Belarusian ‘Ghostwriter’ Actor Picks Up BitB for Ukraine-Related Attacks

Ghostwriter is one of 3 campaigns using war-themed attacks, with cyber-fire coming in from government-backed actors in China, Iran, North Korea & Russia.

Ghostwriter – a threat actor previously linked with the Belarusian Ministry of Defense – has glommed onto the recently disclosed, nearly invisible “Browser-in-the-Browser” (BitB) credential-phishing technique in order to continue its ongoing exploitation of the war in Ukraine.

In a Wednesday post, Google’s Threat Analysis Group (TAG) said that they’d already spotted BitB being used by multiple government-backed actors prior to the media turning a laser eye on BitB earlier this month. The fresh attention was triggered by a penetration tester and security researcher – who goes by the handle mr.d0x – who posted a description of BitB.

Ghostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat’s (APT’s) phishing techniques: namely, hosting credential-phishing landing pages on compromised sites.

The newly disclosed credential-phishing method of BitB takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple or Microsoft.
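Seen from the defender's side, the detail that matters is that a BitB "popup" is page content rather than a real window. The following is an added example, not code from the article, Google TAG or mr.d0x: a heuristic scan that flags an identity-provider URL rendered as page text on a site that is not that provider, when the login form is also served by the page itself. The provider host list, the regex-based markup scan and the sample markup are assumptions constructed for the example.

```javascript
// Heuristic check for Browser-in-the-Browser (BitB) fake SSO popups.
// A real "Sign in with Google" popup is a separate top-level window whose
// address bar is browser chrome. A BitB "popup" is ordinary page content:
// the frame and address bar are drawn with HTML/CSS and the login form is
// served by the phishing site. The host list, regex markup scan and sample
// markup below are constructed for this example.

const SSO_HOSTS = [
  'accounts.google.com', 'login.microsoftonline.com',
  'appleid.apple.com', 'www.facebook.com',
];

// Origins of every <iframe src=...> in the markup, resolved against pageOrigin.
function extractIframeOrigins(pageOrigin, html) {
  const origins = [];
  const re = /<iframe[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try { origins.push(new URL(m[1], pageOrigin).origin); } catch (e) { /* skip bad src */ }
  }
  return origins;
}

// Returns human-readable findings; an empty array means nothing suspicious.
function detectBitb(pageOrigin, html) {
  const pageHost = new URL(pageOrigin).hostname;
  const findings = [];
  // 1. A provider hostname shown as text (a drawn address bar) on a non-provider page.
  const visibleText = html.replace(/<[^>]+>/g, ' ');
  for (const host of SSO_HOSTS) {
    if (pageHost !== host && visibleText.includes(host)) {
      findings.push(`text shows ${host} but document origin is ${pageHost}`);
    }
  }
  // 2. The "popup" content comes from the page itself, not from the provider.
  const hasPasswordField = /<input[^>]*type=["']password["']/i.test(html);
  const sameOriginFrames = extractIframeOrigins(pageOrigin, html).filter((o) => o === pageOrigin);
  if (findings.length && (hasPasswordField || sameOriginFrames.length)) {
    findings.push('login form is rendered inside the page, not in a separate window');
  }
  return findings;
}

// Constructed sample: a fake Google popup drawn in HTML on a compromised site.
const SAMPLE_BITB = `<div class="win"><div class="title">Sign in - Google Accounts</div>
<div class="urlbar">https://accounts.google.com/o/oauth2/auth</div>
<iframe src="/login-frame.html"></iframe></div>`;
const SAMPLE_LEGIT = `<p>Use the button below.</p><button>Sign in with Google</button>`;

console.log(detectBitb('https://compromised.example', SAMPLE_BITB));
```

Plain text naming a provider host also appears on legitimate documentation pages, which is why the second check is required before a page is flagged.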

These days, SSO popups are a routine way to authenticate when you
