EXECUTIVE SUMMARY
A financially motivated threat group, identified by its use of the GHOSTYNETWORKS and OMEGATECH autonomous systems, is conducting a JavaScript‐based backdoor campaign. The operation targets energy, automotive, and government finance entities across Eastern Europe, with notable victims in Ukraine, Russia, Poland, and Germany. Phishing emails with compressed archives carry the malicious script, aiming to establish persistent access for data theft and extortion. The attackers appear focused on extracting financial information and conducting fraudulent transactions, aligning with broader business‐email‐compromise trends observed in 2025.
The payload reaches victims as a JavaScript file hidden inside a ZIP or RAR attachment. When the archive is opened and the script executed, it runs under the Windows scripting host, gathers system details, and contacts a remote command‐and‐control server using uncommon ports and a browser‐like user‐agent. The backdoor registers a unique identifier, creates a hidden scheduled task for persistence, and can move laterally by invoking remote PowerShell commands. It also streams collected files to the controller, enabling ongoing exfiltration while maintaining a low‐profile communication channel.
The campaign is significant because the use of JavaScript and compressed containers evades many traditional binary‐based defenses, and the reliance on obscure network routes hampers detection by perimeter tools. Organizations with limited email filtering or outdated scripting controls are especially vulnerable. Recommended actions include blocking script attachments, enforcing execution restrictions on Windows scripting hosts, and monitoring for anomalous outbound traffic to unfamiliar autonomous systems. Maintaining regular backups, applying patches promptly, and conducting phishing awareness training further reduce the risk of compromise and improve recovery prospects.
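As an added illustration of the monitoring recommendation above (this is example code, not from the report or the source article), the Python below applies the report's indicators to constructed Sysmon-style process and network events: a script host running a double-extension .js from an archive temp path, a scheduled task created by that host, a script host spawning PowerShell, and a script-host connection to a non-standard port. The event fields, file names, ports and addresses are assumptions built for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry): a .js extracted from an archive,
# run by the Windows scripting host, persisting via a task, beaconing to an odd port.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'wscript.exe "C:\Users\a\AppData\Local\Temp\Rar$DIa0.1\invoice_2025.pdf.js"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "schtasks.exe /create /tn WinUpdateCheck"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dest": "203.0.113.10", "port": 8443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.7", "port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WEB_PORTS = {80, 443}                      # anything else from a script host is suspect
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.js\b", re.I)   # e.g. invoice.pdf.js
TEMP_PATH = re.compile(r"\\temp\\|rar\$|\.zip\\", re.I)       # archive staging dirs

def basename(path):
    return PureWindowsPath(path).name.lower()

def findings(ev):
    """Return the list of rule names the single event trips (empty if clean)."""
    out = []
    img, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    if ev["type"] == "process":
        cmd = ev["cmdline"]
        if img in SCRIPT_HOSTS and ".js" in cmd.lower():
            out.append("T1059.007 script host running .js")
            if DOUBLE_EXT.search(cmd):
                out.append("T1036.007 double extension")
            if TEMP_PATH.search(cmd):
                out.append("script launched from temp/archive path")
        if parent in SCRIPT_HOSTS and img == "schtasks.exe" and "/create" in cmd.lower():
            out.append("persistence: scheduled task created by script host")
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            out.append("script host spawning PowerShell")
    elif ev["type"] == "network" and img in SCRIPT_HOSTS and ev["port"] not in WEB_PORTS:
        out.append("T1571 script host to non-standard port")
    return out

def scan(events):
    """Evaluate every event; returns (event index, rule) pairs for triage."""
    return [(i, f) for i, ev in enumerate(events) for f in findings(ev)]
```

Pointing the same rules at real Sysmon event IDs 1 and 3 (or EDR equivalents) gives a low-noise first-pass alert for this tradecraft, since legitimate script-host traffic to non-web ports is rare on most workstations.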
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.003 | Acquire Infrastructure | Virtual Private Server |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1036.007 | Masquerading | Double File Extension |
| Command and Control | T1571 | Non-Standard Port | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following report contains further technical details:
https://cybersecuritynews.com/hackers-use-ghostynetworks-and-omegatech/