Recent mischief and digital shenanigans

This blogpost covers newly found actions attributed to FrostyNeighbor, concentrating on governmental organizations in Ukraine. FrostyNeighbor has been operating continuous cyberoperations, altering and updating its toolset frequently, updating its compromise chain and strategies to evade detection – concentrating on victims positioned in Jap Europe, in line with our telemetry.

Key factors of the report:

• FrostyNeighbor is a long-running cyberespionage actor apparently aligned with the pursuits of Belarus.
• The group primarily targets governmental, navy, and key sectors in Jap Europe.
• This report paperwork new exercise noticed that began in March 2026, exhibiting continued evolution of tooling and compromise chains.
• FrostyNeighbor makes use of server-side validation of its victims earlier than delivering the ultimate payload.
• The group has been lively not too long ago in campaigns concentrating on governmental organizations in Ukraine.

Introduction

FrostyNeighbor, also referred to as Ghostwriter, UNC1151, UAC‑0057, TA445, PUSHCHA, or Storm-0257, is a gaggle allegedly working from Belarus. In response to Mandiant, the group has been lively since no less than 2016. The vast majority of FrostyNeighbor’s operations have focused nations neighboring Belarus; a small minority have been noticed in different European nations. FrostyNeighbor performs campaigns that make the most of spearphishing, unfold disinformation, and try and affect their targets (just like the Ghostwriter affect exercise) however has additionally compromised quite a lot of governmental and personal sector entities, with a deal with Ukraine, Poland, and Lithuania.

FrostyNeighbor has demonstrated a continued evolution in its techniques, methods, and procedures (TTPs), leveraging over time a various arsenal of malware and supply mechanisms to focus on entities. Key developments embrace the deployment of a number of variants of the group’s important payload downloader, named PicassoLoader by CERT-UA. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++. The title comes from the truth that it retrieves a Cobalt Strike beacon, from an attacker-controlled setting, disguised as a renderable picture or hidden in a web-associated file sort, like CSS, JS, or SVG. Cobalt Strike is a post-exploitation framework extensively used each by pentesters and risk actors, and its related beacon acts as an preliminary implant, permitting the attacker to totally management the compromised sufferer’s laptop.

Furthermore, the group makes use of all kinds of lure paperwork to compromise its targets, corresponding to CHM, XLS, PPT, or DOC, and it has exploited the WinRAR vulnerability CVE‑2023‑38831. FrostyNeighbor has additionally exploited reliable companies corresponding to Slack for payload supply, and Canarytokens for sufferer monitoring, complicating detection and attribution efforts.

Whereas Ukrainian concentrating on appears to be targeted on navy, protection sector, and governmental entities, the victimology in Poland and Lithuania is broader and contains, amongst others, all kinds of sectors like industrial and manufacturing, healthcare and prescription drugs, logistics, and plenty of governmental organizations. As this report is solely primarily based on our telemetry, different campaigns towards entities in nations in the identical area can’t be excluded.

FrostyNeighbor has carried out spearphishing campaigns concentrating on customers of Polish organizations, specializing in main free e-mail suppliers corresponding to Interia Poczta and Onet Poczta. These campaigns included spoofed login pages designed to reap credentials. Moreover, CERT-PL reported that the group exploited the CVE‑2024‑42009 XSS vulnerability in Roundcube, which allows JavaScript execution upon opening of weaponized e-mail messages, to exfiltrate the sufferer’s credentials. This displays the group’s effort in each malware compromise and credential harvesting.

Previous publications

FrostyNeighbor’s campaigns have been lively for years and have subsequently been extensively documented publicly over time. A few of these embrace reviews from July 2024, when CERT-UA reported a couple of surge of exercise attributed to the group, concentrating on Ukrainian governmental entities. In February 2025, SentinelOne documented a surge of exercise concentrating on Ukrainian authorities and opposition activists in Belarus, utilizing new diversifications of beforehand noticed payloads.

In August 2025, HarfangLab noticed new clusters of exercise that concerned malicious archives in particular compromise chains to focus on Ukrainian and Polish entities. Lastly, in December 2025, StrikeReady documented a brand new anti-analysis method, utilizing dynamic CAPTCHAs that the victims needed to resolve, executed by a VBA macro within the lure doc.

Newly found exercise

Since March 2026, now we have detected new actions that we attributed to FrostyNeighbor, utilizing hyperlinks in malicious PDFs despatched through spearphishing attachments to focus on governmental organizations in Ukraine. The compromise chain is the latest noticed thus far, utilizing a JavaScript model of PicassoLoader to ship a Cobalt Strike payload, as illustrated in Determine 1.

It begins with a blurry lure PDF file named 53_7.03.2026_R.pdf, proven in Determine 2, impersonating the Ukrainian telecommunications firm Ukrtelecom, with a message that it purportedly “ensures dependable defending of buyer knowledge” (machine translated), and a obtain button with a hyperlink resulting in a doc hosted on a supply server managed by the group.

If the sufferer just isn’t from the anticipated geographic location, the server delivers a benign PDF file with the identical title, 53_7.03.2026_R.pdf, associated to laws within the area of digital communications from 2024 to 2026 from Ukraine’s Nationwide Fee for the State Regulation of Digital Communications, Radio Frequency Spectrum and the Provision of Postal Providers (nkek.gov.ua), as proven in Determine 3.

If the sufferer is utilizing an IP handle from Ukraine, the server as a substitute delivers a RAR archive named 53_7.03.2026_R.rar, containing the primary stage of the assault named 53_7.03.2026_R.js – a JavaScript file that drops and shows a PDF file as a decoy. Concurrently, it additionally executes the second stage: a JavaScript model of the PicassoLoader downloader, recognized for use by the group. The primary-stage script has been deobfuscated and refactored for readability, with a shortened model supplied in Determine 4.

On first execution, the script decodes and shows to the sufferer the identical PDF decoy illustrated in Determine 3, and executes itself with the ‑‑replace flag to succeed in the opposite part of the code; the opposite flags will not be used in any respect.

Throughout the second execution, the script drops the second-stage downloader (PicassoLoader), which is embedded within the script (encoded utilizing base64) as %AppDatapercentWinDataScopeUpdate.js, and downloads a scheduled process template from https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg, as proven in Determine 5.

Regardless of a JPG picture being requested, the server responds with text-based content material, utilizing the Content material-Sort and Content material-Disposition headers to promote an XML attachment from their C&C server hosted behind the Cloudflare infrastructure:

Content material-Sort: software/xml
Server: cloudflare
Content material-Disposition: attachment; filename=”config.xml”

To attain persistence and set off the primary execution of PicassoLoader, the script then replaces the placeholder values with the info parsed from the response file 1GreenAM.jpg:

• <StartBoundary></StartBoundary>,
• <Command>1</Command>, and
• <Arguments>1</Arguments>.

The primary stage, 53_7.03.2026_R.js, additionally drops a REG file below %AppDatapercentWinDataScope as WinUpdate.reg, whose contents are imported into the registry by the PicassoLoader downloader. The PicassoLoader script has been deobfuscated and refactored for readability, with a shortened model supplied in Determine 6.

When operating, PicassoLoader fingerprints the sufferer’s laptop by amassing the username, laptop title, OS model, the boot time of the pc, the present time, and the checklist of operating processes with their course of IDs (PIDs). Each 10 minutes, the compromised laptop’s fingerprint is distributed to the C&C server through an HTTP POST request to https://book-happy.needbinding[.]icu/employment/documents-and-resources. If the C&C server response content material is bigger than 100 bytes, the acquired knowledge is executed utilizing the eval technique.

The choice whether or not or to not ship a payload may be very seemingly manually carried out by the operators, primarily based on the collected info to determine if the sufferer is of curiosity. If they’re, the C&C server responds with a third-stage JavaScript dropper for Cobalt Strike; in any other case, it returns an empty response. This third-stage script has been deobfuscated and refactored for readability, with a shortened model supplied in Determine 7.

This extra script begins by copying the reliable rundll32.exe to %ProgramDatapercentViberPC.exe, very prone to bypass some safety mechanisms or detection guidelines.

Then, a Cobalt Strike beacon embedded on this stage is base64 decoded and written to disk as %ProgramDatapercentViberPC.dll. Lastly, persistence is achieved by creating and importing a REG file named ViberPC.reg, which registers within the HKCU Run key a LNK file, named %ProgramDatapercentViberPC.lnk, that executes the copied model of rundll32.exe with the command line argument %ProgramDatapercentViberPC.dll, calling its DLL export SettingTimeAPI.

The ultimate payload is a Cobalt Strike beacon that contacts its C&C server at https://nama-belakang.nebao[.]icu/statistics/uncover.txt.

Conclusion

FrostyNeighbor stays a persistent and adaptive risk actor, demonstrating a excessive degree of operational maturity with using numerous lure paperwork, evolving lure and downloader variants, and new supply mechanisms. This latest compromise chain we detected is a continuation of the group’s willingness to replace and renew its arsenal, making an attempt to evade detection to compromise its targets.

The group’s campaigns proceed to deal with Jap Europe, with a notable emphasis on the governmental, protection, and key sectors, particularly in Poland, Lithuania, and Ukraine, in line with ESET telemetry.

The payload is simply delivered after server-side sufferer validation, combining automated checks of the requesting consumer agent and IP handle with the handbook validation by the operators. Steady and shut monitoring of the group’s operations, infrastructure, and toolset adjustments is important to detect and mitigate future operations.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Analysis presents personal APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

A complete checklist of indicators of compromise (IoCs) and samples will be present in our GitHub repository.

Recordsdata

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 18 of the MITRE ATT&CK framework.