Recent mischief and digital shenanigans

By Admin, May 15, 2026
This blogpost covers newly discovered activity attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been conducting continuous cyberoperations, frequently modifying and updating its toolset, compromise chain, and techniques to evade detection, and focusing on victims located in Eastern Europe, according to our telemetry.

Key points of the report:

  • FrostyNeighbor is a long-running cyberespionage actor apparently aligned with the interests of Belarus.
  • The group primarily targets governmental, military, and key sectors in Eastern Europe.
  • This report documents new activity, observed since March 2026, showing continued evolution of tooling and compromise chains.
  • FrostyNeighbor uses server-side validation of its victims before delivering the final payload.
  • The group has recently been active in campaigns targeting governmental organizations in Ukraine.

Introduction

FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC‑0057, TA445, PUSHCHA, or Storm-0257, is a group allegedly operating from Belarus. According to Mandiant, the group has been active since at least 2016. The majority of FrostyNeighbor’s operations have targeted countries neighboring Belarus; a small minority have been observed in other European countries. FrostyNeighbor conducts campaigns that use spearphishing, spread disinformation, and attempt to influence their targets (like the Ghostwriter influence activity), but it has also compromised a variety of governmental and private sector entities, with a focus on Ukraine, Poland, and Lithuania.

FrostyNeighbor has demonstrated a continued evolution in its tactics, techniques, and procedures (TTPs), leveraging over time a diverse arsenal of malware and delivery mechanisms to target entities. Key developments include the deployment of multiple variants of the group’s main payload downloader, named PicassoLoader by CERT-UA. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++. The name comes from the fact that it retrieves a Cobalt Strike beacon, from an attacker-controlled environment, disguised as a renderable image or hidden in a web-associated file type, like CSS, JS, or SVG. Cobalt Strike is a post-exploitation framework widely used both by pentesters and threat actors, and its associated beacon acts as an initial implant, allowing the attacker to fully control the compromised victim’s computer.

Moreover, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC files, and it has exploited the WinRAR vulnerability CVE‑2023‑38831. FrostyNeighbor has also abused legitimate services such as Slack for payload delivery, and Canarytokens for victim tracking, complicating detection and attribution efforts.

While Ukrainian targeting seems to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors such as industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations. As this report is solely based on our telemetry, other campaigns against entities in countries in the same region cannot be excluded.

FrostyNeighbor has conducted spearphishing campaigns targeting users of Polish organizations, focusing on major free email providers such as Interia Poczta and Onet Poczta. These campaigns included spoofed login pages designed to harvest credentials. Additionally, CERT-PL reported that the group exploited the CVE‑2024‑42009 XSS vulnerability in Roundcube, which allows JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim’s credentials. This reflects the group’s effort in both malware compromise and credential harvesting.

Previous publications

FrostyNeighbor’s campaigns have been active for years and have therefore been extensively documented publicly over time. Some of these include reports from July 2024, when CERT-UA reported a surge of activity attributed to the group, targeting Ukrainian governmental entities. In February 2025, SentinelOne documented a surge of activity targeting the Ukrainian government and opposition activists in Belarus, using new versions of previously observed payloads.

In August 2025, HarfangLab observed new clusters of activity that involved malicious archives in specific compromise chains to target Ukrainian and Polish entities. Finally, in December 2025, StrikeReady documented a new anti-analysis technique, using dynamic CAPTCHAs that the victims had to solve, executed by a VBA macro in the lure document.

Newly discovered activity

Since March 2026, we have detected new activity that we attribute to FrostyNeighbor, using links in malicious PDFs sent as spearphishing attachments to target governmental organizations in Ukraine. The compromise chain is the most recent observed to date, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload, as illustrated in Figure 1.

Figure 1. Compromise chain overview

It begins with a blurry lure PDF file named 53_7.03.2026_R.pdf, shown in Figure 2, impersonating the Ukrainian telecommunications company Ukrtelecom, with a message that it purportedly “ensures reliable protection of customer data” (machine translated), and a download button with a link leading to a document hosted on a delivery server controlled by the group.

Figure 2. PDF lure document with a remote download link

If the victim is not in the expected geographic location, the server delivers a benign PDF file with the same name, 53_7.03.2026_R.pdf, related to regulations in the field of electronic communications from 2024 to 2026 from Ukraine’s National Commission for the State Regulation of Electronic Communications, Radio Frequency Spectrum and the Provision of Postal Services (nkek.gov.ua), as shown in Figure 3.

Figure 3. Decoy PDF file related to strategic priorities and regulations in the field of electronic communications

If the victim is using an IP address from Ukraine, the server instead delivers a RAR archive named 53_7.03.2026_R.rar, containing the first stage of the attack, 53_7.03.2026_R.js: a JavaScript file that drops and displays a PDF file as a decoy. At the same time, it also executes the second stage: a JavaScript version of the PicassoLoader downloader, known to be used by the group. The first-stage script has been deobfuscated and refactored for readability, with a shortened version presented in Figure 4.

Figure 4. First-stage JavaScript dropper 53_7.03.2026_R.js

On first execution, the script decodes and displays to the victim the same PDF decoy illustrated in Figure 3, and executes itself with the ‑‑update flag to reach the other part of the code; the other flags are not used at all.

During the second execution, the script drops the second-stage downloader (PicassoLoader), which is embedded in the script (base64 encoded) as %AppData%\WinDataScope\Update.js, and downloads a scheduled task template from https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg, as shown in Figure 5.

Figure 5. Scheduled task template downloaded from the C&C server

Although a JPG image is requested, the server responds with text-based content, using the Content-Type and Content-Disposition headers to advertise an XML attachment from their C&C server hosted behind Cloudflare infrastructure:

Content-Type: application/xml
Server: cloudflare
Content-Disposition: attachment; filename="config.xml"
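This extension-versus-content mismatch is a cheap thing to check for at a proxy or in a sandbox. The following Python check is an added example for this page, not code from ESET’s report or from the group; it compares the extension of the requested URL against the Content-Type, the Content-Disposition filename, and the body’s leading bytes, and reports every disagreement. The sample headers mirror those quoted above, but the URL is defanged and the XML body is constructed, since the page does not reproduce the real template.

```python
"""Flag an HTTP response whose content does not match the file type the
URL advertises, as with 1GreenAM.jpg above (an image URL answered with
an XML attachment).

Added example for this page; not ESET's or the group's code. The
sample request and body below are constructed: the real template's
contents are not reproduced on the page, so the XML body is an
assumption.
"""
import os
import re

# Expected MIME type per image extension (the "renderable image" disguise).
IMAGE_EXT_MIME = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".bmp": "image/bmp",
}
# Leading bytes of the real formats above.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF8": "image/gif",
    b"BM": "image/bmp",
}


def url_path(url: str) -> str:
    """Path of a URL, tolerant of defanged hosts like needbinding[.]icu."""
    rest = url.split("://", 1)[-1]
    return "/" + rest.split("/", 1)[1] if "/" in rest else "/"


def parse_headers(raw: str) -> dict:
    """'Name: value' lines -> dict keyed by lowercase header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def sniff_body(body: bytes) -> str:
    """MIME type implied by the first bytes, or 'unknown'."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    head = body.lstrip()[:8].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "application/xml"
    return "unknown"


def check_response(url: str, raw_headers: str, body: bytes) -> list:
    """Reasons the response looks like a payload disguised as an image.

    An empty list means the extension, the headers and the bytes agree.
    """
    reasons = []
    ext = os.path.splitext(url_path(url).split("?", 1)[0])[1].lower()
    expected = IMAGE_EXT_MIME.get(ext)
    if expected is None:
        return reasons  # not an image URL; nothing to compare against
    h = parse_headers(raw_headers)
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype and ctype != expected:
        reasons.append(f"Content-Type {ctype} on a {ext} URL (expected {expected})")
    m = re.search(r'filename="?([^";]+)"?', h.get("content-disposition", ""))
    if m and os.path.splitext(m.group(1))[1].lower() != ext:
        reasons.append(f"Content-Disposition names {m.group(1)}, not a {ext} file")
    sniffed = sniff_body(body)
    if sniffed != expected:
        reasons.append(f"body starts like {sniffed}, not {expected}")
    return reasons


# Constructed sample mirroring the headers quoted in the text.
SAMPLE_URL = "https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"
SAMPLE_HEADERS = """\
Content-Type: application/xml
Server: cloudflare
Content-Disposition: attachment; filename="config.xml"
"""
SAMPLE_BODY = b'<?xml version="1.0"?>\n<Task version="1.2">\n  <!-- placeholder task template (assumption) -->\n</Task>\n'

# Constructed benign control: a real JPEG header served as image/jpeg.
BENIGN_HEADERS = "Content-Type: image/jpeg\nServer: nginx\n"
BENIGN_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for r in check_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print("suspicious:", r)
    print("benign:", check_response(SAMPLE_URL, BENIGN_HEADERS, BENIGN_BODY))
```

The three checks are deliberately independent: an attacker who fixes the Content-Type header still fails the byte sniff, and one who serves real JPEG magic bytes followed by script still fails the Content-Disposition check if the operators keep advertising an attachment. The `url_path` helper avoids `urllib.parse`, which rejects the `[.]` defanging used in indicator lists.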

To achieve persistence and trigger the first execution of PicassoLoader, the script then replaces the placeholder values in the template with the data parsed from the response file 1GreenAM.jpg:

The first stage, 53_7.03.2026_R.js, also drops a REG file under %AppData%\WinDataScope as WinUpdate.reg, whose contents are imported into the registry by the PicassoLoader downloader. The PicassoLoader script has been deobfuscated and refactored for readability, with a shortened version presented in Figure 6.

Figure 6. Second-stage JavaScript PicassoLoader downloader

When running, PicassoLoader fingerprints the victim’s computer by collecting the username, computer name, OS version, the boot time of the computer, the current time, and the list of running processes with their process IDs (PIDs). Every 10 minutes, the compromised computer’s fingerprint is sent to the C&C server via an HTTP POST request to https://book-happy.needbinding[.]icu/employment/documents-and-resources. If the C&C server’s response content is larger than 100 bytes, the received data is executed using the eval method.

The decision whether or not to deliver a payload is very likely made manually by the operators, based on the collected information, to determine whether the victim is of interest. If so, the C&C server responds with a third-stage JavaScript dropper for Cobalt Strike; otherwise, it returns an empty response. This third-stage script has been deobfuscated and refactored for readability, with a shortened version presented in Figure 7.
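The fixed 10-minute cadence and the 100-byte eval threshold described above are enough to hunt for this loader in web proxy logs, and to pinpoint the moment the operators decided a host was worth the third stage. The following Python script is an added example, not ESET’s or the group’s code. Its log format and the sample lines are constructed, and it assumes the proxy performs TLS inspection so that the full URL is visible (without it, only the hostname and the timing survive). It groups POSTs by client and URL, keeps only series whose inter-request intervals are regular, and records the first reply large enough to be eval’d.

```python
"""Hunt for PicassoLoader-style beaconing in web proxy logs: regular POSTs
from one client to one URL that mostly receive an empty reply, until a
reply exceeds the 100-byte threshold the loader passes to eval.

Added example for this page; not ESET's or the group's code. The log
format and the lines below are constructed, and the script assumes the
proxy performs TLS inspection, otherwise only the hostname is visible.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

MIN_REQUESTS = 4      # fewer samples cannot establish a period
MAX_JITTER = 0.10     # stdev(gap) / mean(gap); script loaders are punctual
EVAL_THRESHOLD = 100  # bytes; the text says replies above this are eval'd

# Constructed sample: timestamp, client IP, method, URL, status, response bytes.
SAMPLE_LOG = """\
2026-03-12T09:00:02Z 10.20.0.15 POST https://book-happy.needbinding[.]icu/employment/documents-and-resources 200 0
2026-03-12T09:03:10Z 10.20.0.22 GET https://example.org/news 200 15320
2026-03-12T09:10:01Z 10.20.0.15 POST https://book-happy.needbinding[.]icu/employment/documents-and-resources 200 0
2026-03-12T09:20:04Z 10.20.0.15 POST https://book-happy.needbinding[.]icu/employment/documents-and-resources 200 0
2026-03-12T09:30:02Z 10.20.0.15 POST https://book-happy.needbinding[.]icu/employment/documents-and-resources 200 0
2026-03-12T09:40:03Z 10.20.0.15 POST https://book-happy.needbinding[.]icu/employment/documents-and-resources 200 48211
2026-03-12T09:41:55Z 10.20.0.22 POST https://example.org/api/search 200 2210
2026-03-12T10:12:40Z 10.20.0.22 POST https://example.org/api/search 200 1978
"""


def parse_log(text: str) -> list:
    """Split the constructed format into typed tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, method, url, status, size = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((when, src, method, url, int(status), int(size)))
    return rows


def find_beacons(rows: list) -> dict:
    """Map (client, URL) -> summary for POST series with a stable period."""
    series = defaultdict(list)
    for when, src, method, url, _status, size in rows:
        if method == "POST":
            series[(src, url)].append((when, size))
    hits = {}
    for key, events in series.items():
        events.sort()
        if len(events) < MIN_REQUESTS:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter > MAX_JITTER:
            continue  # irregular traffic: humans, retries, ordinary apps
        big = [(when, size) for when, size in events if size > EVAL_THRESHOLD]
        hits[key] = {
            "requests": len(events),
            "period_s": round(median(gaps)),
            "jitter": round(jitter, 3),
            "empty_replies": len(events) - len(big),
            # The first large reply after a run of empty ones is the moment
            # the operators decided the host deserved a third stage.
            "first_payload_at": big[0][0].isoformat() if big else None,
        }
    return hits


if __name__ == "__main__":
    for (src, url), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(src, url, info)
```

Tune `MAX_JITTER` to your environment: this loader uses a plain timer, so its intervals cluster tightly around 600 seconds, whereas Cobalt Strike beacons are usually configured with jitter and need a looser threshold or a different detector. The `first_payload_at` timestamp is the one to pivot on in endpoint telemetry, since the next artifacts (the ViberPC files and Run key described below) should appear within seconds of it.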

Figure 7. Third-stage Cobalt Strike dropper

This additional script begins by copying the legitimate rundll32.exe to %ProgramData%\ViberPC.exe, very likely to bypass some security mechanisms or detection rules that key on the original path.

Then, a Cobalt Strike beacon embedded in this stage is base64 decoded and written to disk as %ProgramData%\ViberPC.dll. Finally, persistence is achieved by creating and importing a REG file named ViberPC.reg, which registers in the HKCU Run key a LNK file, named %ProgramData%\ViberPC.lnk, that executes the copied version of rundll32.exe with the command line argument %ProgramData%\ViberPC.dll, calling its DLL export SettingTimeAPI.

The final payload is a Cobalt Strike beacon that contacts its C&C server at https://nama-belakang.nebao[.]icu/statistics/uncover.txt.

Conclusion

FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity through its use of various lure documents, evolving lure and downloader variants, and new delivery mechanisms. The latest compromise chain we detected is a continuation of the group’s willingness to update and renew its arsenal in an attempt to evade detection and compromise its targets.

The group’s campaigns continue to focus on Eastern Europe, with a notable emphasis on the governmental, defense, and key sectors, especially in Poland, Lithuania, and Ukraine, according to ESET telemetry.

The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with manual validation by the operators. Continuous and close monitoring of the group’s operations, infrastructure, and toolset changes is essential to detect and mitigate future operations.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1 | Filename | Detection | Description
776A43E46C36A539C916ED426745EE96E2392B39 | 53_7.03.2026_R.rar | JS/TrojanDropper.FrostyNeighbor.E | Lure RAR archive.
8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F | 53_7.03.2026_R.js | JS/TrojanDropper.FrostyNeighbor.E | JavaScript dropper.
B65551D339AECE718EA1465BF3542C794C445EFC | Update.js | JS/TrojanDownloader.FrostyNeighbor.D | JavaScript PicassoLoader downloader.
E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906 | Update.js | JS/TrojanDropper.FrostyNeighbor.D | Cobalt Strike dropper.
43E30BE82D82B24A6496F6943ECB6877E83F88AB | ViberPC.dll | Win32/CobaltStrike.Beacon.S | Cobalt Strike beacon.
4F2C1856325372B9B7769D00141DBC1A23BDDD14 | 53_7.03.2026_R.pdf | PDF/TrojanDownloader.FrostyNeighbor.D | Lure PDF document.
D89E5524E49199B1C3B66C524E7A63C3F0A0C199 | Certificates.pdf | PDF/TrojanDownloader.FrostyNeighbor.E | Lure PDF document.
7E537D8E91668580A482BD77A5A4CABA26D6BDAC | certificates.js | JS/TrojanDownloader.FrostyNeighbor.G | JavaScript PicassoLoader downloader.
FA6882672AD3654800987613310D7C3FBADE027E | certificates.js | JS/TrojanDownloader.FrostyNeighbor.E | JavaScript PicassoLoader downloader.
3FA7D1B13542F1A9EB054111F9B69C250AF68643 | Сетифікат_CAF.rar | JS/TrojanDropper.FrostyNeighbor.G | Lure RAR archive.
4E52C92709A918383E90534052AAA257ACE2780C | Сетифікат_CAF.js | JS/TrojanDropper.FrostyNeighbor.G | JavaScript dropper.
6FDED427A16D5314BA3E1EB9AFD120DC84449769 | EdgeTaskMachine.js | JS/TrojanDropper.FrostyNeighbor.F | JavaScript PicassoLoader downloader.
27FA11F6A1D653779974B6FB54DE4AF47F211232 | EdgeSystemConfig.dll | Win32/CobaltStrike.Beacon.S | Cobalt Strike beacon.

Network

IP | Domain | Hosting provider | First seen | Details
N/A | attachment-storage-asset-static.needbinding[.]icu | N/A | 2026-03-10 | PicassoLoader C&C server.
N/A | book-happy.needbinding[.]icu | N/A | 2026-03-10 | PicassoLoader C&C server.
N/A | nama-belakang.nebao[.]icu | N/A | 2026-03-10 | Cobalt Strike C&C server.
N/A | easiestnewsfromourpointofview.algsat[.]icu | N/A | 2026-04-14 | PicassoLoader C&C server.
N/A | mickeymousegamesdealer.alexavegas[.]icu | N/A | 2026-03-26 | PicassoLoader C&C server.
N/A | hinesafar.sardk[.]icu | N/A | 2026-04-14 | PicassoLoader C&C server.
N/A | shinesafar.sardk[.]icu | N/A | 2026-04-14 | PicassoLoader C&C server.
N/A | best-seller.lavanille[.]buzz | N/A | 2026-04-14 | Cobalt Strike C&C server.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1583 | Acquire Infrastructure | FrostyNeighbor acquires domains and rents C&C servers.
Resource Development | T1608 | Stage Capabilities | FrostyNeighbor hosts the final payload on a C&C server.
Resource Development | T1588.002 | Obtain Capabilities: Tool | FrostyNeighbor obtained a leaked version of Cobalt Strike to generate payloads.
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | FrostyNeighbor sends a weaponized lure document as an email attachment.
Execution | T1204.002 | User Execution: Malicious File | FrostyNeighbor tricks its victims into opening or editing a document to gain code execution.
Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | FrostyNeighbor uses scheduled tasks to achieve persistence.
Execution | T1059 | Command and Scripting Interpreter | FrostyNeighbor uses scripting languages such as JavaScript, Visual Basic, and PowerShell.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | FrostyNeighbor uses the registry Run key and the Startup folder to achieve persistence.
Defense Evasion | T1027 | Obfuscated Files or Information | FrostyNeighbor obfuscates scripts and compiled binaries.
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | FrostyNeighbor embeds next stages or payloads inside the initial lure document.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | FrostyNeighbor drops malicious files using common Microsoft filenames and locations.
Discovery | T1057 | Process Discovery | PicassoLoader collects the list of running processes.
Discovery | T1082 | System Information Discovery | PicassoLoader collects system and user information.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | FrostyNeighbor uses HTTPS for C&C communication and payload delivery.
Exfiltration | T1041 | Exfiltration Over C2 Channel | FrostyNeighbor uses HTTPS with Cobalt Strike.

© 2025 https://blog.aimactgrow.com/ - All Rights Reserved