GhostShell Malware Uses mTLS Implant and Telegram Dead-Drop to Target Ukrainian Drone Operations

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly identified malware cluster known as GhostShell has been found actively targeting Ukraine’s drone operations and its broader defense supply chain.

The campaign uses a sophisticated combination of techniques, including a mutual TLS implant and a Telegram-based dead-drop resolver, to quietly establish persistence inside targeted networks.

The threat actor behind this operation has been active since at least February 2026 and its methods suggest a deliberate focus on organizations connected to Ukrainian UAV technology.

The malware arrives in a booby-trapped archive named Besomar_documentation.rar, which exploits two WinRAR path-traversal vulnerabilities, CVE-2025-8088 and CVE-2025-6218, to write files outside the directory the user chose for extraction.

When the archive is extracted with a vulnerable version of the archiver, it silently plants a VBS script (MicrosoftUpdate-1.302.1609.vbs in the IoC list) in the user's Startup folder, so the malware runs at every logon.
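Both CVEs are path-traversal bugs, so the cheap preventive control is to list an archive's entry names before extracting and refuse any name that would escape the target directory. The Go program below is an added example written for this article, not code from Synaptic Security or from the malware. It takes entry names as an archive listing tool would print them (the listing here is constructed for the example, not the real archive's contents) and flags the three escape routes: absolute paths, Windows alternate-data-stream names of the kind reported for CVE-2025-8088, and dot-dot traversal, plus well-formed relative paths that aim at the Startup folder.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed listing for this example (not the contents of the real
// Besomar_documentation.rar): names as an archive listing tool would print
// them, with entries built to exercise each escape route.
var sampleEntries = []string{
	`Про компанію.pdf`,
	`Комплектація БпЛА Besomar.pdf`,
	`docs\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.vbs`,
	`readme.txt:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs`,
	`C:\Users\Public\run.vbs`,
	`AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.vbs`,
}

// EntryEscapes reports whether an archive entry name would be written
// outside the chosen extraction directory (or into a Windows alternate data
// stream) by an extractor that trusts the name literally, and why.
func EntryEscapes(name string) (bool, string) {
	n := strings.ReplaceAll(name, `\`, "/") // treat both separator styles alike
	if strings.HasPrefix(n, "/") || (len(n) > 1 && n[1] == ':' && isLetter(n[0])) {
		return true, "absolute path"
	}
	// "file:stream" names a Windows alternate data stream; a traversal
	// sequence hidden after the colon is the trick reported for CVE-2025-8088.
	if strings.Contains(n, ":") {
		return true, "alternate data stream"
	}
	// Walk the segments with a depth counter; a ".." that takes the depth
	// below zero climbs out of the extraction root.
	depth := 0
	for _, seg := range strings.Split(n, "/") {
		switch seg {
		case "", ".":
		case "..":
			depth--
			if depth < 0 {
				return true, "dot-dot traversal"
			}
		default:
			depth++
		}
	}
	// A well-formed relative path is still dangerous if the user extracts
	// into %USERPROFILE%: flag Startup-folder destinations explicitly.
	if strings.Contains(strings.ToLower(n), "/start menu/programs/startup/") {
		return true, "startup folder destination"
	}
	return false, ""
}

func isLetter(b byte) bool { return (b|0x20) >= 'a' && (b|0x20) <= 'z' }

func main() {
	for _, e := range sampleEntries {
		if bad, why := EntryEscapes(e); bad {
			fmt.Printf("BLOCK  %-27s %s\n", why, e)
		} else {
			fmt.Printf("ok     %-27s %s\n", "", e)
		}
	}
}
```

The check is archiver-agnostic: feed it the names from whatever listing tool you trust, and extract only when every entry passes. A patched archiver already refuses these names, so a BLOCK verdict on a mail attachment is also a useful lure indicator in its own right.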

The archive also carries a set of decoy PDF files designed to impersonate Besomar, a Ukrainian company known for building high-precision fixed-wing drones used in defense applications.

Decoy PDFs (Source – Synaptic Security)

Researchers at Synaptic Security, who published a detailed report shared with Cyber Security News (CSN), tracked the cluster and named it GhostShell, assigning it the identifier MB-0009.

The decoy documents were tailored to cover military units, technical staff, procurement personnel, and volunteer organizations inside Ukraine’s drone ecosystem.

This broad targeting pattern strongly suggests the actor is interested not just in individual operators, but in the full supply chain supporting UAV deployments.

The malware delivers three distinct payloads after the initial script runs, each taking a different path to reach back to the attacker.

One payload establishes a persistent implant, another uses a Telegram channel as a live resolver to retrieve the attacker’s server address, and a third tunnels stolen data through an encrypted proxy.

The use of separate communication channels makes it harder for defenders to cut off all access at once, pointing to a carefully planned operation.

The first payload, named 122.exe, is a Stage-1 loader: it XOR-decrypts a Stage-2 implant carried as an overlay appended to its own executable and runs it directly in memory, so the decrypted implant never touches disk.

Malware URL (Source – Synaptic Security)

The implant beacons to the command server over HTTPS (the IoC list gives https://cdnexpress[.]cc/analytics as the endpoint) and authenticates with a client certificate issued by a private authority labelled “GhostShell Implant CA.”

Because the server requires mutual TLS, it completes a handshake only with a client that presents a certificate chaining to that CA; scanners, sandboxes and researchers probing the domain get a rejected handshake and nothing else. The gate is not absolute, however: the client private key ships inside the implant (client.key.pem and the config.pfx container in the IoC list), so anyone with a sample can extract it and talk to the server exactly as the implant would.

The second payload, update.exe, masquerades as the Windows Security Health Service and uses the Telegram channel t.me/flufff6262 as a dead-drop resolver.

It fetches an encoded value from that channel, decodes it to obtain the attacker’s live server address, and then injects a Metasploit shellcode stager that connects back to that address over HTTPS. Because the address lives in a Telegram post rather than in the binary, the actor can rotate the destination without rebuilding or redeploying anything. The defender’s corollary is that blocking a single C2 address does not cut off this channel, while the Telegram URL itself is the stable indicator.
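A worked example of the dead-drop pattern described above, added here for this article and not taken from the report or from the malware: the operator side encodes the live address and posts it, and the implant side (or a hunter polling the channel) extracts and decodes the newest value. The encoding (plain base64 of host:port), the post texts and the addresses are all constructed assumptions for the example; the report does not say how the real value is encoded.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// encodeDrop is the operator side: the live C2 address is encoded and posted
// to the channel. Plain base64 of "host:port" is an assumption made for this
// example; the report does not state the real encoding.
func encodeDrop(hostPort string) string {
	return base64.StdEncoding.EncodeToString([]byte(hostPort))
}

// base64-looking runs of at least 8 characters, with optional padding.
var b64Token = regexp.MustCompile(`[A-Za-z0-9+/]{8,}={0,2}`)

// resolveDrop is the implant side, and serves a hunter equally well: scan the
// channel's post texts (oldest first), decode every base64-looking token and
// return the most recent one that decodes to a plausible host:port.
func resolveDrop(posts []string) (string, bool) {
	live := ""
	for _, post := range posts {
		for _, tok := range b64Token.FindAllString(post, -1) {
			raw, err := base64.StdEncoding.DecodeString(tok)
			if err != nil {
				continue // ordinary words match the regex but are not valid base64
			}
			if hp := string(raw); looksLikeHostPort(hp) {
				live = hp // a newer post overrides an older one: this is the rotation
			}
		}
	}
	return live, live != ""
}

// looksLikeHostPort filters decoded garbage: a real address is an IP or a
// DNS-safe hostname followed by a port in 1..65535.
func looksLikeHostPort(s string) bool {
	host, port, err := net.SplitHostPort(s)
	if err != nil || host == "" {
		return false
	}
	if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
		return false
	}
	if net.ParseIP(host) != nil {
		return true
	}
	for _, r := range host {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '.', r == '-':
		default:
			return false
		}
	}
	return true
}

func main() {
	// Constructed channel history: chatter, a first address, then a rotation.
	posts := []string{
		"channel created",
		"upd " + encodeDrop("10.0.0.5:443"),
		encodeDrop("192.168.100.7:8443") + " ok",
	}
	c2, ok := resolveDrop(posts)
	fmt.Println(c2, ok) // 192.168.100.7:8443 true

	// Hunting use: poll the channel and alert when the decoded value changes.
	previous := "10.0.0.5:443"
	if ok && c2 != previous {
		fmt.Println("C2 rotated:", previous, "->", c2)
	}
}
```

Pointing the resolver at a saved copy of the channel on a schedule and diffing against the last value gives a rotation alert and a fresh address to block before the next wave of implants picks it up; the Telegram URL itself stays constant and belongs on the blocklist regardless.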

The third component, 22.exe, is a Go-based launcher with an Xray-core tunnelling client embedded in it. It brings up an encrypted VLESS tunnel to the endpoint listed in the IoCs and delivers Vidar v2, a known infostealer, entirely in memory.

Vidar can harvest browser passwords, cookies, cryptocurrency wallet data, messaging app files, and screenshots, sending everything out through the encrypted tunnel in a way that is difficult to detect on the network.

Attack Chain and Defense Recommendations

The full attack chain starts with the malicious RAR archive, which abuses the two known path-traversal vulnerabilities to plant a startup script; the victim does nothing beyond extracting the archive with a vulnerable version of the archiver.

IIM View in KRAKEN (Source – Synaptic Security)

The script then downloads the three payloads from a delivery domain registered in February 2026. The delivery domain and the payloads' command infrastructure are spread across different registrars and hosting providers, a deliberate choice to avoid a single point of disruption.

Organizations working within or alongside Ukraine’s defense sector should treat unexpected compressed archives with caution, especially those referencing drone hardware or procurement materials.

Blocking access to newly registered domains at the network perimeter can reduce exposure to this type of staged delivery.

Security teams should also look for client certificates whose issuer is “GhostShell Implant CA”. The issuer is hardcoded in the actor’s C2 builder, so it is the primary pivot across samples from this cluster, though nothing stops the actor from changing it in a future build. Note where the string is visible: in TLS 1.2 the client’s Certificate message travels in the clear and a passive sensor can log it, but in TLS 1.3 it is sent encrypted, so the check has to run on decrypted traffic, on endpoint telemetry, or on certificate material carved from samples (the client.cert.pem and config.pfx entries in the IoCs below).
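The Go program below, added as an example for this article (it is not the implant's code or Synaptic Security's tooling), shows both halves of the point: the server gate described earlier, which rejects any client without a certificate chaining to the private CA, and the issuer check used as the detection anchor. It builds a throwaway PKI in memory that mirrors the reported layout (issuer CN "GhostShell Implant CA" and the per-implant subject CN from the IoC table); the server name c2.example is hypothetical, and the private CA is also used to issue the server certificate so the whole chain is self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerAnchor is the issuer CN the report names as the cluster pivot;
// IsGhostShellIssuer is the detection check for a client certificate taken
// from a TLS 1.2 handshake, a break-and-inspect log or a carved config.pfx.
const issuerAnchor = "GhostShell Implant CA"

func IsGhostShellIssuer(c *x509.Certificate) bool { return c.Issuer.CommonName == issuerAnchor }

// template returns a minimal one-day certificate template for cn.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
}

// mkCert signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns it ready for tls.Config, in parsed form, and with its private key.
func mkCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // throwaway PKI: fail loudly
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// Demo builds a throwaway PKI shaped like the reported one (private CA, one
// client cert per implant), runs an mTLS listener and reports whether the
// implant cert was accepted, a bare client refused, and the issuer flagged.
func Demo() (accepted, refused, flagged bool, err error) {
	caTmpl := template(issuerAnchor, 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	_, caCert, caKey := mkCert(caTmpl, nil, nil)
	cliTLS, _, _ := mkCert(template("ed6e62814295701f", 2), caCert, caKey) // subject CN from the IoC table
	srvTmpl := template("c2.example", 3) // hypothetical server identity
	srvTmpl.DNSNames = []string{"c2.example"}
	srvTLS, _, _ := mkCert(srvTmpl, caCert, caKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srvTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS gate
		ClientCAs:    pool(caCert),
	})
	if err != nil {
		return
	}
	defer ln.Close()
	peers := make(chan *x509.Certificate, 1)
	go func() {
		for {
			c, e := ln.Accept()
			if e != nil {
				return
			}
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // only succeeds with a cert chaining to ClientCAs
				peers <- tc.ConnectionState().PeerCertificates[0]
				tc.Write([]byte("ok\n"))
			}
			tc.Close()
		}
	}()
	dial := func(certs []tls.Certificate) error {
		c, e := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool(caCert), ServerName: "c2.example", Certificates: certs})
		if e == nil {
			defer c.Close()
			_, e = c.Read(make([]byte, 3)) // under TLS 1.3 the server's refusal surfaces here
		}
		return e
	}
	accepted = dial([]tls.Certificate{cliTLS}) == nil
	refused = dial(nil) != nil
	if accepted {
		flagged = IsGhostShellIssuer(<-peers)
	}
	return
}

func main() { fmt.Println(Demo()) } // true true true <nil>
```

Run stand-alone it prints true true true <nil>: the implant-style client is accepted, the bare client is refused at the handshake, and the issuer check fires on the certificate the server saw. The same IsGhostShellIssuer check can be pointed at certificates parsed from a TLS 1.2 capture or from a client.cert.pem carved out of a sample; under TLS 1.3 the server only ever sees that certificate after the handshake is encrypted, which is the visibility caveat from the paragraph above.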

Indicators of Compromise (IoCs):

Type | Indicator | Description
SHA-256 | 28f58061348a1c54fa6e7ff6618630259618d4afdf78514d5fccfc993797cdff | Besomar_documentation.rar – initial delivery archive
SHA-256 | ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3 | 122.exe – XOR-overlay loader (Stage-1)
SHA-256 | 8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25 | 22.exe – Go-based Xray/Vidar v2 launcher
SHA-256 | b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012 | update.exe – in-memory HTTPS stager
SHA-256 | 423c98b9a8ad09bbb0aa24e86c23095ef6a26e30b3db07358927929d2fb2ecb3 | client.key.pem – implant private key
SHA-256 | 1d6f3e8583ce84b892097a03b0d4525850f8d3c59dea56482f17e5c44422dc89 | client.cert.pem – mTLS client certificate
SHA-256 | c91874dc34e991e614060d6f16da7d4680e5eb7d36fba489644863f4c6c8cf66 | config.pfx – PKCS#12 container extracted from implant
SHA-256 | c83272741d42a7aa738fbad85e21d0565e50cbf3b72f32b835c225965b3cc207 | 122_stage2_unpacked.bin – unpacked Stage-2 implant binary
SHA-256 | cff6007dbb9826d0a08865f47a71b31e90c5067c637ac863e360315da984f107 | MicrosoftUpdate-1.302.1609.vbs – Startup persistence script
SHA-256 | a938b7291dbdcdcadb67d560b94bfee366e7f97f06d6f666b25e298c442d8542 | БпЛА Besomar 3210.pdf – decoy drone product document
SHA-256 | c5c458a7b1bdfa3cbffdbcd0791912ff19267ad2808a5266a9975b22a53e73e0 | Зарядна станція.pdf – decoy charging station document
SHA-256 | e4d377b339f96c69c3001b854b22decae41883bd31f2f5a8c20f57d931ae0b44 | Катапульта.pdf – decoy catapult document
SHA-256 | 59842745dafd1537c3e2187f82fae7791e646a74251fe20d6c8ebaadf5720880 | Комплектація БпЛА Besomar.pdf – decoy UAV configuration document
SHA-256 | 54218a8f2d1acc5d1beb576b970bb5333a4b78b05493754d2d1457ebf22a0ac1 | Модифікація Besomar 3210-N.pdf – decoy modification document
SHA-256 | 3ec6c91d68b416381ac9f6310a9e011f4060369c63416021864a6d5b91e97dc4 | Переваги співпраці.pdf – decoy collaboration benefits document
SHA-256 | a8dfa5a35f30c1789ce08b7e16660423bb1545fc8ec7411d24cfd41d1439bb45 | Про компанію.pdf – decoy "about the company" document
Domain | cloudaxis[.]cc | Stage-1 payload delivery domain (registered February 2026)
Domain | cdnexpress[.]cc | Stage-2 mTLS C2 domain
IP Address | 154.58.204[.]149 | cloudaxis[.]cc hosting IP (Madrid/Cogent, AS214036 Ultahost)
IP Address | 5.252.177[.]88 | cdnexpress[.]cc C2 IP (MivoCloud, AS39798)
IP Address | 5.181.156[.]168 | Xray VLESS tunnel endpoint, port 25475 (MivoCloud, AS39798)
IP Address | 86.54.25[.]2 | Runtime Metasploit C2 IP resolved via Telegram dead-drop
URL | https://cloudaxis[.]cc/gsmft/yueu/fkvqld/tvqqwh/ushu/122.exe | Download URL for 122.exe loader
URL | https://cloudaxis[.]cc/gsmft/yueu/fkvqld/tvqqwh/ushu/22.exe | Download URL for 22.exe launcher
URL | https://cloudaxis[.]cc/gsmft/yueu/fkvqld/tvqqwh/ushu/update.exe | Download URL for update.exe stager
URL | https://cdnexpress[.]cc/analytics | Stage-2 implant C2 beacon endpoint
URL | https://t[.]me/flufff6262 | Telegram dead-drop channel used to resolve live C2 address
File Name | Besomar_documentation.rar | Initial lure archive exploiting CVE-2025-8088/CVE-2025-6218
File Name | 122.exe | Stage-1 XOR-overlay loader
File Name | update.exe | In-memory HTTPS stager masquerading as Windows Security Health Service
File Name | 22.exe | Go-based Xray-Core launcher delivering Vidar v2
File Name | MicrosoftUpdate-1.302.1609.vbs | Startup persistence VBS script
Certificate Issuer | CN=GhostShell Implant CA | Self-named private CA issuer hardcoded in the C2 builder – primary cluster pivot
Certificate Subject | CN=ed6e62814295701f | Per-implant identifier embedded in the mTLS client certificate

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
