MOONSCAPE
Objectives
Aliases
SUMMARY
CTU researchers assess with high confidence that MOONSCAPE obtains unauthorized access to account credentials to support espionage and intelligence operations.
Operating since at least 2020, the group conducts persistent spearphishing campaigns against Ukrainian-, Latvian-, German-, Polish- and Lithuanian-speaking targets. These campaigns exploit email validation or verification themes and have been observed spoofing popular webmail providers, national information services, social media platforms and military entities.
MOONSCAPE has been publicly linked to the Ghostwriter influence campaign. Ghostwriter involves propagating narratives that are critical of NATO presence in Eastern Europe and designed to influence public opinion in Lithuania, Latvia and Poland. CTU researchers assess with moderate confidence that MOONSCAPE is Belarusian or Russian in origin.