GhostShell is a newly identified threat group conducting cyber operations against Ukraine's UAV supply chain since early 2026. The attackers use malicious archives with decoy documents impersonating Besomar, a Ukrainian high-precision interceptor drone manufacturer, to infiltrate defense and procurement networks. The malware chain consists of three payloads: a custom backdoor (122.exe) leveraging mTLS client certificates for screen capture and command execution; an in-memory stager (update.exe) disguised as a Windows Health Service that fetches next-stage payloads via Telegram; and a proxy launcher (22.exe) that tunnels traffic through Xray Core to deploy the Vidar v2 information stealer. The targeting and tactics strongly suggest a Russian cyber operation, though attribution is cautious due to potential indicator forgery. There are no known exploits in the wild or vendor patches available.

The malware chain enables attackers to gain persistent access to targeted defense and procurement networks supporting Ukraine's UAV supply chain. The custom backdoor allows screen capture and command execution, the stager facilitates stealthy payload delivery, and the proxy launcher enables traffic tunneling and deployment of an information stealer (Vidar v2). This compromises sensitive information and operational security of UAV manufacturing and supply processes. The campaign poses a medium severity risk to national defense infrastructure.

No official patches or fixes are currently available for this threat. Organizations involved in Ukraine's UAV supply chain should implement detection and blocking of the identified malware hashes and monitor for the described attack behaviors. Due to the lack of vendor advisories or patches, defensive measures should focus on network segmentation, endpoint detection of the specific payloads, and restricting use of Telegram-based payload delivery channels. Attribution remains uncertain; therefore, mitigation should prioritize containment and monitoring rather than attribution-driven responses.