GhostShell
GhostShell is a newly tracked threat actor name used in two distinct reporting contexts present in the source content.

First, Synaptic Systems assigned the label GhostShell (MB-0009) to a cluster targeting Ukraine’s drone sector, including military units, supply chains, and volunteer groups, active since at least February 2026. In that activity, the group used a malicious archive named Besomar_documentation.rar with Ukrainian-language decoy PDFs themed around the legitimate Ukrainian drone company Besomar. The archive installed a hidden script in the Windows Startup folder for persistence, contacted cloudaxiscc to retrieve additional payloads, and deployed components including 122.exe, update.exe, and 22.exe. Reported functions included screenshot capture, host identification, exfiltration to cdnexpress.cc, use of a Telegram page link to locate command-and-control infrastructure, and deployment of the Vidar v2 infostealer to steal browser credentials, browsing history, and cryptocurrency wallet data. Synaptic Systems assessed the operation as intended to disrupt Ukrainian defense-related networks, but stated that attribution to a specific nation-state would be premature and currently tracks GhostShell as an independent, highly organized cybercriminal group.

Second, separate reporting describes GhostShell RAT as a previously unreported Android spyware-as-a-service operation allegedly developed by an Indonesian actor using the alias MRSt3Ss. That operation was linked to a React-based operator panel hosted on a Contabo VPS in Germany, the domain ghostshellrat[.]net, and a multi-tier subscription model with APK building, reseller management, and multilingual localization. Reported capabilities included credential theft, SMS and call interception, contacts and notification capture, location tracking, gallery and camera access, file management, hVNC-style live screen control with touch injection and black-screen mode, and an optional cryptocurrency clipper. The reporting also tied public GitHub repositories under MRSt3Ss to the development history of the platform and noted exposed hardcoded credentials and secrets in public code.

Based on the provided content alone, GhostShell is associated with the aliases GhostShell, MB-0009, and GhostShell RAT, while MRSt3Ss is identified as the alleged developer alias for the Android spyware operation.
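The Windows cluster above is reported to persist by dropping a hidden script into the Startup folder. The following Sigma rule is an added detection example for that behaviour; it is not a rule from the page, from Synaptic Systems, or from Mallory. It assumes file-creation telemetry (for example Sysmon Event ID 11) normalized into Sigma's file_event category for Windows; the rule id is a placeholder UUID to be replaced, and the script extensions are generic choices, since the reporting does not name the script's file type.

```yaml
title: Script File Dropped Into Windows Startup Folder
id: 00000000-0000-0000-0000-000000000000   # placeholder, replace with a real UUID
status: experimental
description: >
  Detects creation of a script file in a per-user or all-users Startup folder,
  the persistence mechanism reported for the GhostShell (MB-0009)
  Besomar_documentation.rar lure. Added example, not a rule from the reporting.
references:
  - https://attack.mitre.org/techniques/T1547/001/
logsource:
  category: file_event
  product: windows
detection:
  # Both %APPDATA% and %ProgramData% Startup folders share this path suffix;
  # Sigma string modifiers match case-insensitively in most backends.
  selection_path:
    TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
  # Assumed script extensions; the reporting only says "hidden script".
  selection_ext:
    TargetFilename|endswith:
      - '.bat'
      - '.cmd'
      - '.vbs'
      - '.js'
      - '.ps1'
  # Windows Installer legitimately registers startup items.
  filter_installer:
    Image|endswith: '\msiexec.exe'
  condition: all of selection_* and not filter_installer
falsepositives:
  - Software installers registering startup items
  - Administrative scripts deployed by endpoint-management tooling
level: medium
tags:
  - attack.persistence
  - attack.t1547.001
```

The hidden file attribute mentioned in the reporting is not carried in standard file-creation events, so the rule keys on path and extension instead; an investigator can confirm the attribute on the host with `attrib` against the flagged file. Tune the extension list and the installer filter to the environment before promoting the rule past `experimental`.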
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
- Capital Goods
- Non-Governmental Organizations
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Targeting Ukraine’s drone sector, including military units, supply chains, and volunteer groups, using decoy documents and malware to steal information and disrupt Ukrainian defense-related networks.
Commercial Android spyware-as-a-service operation with a subscription model, reseller program, APK builder, credential theft, device surveillance, remote control, file management, and crypto clipper capabilities.