FrostyNeighbor: Fresh mischief and digital shenanigans
ESET reports FrostyNeighbor cyberespionage group updates toolset targeting Ukrainian government.
Summary
ESET researchers documented new cyberespionage activities attributed to FrostyNeighbor (also known as Ghostwriter, UNC1151, and Storm-0257), a Belarus-aligned threat actor targeting governmental and military organizations in Ukraine and Eastern Europe. Since March 2026, the group has deployed updated compromise chains using JavaScript variants of PicassoLoader to deliver Cobalt Strike beacons, employing spearphishing with weaponized PDFs impersonating Ukrainian telecommunications companies and geolocation-based server-side validation of victims to evade detection. The group continues evolving its tactics across multiple document formats and exploits (including CVE-2023-38831 and CVE-2024-42009), while abusing legitimate services like Slack and Canarytokens.
Full text
This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, regularly changing and updating its toolset, compromise chain, and methods to evade detection, and targeting victims located in Eastern Europe, according to our telemetry.

Key points of the report:
- FrostyNeighbor is a long-running cyberespionage actor apparently aligned with the interests of Belarus.
- The group primarily targets governmental, military, and key sectors in Eastern Europe.
- This report documents new activity observed that started in March 2026, showing continued evolution of tooling and compromise chains.
- FrostyNeighbor uses server-side validation of its victims before delivering the final payload.
- The group has been active recently in campaigns targeting governmental organizations in Ukraine.

Introduction
FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, or Storm-0257, is a group allegedly operating from Belarus. According to Mandiant, the group has been active since at least 2016. The majority of FrostyNeighbor’s operations have targeted countries neighboring Belarus; a small minority have been observed in other European countries. FrostyNeighbor performs campaigns that utilize spearphishing, spread disinformation, and attempt to influence their targets (like the Ghostwriter influence activity), but it has also compromised a variety of governmental and private sector entities, with a focus on Ukraine, Poland, and Lithuania.

FrostyNeighbor has demonstrated a continued evolution in its tactics, techniques, and procedures (TTPs), leveraging over time a diverse arsenal of malware and delivery mechanisms to target entities. Key developments include the deployment of multiple variants of the group’s main payload downloader, named PicassoLoader by CERT-UA. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++. The name comes from the fact that it retrieves a Cobalt Strike beacon, from an attacker-controlled environment, disguised as a renderable image or hidden in a web-associated file type, like CSS, JS, or SVG. Cobalt Strike is a post-exploitation framework widely used both by pentesters and threat actors, and its associated beacon acts as an initial implant, allowing the attacker to fully control the compromised victim’s computer.

Moreover, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC, and it has exploited the WinRAR vulnerability CVE-2023-38831. FrostyNeighbor has also exploited legitimate services such as Slack for payload delivery, and Canarytokens for victim tracking, complicating detection and attribution efforts.

While Ukrainian targeting seems to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations. As this report is solely based on our telemetry, other campaigns against entities in countries in the same region cannot be excluded.

FrostyNeighbor has conducted spearphishing campaigns targeting users of Polish organizations, focusing on major free email providers such as Interia Poczta and Onet Poczta. These campaigns included spoofed login pages designed to harvest credentials. Additionally, CERT-PL reported that the group exploited the CVE-2024-42009 XSS vulnerability in Roundcube, which enables JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim’s credentials. This reflects the group’s effort in both malware compromise and credential harvesting.

Past publications
FrostyNeighbor’s campaigns have been active for years and have therefore been widely documented publicly over time. Some of these include reports from July 2024, when CERT-UA reported a surge of activity attributed to the group, targeting Ukrainian governmental entities. In February 2025, SentinelOne documented a surge of activity targeting the Ukrainian government and opposition activists in Belarus, using new adaptations of previously observed payloads. In August 2025, HarfangLab observed new clusters of activity that involved malicious archives in specific compromise chains to target Ukrainian and Polish entities. Finally, in December 2025, StrikeReady documented a new anti-analysis technique, using dynamic CAPTCHAs that the victims had to solve, executed by a VBA macro in the lure document.

Newly discovered activity
Since March 2026, we have detected new activities that we attributed to FrostyNeighbor, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. The compromise chain is the newest observed to date, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload, as illustrated in Figure 1.

Figure 1. Compromise chain overview

It starts with a blurry lure PDF file named 53_7.03.2026_R.pdf, shown in Figure 2, impersonating the Ukrainian telecommunications company Ukrtelecom, with a message that it purportedly “guarantees reliable protecting of customer data” (machine translated), and a download button with a link leading to a document hosted on a delivery server controlled by the group.

Figure 2. PDF lure document with a remote download link

If the victim is not from the expected geographic location, the server delivers a benign PDF file with the same name, 53_7.03.2026_R.pdf, related to regulations in the field of electronic communications from 2024 to 2026 from Ukraine’s National Commission for the State Regulation of Electronic Communications, Radio Frequency Spectrum and the Provision of Postal Services (nkek.gov.ua), as shown in Figure 3.

Figure 3. Decoy PDF file related to strategic priorities and regulations in the field of electronic communications

If the victim is using an IP address from Ukraine, the server instead delivers a RAR archive named 53_7.03.2026_R.rar, containing the first stage of the attack, named 53_7.03.2026_R.js: a JavaScript file that drops and displays a PDF file as a decoy. Simultaneously, it also executes the second stage, a JavaScript version of the PicassoLoader downloader, known to be used by the group. The first-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 4.

Figure 4. First-stage JavaScript dropper 53_7.03.2026_R.js

On first execution, the script decodes and displays to the victim the same PDF decoy illustrated in Figure 3, and executes itself with the --update flag to reach the other section of the code; the other flags are not used at all. During the second execution, the script drops the second-stage downloader (PicassoLoader), which is embedded in the script (encoded using base64), as %AppData%\WinDataScope\Update.js, and downloads a scheduled task template from https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg, as shown in Figure 5.

Figure 5. Scheduled task template downloaded from the C&C server

Despite a JPG image being requested, the server responds with text-based content, using the Content-Type and Content-Disposition headers to advertise an XML attachment from their C&C server hosted behind the Cloudflare infrastructure:

Content-Type: application/xml
Server: cloudflare
Content-Disposition: attachment; filename="config.xml"

To achieve persistence and trigger the first execution of PicassoLoader, the script then replaces the placeholder values in the task template with the data parsed from the response file 1GreenAM.jpg: <StartBoundary></StartBoundary>, <Command>1</Command>, and <Arguments>1</Arguments>.

The first stage, 53_7.03.2026_R.js, also drops a REG file under %AppData%\WinDataScope as WinUpdate.reg, whose contents are imported into the registry by the PicassoLoader downloader.

The PicassoLoader script
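Two of the artifacts described above give defenders concrete things to hunt for: an image URL whose response advertises an XML attachment, and a scheduled task whose template placeholders have been filled in with a script launched from a user-writable directory. The following Python is an added example, not ESET's code and not the group's template: the proxy log format (method, URL, status, Content-Type, Content-Disposition) and the task XML are constructed for this illustration, and the only value taken from the report is the defanged 1GreenAM.jpg URL.

```python
"""Defensive review of two artifacts from the FrostyNeighbor chain (added example).

1. Proxy log review: a request for an image whose response is not an image
   (e.g. Content-Type: application/xml, Content-Disposition: filename="config.xml").
2. Scheduled-task XML review: a task that launches a script host against a
   script under %AppData%, or still carries the unfilled template placeholders.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}

# Constructed log lines (hypothetical format): method url status content-type disposition.
# The disposition field is "-" when the response carried no Content-Disposition header.
SAMPLE_PROXY_LOG = [
    "GET https://cdn.example.invalid/img/logo.png 200 image/png -",
    "GET https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg "
    '200 application/xml attachment;filename="config.xml"',
    'GET https://files.example.invalid/report.pdf 200 application/pdf attachment;filename="report.pdf"',
    "GET https://cdn.example.invalid/banner.jpg 200 image/jpeg inline",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (.*)$")
FILENAME_RE = re.compile(r'filename="?([^";]+)"?', re.IGNORECASE)


def flag_masqueraded_image_responses(lines):
    """Return (url, reason) pairs for responses whose type contradicts the image URL requested."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, url, _, ctype, disposition = m.groups()
        # Refang "[.]" so urlsplit accepts the host; the original string is what gets reported.
        ext = PurePosixPath(urlsplit(url.replace("[.]", ".")).path).suffix.lower()
        if ext not in IMAGE_EXTENSIONS:
            continue
        if not ctype.lower().startswith("image/"):
            findings.append((url, f"image URL answered with Content-Type {ctype}"))
            continue
        fn = FILENAME_RE.search(disposition)
        if fn and PurePosixPath(fn.group(1)).suffix.lower() not in IMAGE_EXTENSIONS:
            findings.append((url, f"image URL served as attachment {fn.group(1)}"))
    return findings


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\users\\public\\")

# Constructed task definition in the shape of the template the report describes,
# with the three placeholders already substituted by the dropper.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2026-03-10T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%AppData%\\WinDataScope\\Update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def review_task_xml(xml_text):
    """Return the reasons a scheduled-task definition deserves a closer look (empty if none)."""
    reasons = []
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the task-schema namespace
        if name in ("StartBoundary", "Command", "Arguments"):
            values[name] = (el.text or "").strip()
    cmd, args = values.get("Command", ""), values.get("Arguments", "")
    if values.get("StartBoundary", "") == "" or cmd == "1" or args == "1":
        reasons.append("unfilled template placeholders (empty StartBoundary or literal '1')")
    combined = f"{cmd} {args}".lower()
    if PurePosixPath(cmd.lower().replace("\\", "/")).name in SCRIPT_HOSTS:
        reasons.append(f"script host used as task command: {cmd}")
    if any(p in combined for p in USER_WRITABLE):
        reasons.append("command or arguments point into a user-writable directory")
    if re.search(r"\.(js|jse|vbs|vbe|hta|ps1)\b", combined):
        reasons.append("task launches a script file")
    return reasons


if __name__ == "__main__":
    for url, reason in flag_masqueraded_image_responses(SAMPLE_PROXY_LOG):
        print(f"[proxy] {url}: {reason}")
    for reason in review_task_xml(SAMPLE_TASK_XML):
        print(f"[task] {reason}")
```

Both checks are deliberately content-agnostic: the first only compares the requested extension with the advertised type and attachment name, so it also catches the CSS, JS, or SVG disguises the group has used in other variants, and the second flags the template shape (a script host, a script under %AppData%, or leftover placeholder values) rather than the specific file names from this campaign.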
Indicators of Compromise
- cve — CVE-2023-38831
- cve — CVE-2024-42009
- malware — PicassoLoader
- malware — Cobalt Strike