A threat actor previously linked to the Belarusian Ministry of Defense, Ghostwriter, has recently adopted nearly invisible Browser-in-the-Browser (BitB) credential phishing techniques. The tool is likely being leveraged in its attacks against Ukraine and exploitation of the war being waged in the country. Ghostwriter is currently using war-themed attacks to lure victims into clicking malicious links. Google’s Threat Analysis Group reported that Ghostwriter isn’t the first threat actor it has witnessed using BitB. Earlier this month, multiple government-backed actors were deploying the tool.

The renewed attention on BitB was likely due to a security researcher and penetration tester who posted a description of what BitB is. Ghostwriter quickly added the tool to its arsenal, combining it with its other phishing techniques such as hosting credential-phishing landing pages on already-compromised sites. BitB takes advantage of third-party sign-on SSO options embedded in websites that deploy popup windows for authentication. Companies such as Facebook, Google, Apple, and Microsoft use this sign-on method for some of its features.

Read More: Belarusian ‘Ghostwriter’ Actor Picks Up BitB for Ukraine-Related Attacks

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.