MOONSCAPE

CTU researchers assess with high confidence that MOONSCAPE obtains unauthorized access to account credentials to support espionage and intelligence operations.

Operating since at least 2020, the group conducts persistent spearphishing campaigns against Ukrainian, Latvian, German, Polish and Lithuanian speaking targets. These campaigns exploit email validation or verification themes, and have been observed spoofing popular webmail providers, national information services, social media platforms and military entities.

MOONSCAPE has been publicly linked to the Ghostwriter influence campaign. Ghostwriter involves propagating narratives, critical of NATO presence in Eastern Europe, designed to influence public opinion in Lithuania, Latvia and Poland. CTU researchers assess with moderate confidence that MOONSCAPE is Belarusian or Russian in origin.