This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running persistent cyberoperations, transforming and updating its toolset incessantly, changing its compromise chain and the way it evades detection, while targeting victims located in Eastern Europe, according to our telemetry.
Key points of the report:
- FrostyNeighbor is a long-running cyberespionage actor seemingly aligned with the interests of Belarus.
- The group mainly targets governmental, military, and key sectors in Eastern Europe.
- This report documents new activity observed starting in March 2026, showing continued evolution of tooling and compromise chains.
- FrostyNeighbor uses server-side validation of its victims before delivering the final payload.
- The group has recently been active in campaigns targeting governmental organizations in Ukraine.
Introduction
FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, or Storm-0257, is a group allegedly operating from Belarus. According to Mandiant, the group has been active since at least 2016. The majority of FrostyNeighbor's operations have targeted countries neighboring Belarus; a small minority were observed in other European countries. FrostyNeighbor conducts campaigns that make use of spearphishing, spread disinformation, and attempt to influence their targets (like the Ghostwriter influence activity), but it has also compromised numerous governmental and private sector entities, with a focus on Ukraine, Poland, and Lithuania.
FrostyNeighbor has demonstrated a continued evolution in its tactics, techniques, and procedures (TTPs), leveraging over the years a diverse arsenal of malware and delivery mechanisms to target entities. Key developments include the deployment of multiple variants of the group's main payload downloader, named PicassoLoader by CERT-UA. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++. The name comes from the fact that it retrieves a Cobalt Strike beacon, from an attacker-controlled environment, disguised as a renderable image or hidden in a web-associated file type, like CSS, JS, or SVG. Cobalt Strike is a post-exploitation framework widely used both by pentesters and threat actors, and its associated beacon acts as an initial implant, allowing the attacker to fully control the compromised victim's computer.
Additionally, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC, and it has exploited the WinRAR vulnerability CVE-2023-38831. FrostyNeighbor has also abused legitimate services such as Slack for payload delivery, and Canarytokens for victim tracking, complicating detection and attribution efforts.
While Ukrainian targeting appears to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations. As this report is based only on our telemetry, other campaigns against entities in countries in the same region can't be excluded.
FrostyNeighbor has conducted spearphishing campaigns targeting users of Polish organizations, focusing on major free email providers such as Interia Poczta and Onet Poczta. These campaigns included spoofed login pages designed to harvest credentials. Moreover, CERT-PL reported that the group exploited the CVE-2024-42009 XSS vulnerability in Roundcube, which enables JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim's credentials. This shows the group's effort in both malware compromise and credential harvesting.
Previous publications
FrostyNeighbor's campaigns have been active for years and have therefore been widely documented publicly over time. Some of these include reports from July 2024, when CERT-UA reported a surge of activity attributed to the group, targeting Ukrainian governmental entities. In February 2025, SentinelOne documented a surge of activity targeting the Ukrainian government and opposition activists in Belarus, using new variations of previously observed payloads.
In August 2025, HarfangLab observed new clusters of activity that involved malicious archives in specific compromise chains to target Ukrainian and Polish entities. Finally, in December 2025, StrikeReady documented a new anti-analysis technique, using dynamic CAPTCHAs that the victims had to solve, executed by a VBA macro in the lure document.
Newly discovered activity
Since March 2026, we have detected new activities that we attributed to FrostyNeighbor, using links in malicious PDFs sent as spearphishing attachments to target governmental organizations in Ukraine. The compromise chain is the newest observed so far, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload, as illustrated in Figure 1.

It starts with a blurry lure PDF file named 53_7.03.2026_R.pdf, shown in Figure 2, impersonating the Ukrainian telecommunications company Ukrtelecom, with a message that it purportedly "guarantees reliable protection of customer data" (machine translated), and a download button with a link leading to a file hosted on a delivery server controlled by the group.

If the victim isn't from the expected geographic location, the server delivers a benign PDF file with the same name, 53_7.03.2026_R.pdf, related to regulations in the field of electronic communications from 2024 to 2026 from Ukraine's National Commission for the State Regulation of Electronic Communications, Radio Frequency Spectrum and the Provision of Postal Services (nkek.gov.ua), as shown in Figure 3.

If the victim is using an IP address from Ukraine, the server instead delivers a RAR archive named 53_7.03.2026_R.rar, containing the first stage of the attack named 53_7.03.2026_R.js, a JavaScript file that drops and displays a PDF file as a decoy. Simultaneously, it also executes the second stage: a JavaScript version of the PicassoLoader downloader, known to be used by the group. The first-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 4.

On first execution, the script decodes and displays to the victim the same PDF decoy illustrated in Figure 3, and executes itself with the --update flag to reach the other part of the code; the other flags are not used at all.
During the second execution, the script drops the second-stage downloader (PicassoLoader), which is embedded in the script (encoded using base64) as %AppData%\WinDataScope\Update.js, and downloads a scheduled task template from https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg, as shown in Figure 5.

Despite a JPG image being requested, the server responds with text-based content, using the Content-Type and Content-Disposition headers to advertise an XML attachment from their C&C server hosted behind the Cloudflare infrastructure:
Content-Type: application/xml
Server: cloudflare
Content-Disposition: attachment; filename="config.xml"
To achieve persistence and trigger the first execution of PicassoLoader, the script then replaces the placeholder values in the task template with the data parsed from the response file 1GreenAM.jpg.
The first stage, 53_7.03.2026_R.js, also drops a REG file under %AppData%\WinDataScope as WinUpdate.reg, whose contents are imported into the registry by the PicassoLoader downloader. The PicassoLoader script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 6.

When running, PicassoLoader fingerprints the victim's computer by collecting the username, computer name, OS version, the boot time of the computer, the current time, and the list of running processes with their process IDs (PIDs). Every 10 minutes, the compromised computer's fingerprint is sent to the C&C server via an HTTP POST request to https://book-happy.needbinding[.]icu/employment/documents-and-resources. If the C&C server response content is larger than 100 bytes, the received data is executed using the eval method.
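Three of the behaviours described in the last few paragraphs leave a footprint in ordinary web-proxy logs: a static-looking URL (the JPG) answered with an XML attachment, a fixed 10-minute POST cadence from one host to one URL, and a POST answered with script content larger than the loader's 100-byte threshold. The Python below is an added example showing how to hunt for all three; it is not code from the ESET report or from the malware. The log format, the hostnames (example.test / example.invalid), every log line and the thresholds are constructed for illustration.

```python
"""Hunting in a web-proxy log for the network behaviour described above:
(1) a request for an image/CSS/JS resource answered with a non-matching
    Content-Type or with an attachment Content-Disposition (the JPG URL
    answered as config.xml pattern),
(2) fixed-interval POST beaconing from one client to one URL (the
    10-minute fingerprint upload), and
(3) a POST answered with script content above 100 bytes (the condition
    under which the loader passes the response to eval).
The log format, hostnames and all entries below are constructed for this
example; they do not mirror any particular proxy product."""

import os
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: timestamp client method url status content-type
# content-disposition ("-" if absent) response-bytes
SAMPLE_LOG = """\
2026-03-10T09:00:02Z 10.1.1.25 GET https://cdn.example.test/site/logo.png 200 image/png - 5120
2026-03-10T09:00:05Z 10.1.1.25 GET https://c2.example.invalid/wp-content/uploads/1GreenAM.jpg 200 application/xml attachment;filename="config.xml" 1843
2026-03-10T09:10:04Z 10.1.1.25 POST https://c2.example.invalid/employment/documents-and-resources 200 text/html - 0
2026-03-10T09:20:03Z 10.1.1.25 POST https://c2.example.invalid/employment/documents-and-resources 200 text/html - 0
2026-03-10T09:30:05Z 10.1.1.25 POST https://c2.example.invalid/employment/documents-and-resources 200 text/html - 0
2026-03-10T09:40:04Z 10.1.1.25 POST https://c2.example.invalid/employment/documents-and-resources 200 text/javascript - 9120
2026-03-10T09:01:00Z 10.1.1.30 POST https://intranet.example.test/api/search 200 application/json - 412
2026-03-10T09:17:30Z 10.1.1.30 POST https://intranet.example.test/api/search 200 application/json - 398
2026-03-10T11:02:11Z 10.1.1.30 POST https://intranet.example.test/api/search 200 application/json - 420
2026-03-10T11:05:00Z 10.1.1.30 POST https://intranet.example.test/api/search 200 application/json - 377
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+) (\d+)$")

# Content-Type prefixes an honest server would send for each static extension.
EXPECTED_TYPE = {
    ".jpg": ("image/",), ".jpeg": ("image/",), ".png": ("image/",),
    ".gif": ("image/",), ".svg": ("image/",),
    ".css": ("text/css",),
    ".js": ("text/javascript", "application/javascript", "application/x-javascript"),
}
SCRIPT_TYPES = ("text/javascript", "application/javascript", "application/x-javascript")


def parse_log(text):
    """Turn the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ctype, cdisp, size = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype.lower(),
            "cdisp": "" if cdisp == "-" else cdisp.lower(), "bytes": int(size),
        })
    return events


def url_path(url):
    """Path component without urllib, so defanged hosts like x[.]y still parse."""
    rest = url.split("://", 1)[-1]
    return "/" + rest.partition("/")[2].split("?", 1)[0]


def find_masqueraded_downloads(events):
    """Static-looking URLs whose response is not what the extension promises."""
    hits = []
    for e in events:
        ext = os.path.splitext(url_path(e["url"]))[1].lower()
        if ext not in EXPECTED_TYPE:
            continue
        honest = any(e["ctype"].startswith(p) for p in EXPECTED_TYPE[ext])
        if not honest or "attachment" in e["cdisp"]:
            hits.append(e["url"])
    return hits


def find_periodic_posts(events, min_hits=4, max_jitter=0.1):
    """(client, url, period_s) for POST series whose gaps vary by <= max_jitter."""
    series = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            series[(e["client"], e["url"])].append(e["ts"])
    findings = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((client, url, round(avg)))
    return findings


def find_script_replies_to_posts(events, min_bytes=100):
    """POSTs answered with script content above the loader's 100-byte threshold."""
    return [(e["client"], e["url"], e["bytes"]) for e in events
            if e["method"] == "POST" and e["bytes"] > min_bytes
            and e["ctype"].startswith(SCRIPT_TYPES)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("masqueraded downloads:", find_masqueraded_downloads(evs))
    print("periodic POST series:", find_periodic_posts(evs))
    print("script replies to POST:", find_script_replies_to_posts(evs))
```

The periodicity check uses the coefficient of variation of the inter-request gaps rather than an exact 600-second match, so it still fires on the few-seconds jitter that scheduled-task execution introduces; the intranet search traffic in the sample, with irregular gaps, is left alone. Tune `min_hits` and `max_jitter` to your own baseline.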
The decision whether or not to deliver a payload is very likely made manually by the operators, based on the collected information, to decide if the victim is of interest. If so, the C&C server responds with a third-stage JavaScript dropper for Cobalt Strike; otherwise, it returns an empty response. This third-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 7.

This additional script starts by copying the legitimate rundll32.exe to %ProgramData%\ViberPC.exe, very likely to bypass some security mechanisms or detection rules.
Then, a Cobalt Strike beacon embedded in this stage is base64 decoded and written to disk as %ProgramData%\ViberPC.dll. Finally, persistence is achieved by creating and importing a REG file named ViberPC.reg, which registers in the HKCU Run key a LNK file, named %ProgramData%\ViberPC.lnk, that executes the copied version of rundll32.exe with the command line argument %ProgramData%\ViberPC.dll, calling its DLL export SettingTimeAPI.
The final payload is a Cobalt Strike beacon that contacts its C&C server at https://nama-belakang.nebao[.]icu/statistics/uncover.txt.
Conclusion
FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of various lure documents, evolving lure and downloader variants, and new delivery mechanisms. The newest compromise chain we detected is a continuation of the group's willingness to update and renew its arsenal, trying to evade detection in order to compromise its targets.
The group's campaigns continue to focus on Eastern Europe, with a notable emphasis on the governmental, defense, and key sectors, especially in Poland, Lithuania, and Ukraine, according to ESET telemetry.
The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with manual validation by the operators. Continuous and close monitoring of the group's operations, infrastructure, and toolset changes is essential to detect and mitigate future operations.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 776A43E46C36A539C916 | 53_7.03.2026_R | JS/TrojanDropper.Fr | Lure RAR archive. |
| 8D1F2A6DF51C7783F2EA | 53_7.03.2026_R | JS/TrojanDropper.Fr | JavaScript dropper. |
| B65551D339AECE718EA1 | Update.js | JS/TrojanDownloader | JavaScript PicassoLoader downloader. |
| E15ABEE1CFDE8BE7D87C | Update.js | JS/TrojanDropper.Fr | Cobalt Strike dropper. |
| 43E30BE82D82B24A6496 | ViberPC.dll | Win32/CobaltStrike. | Cobalt Strike beacon. |
| 4F2C1856325372B9B776 | 53_7.03.2026_R | PDF/TrojanDownloade | Lure PDF file. |
| D89E5524E49199B1C3B6 | Certificates.pdf | PDF/TrojanDownloade | Lure PDF file. |
| 7E537D8E91668580A482 | certificates.js | JS/TrojanDownloader | JavaScript PicassoLoader downloader. |
| FA6882672AD365480098 | certificates.js | JS/TrojanDownloader | JavaScript PicassoLoader downloader. |
| 3FA7D1B13542F1A9EB05 | Сетифікат_CAF.rar | JS/TrojanDropper.Fr | Lure RAR archive. |
| 4E52C92709A918383E90 | Сетифікат_CAF.js | JS/TrojanDropper.Fr | JavaScript dropper. |
| 6FDED427A16D5314BA3E | EdgeTaskMachine | JS/TrojanDropper.Fr | JavaScript PicassoLoader downloader. |
| 27FA11F6A1D653779974 | EdgeSystemConfig | Win32/CobaltStrike. | Cobalt Strike beacon. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| N/A | attachment-storage-asset- | N/A | 2026-03-10 | PicassoLoader C&C server. |
| N/A | book-happy.needbinding[.]icu | N/A | 2026-03-10 | PicassoLoader C&C server. |
| N/A | nama-belakang.nebao[.]icu | N/A | 2026-03-10 | Cobalt Strike C&C server. |
| N/A | easiestnewsfromourpointof | N/A | 2026-04-14 | PicassoLoader C&C server. |
| N/A | mickeymousegamesdealer.al | N/A | 2026-03-26 | PicassoLoader C&C server. |
| N/A | hinesafar.sardk[.]icu | N/A | 2026-04-14 | PicassoLoader C&C server. |
| N/A | shinesafar.sardk[.]icu | N/A | 2026-04-14 | PicassoLoader C&C server. |
| N/A | best-seller.lavanill | N/A | 2026-04-14 | Cobalt Strike C&C server. |
MITRE ATT&CK techniques
This table was built using version 18 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583 | Acquire Infrastructure | FrostyNeighbor acquires domains and rents C&C servers. |
| | T1608 | Stage Capabilities | FrostyNeighbor hosts the final payload on a C&C server. |
| | T1588.002 | Obtain Capabilities: Tool | FrostyNeighbor obtained a leaked version of Cobalt Strike to generate payloads. |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | FrostyNeighbor sends a weaponized lure document in email attachments. |
| Execution | T1204.002 | User Execution: Malicious File | FrostyNeighbor tricks its victims into opening or editing a document to gain code execution. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | FrostyNeighbor uses scheduled tasks to achieve persistence. |
| | T1059 | Command and Scripting Interpreter | FrostyNeighbor uses scripting languages such as JavaScript, Visual Basic, and PowerShell. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | FrostyNeighbor uses the registry Run key and the Startup Folder to achieve persistence. |
| Defense Evasion | T1027 | Obfuscated Files or Information | FrostyNeighbor obfuscates scripts and compiled binaries. |
| | T1027.009 | Obfuscated Files or Information: Embedded Payloads | FrostyNeighbor embeds next stages or payloads within the initial lure document. |
| | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | FrostyNeighbor drops malicious files using common Microsoft filenames and locations. |
| Discovery | T1057 | Process Discovery | PicassoLoader collects the list of running processes. |
| | T1082 | System Information Discovery | PicassoLoader collects system and user information. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | FrostyNeighbor uses HTTPS for C&C communication and payload delivery. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | FrostyNeighbor uses HTTPS with Cobalt Strike. |