a Ukrainian company associated with fixed-wing drones for defense and security use.
The decoy files cover topics such as UAV models, charging stations, catapults, configuration details, product modifications, company information, and cooperation benefits. That mix points to a campaign aimed not only at drone operators, but also at procurement staff, technicians, volunteers, and defense-sector partners.
This targeting matters because Ukraine’s drone supply chain has become a major part of the country’s battlefield capability. A campaign that reaches suppliers, volunteer groups, or support teams can expose logistics, procurement plans, credentials, internal documents, and operational communications.
| Attack stage | What GhostShell does | Why it matters |
|---|---|---|
| Initial lure | Uses Besomar-themed RAR archive and decoy PDFs | Makes the file look relevant to Ukrainian drone work |
| Persistence | Drops a VBS script into the Windows Startup folder | Runs the malware again when the user logs in |
| Command access | Uses mTLS and a Telegram dead-drop resolver | Makes blocking and tracking harder for defenders |
| Data theft | Delivers Vidar v2 through an encrypted proxy chain | Can steal browser data, cookies, wallets, app files, and screenshots |
The malware splits activity across three payloads
After execution, the Startup script retrieves multiple payloads from attacker-controlled infrastructure. The first payload, 122.exe, works as a loader. It decrypts a second-stage implant stored in its overlay (data appended past the end of the PE image) and runs it directly in memory, reducing the number of obvious files defenders can inspect on disk.
The implant communicates over HTTPS and uses mutual TLS authentication. In simple terms, the server expects the implant to present a valid client certificate before it responds, so a scanner or sandbox that connects without that certificate gets nothing back from the C2 server. The certificate issuer string, GhostShell Implant CA, gives defenders a valuable hunting clue because any client certificate the implant presents must chain to that issuer, and that issuer appears tied to the actor's implant infrastructure.
The second payload, update.exe, poses as the Windows Security Health Service. It fetches a value from a Telegram channel, decodes it, and uses it to resolve a live command server. This dead-drop technique lets the attacker rotate infrastructure without changing the original malware payload.
- 122.exe loads the mTLS-backed Stage-2 implant in memory.
- update.exe acts as an in-memory HTTPS stager using a Telegram dead-drop.
- 22.exe launches a Go-based Xray/VLESS tunnel and delivers Vidar v2.
- The malware uses separate communication paths to reduce the chance that one blocklist entry stops the whole campaign.
The third payload, 22.exe, is a Go-based launcher that uses an embedded Xray Core client as a covert transport layer. The GhostShell analysis says the final payload was identified with high confidence as Vidar v2, an infostealer known for collecting browser passwords, cookies, browser history, cryptocurrency wallet data, messaging app artifacts, FileZilla configurations, Outlook data, system information, screenshots, and files defined by the attacker’s configuration.
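The dead-drop resolver described above is easy to reason about once written out. The following is an added example, not GhostShell's code and not from the Synaptic Security report: it emulates a resolver that reads a Telegram channel preview page, decodes each post, and keeps the newest post that yields a usable command server. The page markup, the base64-of-an-https-URL encoding, the newest-first ordering and the .invalid host names are all assumptions made for the example; the actual encoding GhostShell uses is not described on this page. The sample page is constructed in the code itself, so the example runs offline.

```python
"""Emulate a Telegram dead-drop resolver (added example, not malware code)."""
import base64
import binascii
import re
from html import unescape
from urllib.parse import urlsplit


def build_sample_page(messages):
    """Wrap message texts in markup shaped like a t.me/s/<channel> preview page.
    Constructed for this example; the real page carries far more markup."""
    body = "\n".join(
        f'<div class="tgme_widget_message_text js-message_text" dir="auto">{m}</div>'
        for m in messages
    )
    return f"<html><body>{body}</body></html>"


def enc(text):
    """Base64-encode a post body (assumed encoding, see lead-in)."""
    return base64.b64encode(text.encode()).decode()


# Invented command servers on the reserved .invalid TLD.
OLD_C2 = "https://relay-a.example.invalid:8443"
NEW_C2 = "https://relay-b.example.invalid:443"

# Constructed channel history: noise, a first value, junk, then a rotated value.
SAMPLE_PAGE = build_sample_page([
    "channel created",          # human text, not base64
    enc(OLD_C2),                # first resolver value posted
    enc("not a url at all"),    # decodes, but is not a usable C2
    enc(NEW_C2) + "<br/>",      # latest value, with preview markup around it
])

MESSAGE_RE = re.compile(
    r'<div class="tgme_widget_message_text[^"]*"[^>]*>(.*?)</div>', re.S)
TAG_RE = re.compile(r"<[^>]+>")


def extract_messages(page):
    """Return the plain text of every message on the page, oldest first."""
    out = []
    for raw in MESSAGE_RE.findall(page):
        text = unescape(TAG_RE.sub("", raw)).strip()
        if text:
            out.append(text)
    return out


def decode_c2(text):
    """Base64-decode one message and accept it only if it is an https:// URL
    with a hostname and no path. Everything else is treated as channel noise."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
        parts = urlsplit(decoded)
        host = parts.hostname
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if parts.scheme != "https" or not host or parts.path not in ("", "/"):
        return None
    return decoded


def resolve_c2(page):
    """Walk messages newest-first and return the first usable C2 URL.
    Rotating infrastructure only requires a new post; the resolver is unchanged."""
    for text in reversed(extract_messages(page)):
        c2 = decode_c2(text)
        if c2:
            return c2
    return None


if __name__ == "__main__":
    print("resolved C2:", resolve_c2(SAMPLE_PAGE))
```

The defensive takeaway is the mirror image: a resolver like this only needs to read a public page, so egress to t.me from hosts with no business reason to reach Telegram is the event worth alerting on, and the decoded value is what to feed into DNS and proxy blocklists.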
WinRAR flaws remain useful for targeted intrusion campaigns
The archive delivery method fits a broader pattern seen since 2025. The Google Threat Intelligence Group previously warned that multiple state-linked and financially motivated actors were exploiting WinRAR path traversal behavior to establish initial access and place payloads in the Windows Startup folder.
The risk comes from simple user interaction. A victim does not need to run a traditional installer. Extracting a malicious archive with a vulnerable WinRAR build is enough for the archive to write a payload into a location such as the Startup folder, where Windows will execute it at the next logon.

For GhostShell, that technique gives the actor a practical entry point into organizations that handle drone documentation, supply-chain coordination, logistics, or procurement. The archive format also helps the campaign blend into normal document exchange workflows.
| Indicator type | Indicator | Use for defenders |
|---|---|---|
| Archive name | Besomar_documentation.rar | Search email gateways, downloads, and endpoint telemetry |
| Startup script | MicrosoftUpdate-1.302.1609.vbs | Check Windows Startup folders for suspicious VBS files |
| Certificate issuer | CN=GhostShell Implant CA | Hunt for suspicious mTLS client certificate use |
| Delivery domain | cloudaxis[.]cc | Block and investigate recent connections |
| C2 domain | cdnexpress[.]cc | Review proxy, DNS, and TLS logs |
| Telegram dead-drop | t[.]me/flufff6262 | Detect suspicious access to public resolver channels |
Security teams should focus on patching, archive controls, and certificate hunting
Organizations connected to Ukraine’s defense, drone, logistics, volunteer, or procurement ecosystem should treat unexpected compressed archives as high risk, especially when they arrive with UAV-related documents or urgent procurement language.
WinRAR patching also remains important. NVD describes CVE-2025-8088 as a path traversal flaw that can allow arbitrary code execution through crafted archive files, while the related directory traversal issue, CVE-2025-6218, can likewise let attackers execute code in the context of the current user.

Security teams should look for unusual files in the Windows Startup folder, suspicious use of wscript.exe (the Windows Script Host interpreter that runs .vbs files), unexpected curl activity launched by scripts, newly registered domains in proxy logs, and TLS traffic involving client certificates that do not match normal enterprise patterns.
- Update WinRAR and remove old versions from unmanaged endpoints.
- Block or quarantine unexpected RAR archives from unknown senders.
- Monitor Startup folders for new VBS, LNK, BAT, CMD, and HTA files.
- Hunt for the certificate issuer string GhostShell Implant CA.
- Review Telegram access from sensitive networks where business use is not expected.
- Because WinRAR traversal abuse has been seen since 2025, review older telemetry for the same Startup-folder drop pattern in case earlier intrusion attempts went unnoticed.
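Two of the hunts above can be scripted against data most teams already collect. The following is an added example, not from the report or any vendor: it checks a Startup folder for script-type files and the known persistence script name, and scans Zeek ssl.log records (JSON output) for the GhostShell domains, the GhostShell Implant CA issuer string, and any client certificate from an issuer outside the enterprise's own PKI. The indicators are the ones listed on this page; the log lines, the temporary Startup folder, the sample file names and the allow-listed enterprise issuer are constructed for the example and must be replaced with real values before use.

```python
"""Hunt for GhostShell-style persistence and mTLS indicators (added example)."""
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the GhostShell report as summarised on this page.
IOC_STARTUP_NAME = "MicrosoftUpdate-1.302.1609.vbs"
IOC_CLIENT_ISSUER = "CN=GhostShell Implant CA"
IOC_DOMAINS = {"cloudaxis.cc", "cdnexpress.cc"}

# Script types that should not normally sit in a Startup folder.
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd",
                   ".hta", ".ps1", ".lnk"}

# Assumed allow-list of client-certificate issuers the enterprise itself
# uses (device or VPN certificates). Replace with your real PKI issuers.
KNOWN_CLIENT_ISSUERS = {"CN=Example Corp Device CA,O=Example Corp"}

# Constructed Zeek ssl.log records in JSON format; hosts and IPs are invented.
SAMPLE_SSL_LOG = """
{"ts":1.0,"id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":443,"server_name":"login.example.com","established":true}
{"ts":2.0,"id.orig_h":"10.0.0.6","id.resp_h":"10.1.1.1","id.resp_p":443,"server_name":"vpn.example.com","client_subject":"CN=LAPTOP-01","client_issuer":"CN=Example Corp Device CA,O=Example Corp"}
{"ts":3.0,"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.20","id.resp_p":443,"server_name":"cdnexpress.cc","client_subject":"CN=implant-7f3a","client_issuer":"CN=GhostShell Implant CA"}
{"ts":4.0,"id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.9","id.resp_p":8443,"server_name":"","client_subject":"CN=agent","client_issuer":"CN=Unknown Agent CA"}
"""


def windows_startup_dirs():
    """Per-user and all-users Startup folders on a real Windows host."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"]) /
                    "Microsoft/Windows/Start Menu/Programs/Startup")
    if os.environ.get("ProgramData"):
        dirs.append(Path(os.environ["ProgramData"]) /
                    "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def scan_startup(folder):
    """Return (filename, reason) for each file in the folder worth a look."""
    findings = []
    for p in sorted(Path(folder).iterdir()):
        if not p.is_file():
            continue
        if p.name.lower() == IOC_STARTUP_NAME.lower():
            findings.append((p.name, "known GhostShell persistence script name"))
        elif p.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append((p.name, f"script-type file ({p.suffix}) in Startup"))
    return findings


def scan_zeek_ssl(lines):
    """Flag ssl.log records by SNI, by the implant CA, or by an unknown client cert.
    Returns (orig_h, resp_h, sni, reasons) per flagged record."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        sni = (rec.get("server_name") or "").lower()
        client_issuer = rec.get("client_issuer") or ""
        reasons = []
        if sni in IOC_DOMAINS:
            reasons.append("SNI matches GhostShell domain")
        if client_issuer == IOC_CLIENT_ISSUER:
            reasons.append("client cert issued by GhostShell Implant CA")
        elif client_issuer and client_issuer not in KNOWN_CLIENT_ISSUERS:
            reasons.append("client cert from issuer outside enterprise PKI")
        if reasons:
            hits.append((rec.get("id.orig_h"), rec.get("id.resp_h"), sni, reasons))
    return hits


def demo_startup():
    """Scan a throw-away Startup folder holding constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "desktop.ini").write_text("[.ShellClassInfo]\n")
        (folder / "OneDrive.lnk").write_bytes(b"")
        # Placeholder content only; this is not the real dropped script.
        (folder / IOC_STARTUP_NAME).write_text("' constructed placeholder\n")
        return scan_startup(folder)


if __name__ == "__main__":
    for d in windows_startup_dirs():
        if d.is_dir():
            print(d, scan_startup(d))
    print(demo_startup())
    for hit in scan_zeek_ssl(SAMPLE_SSL_LOG.splitlines()):
        print(hit)
```

The issuer allow-list is the part that needs care: mutual TLS is legitimate in many enterprises, so the signal is not "a client certificate was used" but "a client certificate from an issuer we did not deploy", with the GhostShell Implant CA string as the high-confidence special case.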
GhostShell shows how targeted malware campaigns can combine older patched vulnerabilities with newer infrastructure tricks. The technical details are advanced, but the first line of defense remains familiar: patch exposed software, restrict risky attachments, inspect script-based persistence, and monitor encrypted traffic patterns that do not fit normal business use.
FAQ
What is GhostShell?
GhostShell is a newly reported malware cluster tracked as MB-0009. It targets Ukraine's drone operations and defense supply chain using malicious RAR archives, decoy UAV documents, an mTLS-backed implant, a Telegram dead-drop resolver, and an infostealer payload.
How does the attack start?
The campaign starts with a malicious archive named Besomar_documentation.rar. When opened or extracted on a vulnerable WinRAR installation, the archive can place a VBS script in the Windows Startup folder, allowing malware activity to continue when the user logs in.
How does the Telegram dead-drop work?
GhostShell uses a Telegram channel as a dead-drop resolver. The malware retrieves encoded configuration data from the channel, decodes it, and uses it to find a live command server. This lets the attacker change infrastructure without rebuilding the malware.
What does the final payload steal?
The campaign can deliver Vidar v2, an infostealer capable of collecting browser passwords, cookies, browsing history, autofill data, cryptocurrency wallet data, messaging app artifacts, screenshots, system information, and selected files.
How should organizations respond?
Organizations should update WinRAR, block suspicious compressed archives, inspect Windows Startup folders, monitor script execution, review newly registered domains, and hunt for unusual mTLS client certificates, especially the issuer string GhostShell Implant CA.