惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Know Your Adversary
Know Your Adversary
S
Securelist
I
Intezer
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
P
Privacy International News Feed
Recent Announcements
Recent Announcements
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Attack and Defense Labs
Attack and Defense Labs
N
News and Events Feed by Topic
The GitHub Blog
The GitHub Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Schneier on Security
Schneier on Security
N
Netflix TechBlog - Medium
爱范儿
爱范儿
B
Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CERT Recently Published Vulnerability Notes
Hacker News: Ask HN
Hacker News: Ask HN
Google DeepMind News
Google DeepMind News
Engineering at Meta
Engineering at Meta
Blog — PlanetScale
Blog — PlanetScale
WordPress大学
WordPress大学
S
Secure Thoughts
K
Kaspersky official blog
N
News | PayPal Newsroom
O
OpenAI News
Last Week in AI
Last Week in AI
C
Check Point Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Cyberwarzone
Cyberwarzone
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Tor Project blog
大猫的无限游戏
大猫的无限游戏
Vercel News
Vercel News
D
Docker
Hugging Face - Blog
Hugging Face - Blog
T
Threat Research - Cisco Blogs
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
博客园 - 司徒正美
Martin Fowler
Martin Fowler
人人都是产品经理
人人都是产品经理
P
Palo Alto Networks Blog

WeLiveSecurity

Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
FrostyNeighbor: Fresh mischief and digital shenanigans
Damien Schaeffer · 2026-05-14 · via WeLiveSecurity

This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe, according to our telemetry.

Key points of the report:

  • FrostyNeighbor is a long-running cyberespionage actor apparently aligned with the interests of Belarus.
  • The group primarily targets governmental, military, and key sectors in Eastern Europe.
  • This report documents new activity observed that started in March 2026, showing continued evolution of tooling and compromise chains.
  • FrostyNeighbor uses server-side validation of its victims before delivering the final payload.
  • The group has been active recently in campaigns targeting governmental organizations in Ukraine.

Introduction

FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC‑0057, TA445, PUSHCHA, or Storm-0257, is a group allegedly operating from Belarus. According to Mandiant, the group has been active since at least 2016. The majority of FrostyNeighbor’s operations have targeted countries neighboring Belarus; a small minority have been observed in other European countries. FrostyNeighbor performs campaigns that utilize spearphishing, spread disinformation, and attempt to influence their targets (like the Ghostwriter influence activity) but has also compromised a variety of governmental and private sector entities, with a focus on Ukraine, Poland, and Lithuania.

FrostyNeighbor has demonstrated a continued evolution in its tactics, techniques, and procedures (TTPs), leveraging over time a diverse arsenal of malware and delivery mechanisms to target entities. Key developments include the deployment of multiple variants of the group’s main payload downloader, named PicassoLoader by CERT-UA. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++. The name comes from the fact that it retrieves a Cobalt Strike beacon, from an attacker-controlled environment, disguised as a renderable image or hidden in a web-associated file type, like CSS, JS, or SVG. Cobalt Strike is a post-exploitation framework widely used both by pentesters and threat actors, and its associated beacon acts as an initial implant, allowing the attacker to fully control the compromised victim’s computer.

Moreover, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC, and it has exploited the WinRAR vulnerability CVE‑2023‑38831. FrostyNeighbor has also exploited legitimate services such as Slack for payload delivery, and Canarytokens for victim tracking, complicating detection and attribution efforts.

While Ukrainian targeting seems to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations. As this report is solely based on our telemetry, other campaigns against entities in countries in the same region cannot be excluded.

FrostyNeighbor has conducted spearphishing campaigns targeting users of Polish organizations, focusing on major free email providers such as Interia Poczta and Onet Poczta. These campaigns included spoofed login pages designed to harvest credentials. Additionally, CERT-PL reported that the group exploited the CVE‑2024‑42009 XSS vulnerability in Roundcube, which enables JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim’s credentials. This reflects the group’s effort in both malware compromise and credential harvesting.

Past publications

FrostyNeighbor’s campaigns have been active for years and have therefore been widely documented publicly over time. Some of these include reports from July 2024, when CERT-UA reported about a surge of activity attributed to the group, targeting Ukrainian governmental entities. In February 2025, SentinelOne documented a surge of activity targeting Ukrainian government and opposition activists in Belarus, using new adaptations of previously observed payloads.

In August 2025, HarfangLab observed new clusters of activity that involved malicious archives in specific compromise chains to target Ukrainian and Polish entities. Finally, in December 2025, StrikeReady documented a new anti-analysis technique, using dynamic CAPTCHAs that the victims had to solve, executed by a VBA macro in the lure document.

Newly discovered activity

Since March 2026, we have detected new activities that we attributed to FrostyNeighbor, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. The compromise chain is the newest observed to date, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload, as illustrated in Figure 1.

Figure 1. Compromise chain overview (2)
Figure 1. Compromise chain overview

It starts with a blurry lure PDF file named 53_7.03.2026_R.pdf, shown in Figure 2, impersonating the Ukrainian telecommunications company Ukrtelecom, with a message that it purportedly “guarantees reliable protecting of customer data” (machine translated), and a download button with a link leading to a document hosted on a delivery server controlled by the group.

Figure 2. PDF lure document with a remote download link
Figure 2. PDF lure document with a remote download link

If the victim is not from the expected geographic location, the server delivers a benign PDF file with the same name, 53_7.03.2026_R.pdf, related to regulations in the field of electronic communications from 2024 to 2026 from Ukraine’s National Commission for the State Regulation of Electronic Communications, Radio Frequency Spectrum and the Provision of Postal Services (nkek.gov.ua), as shown in Figure 3.

Figure 3. Decoy PDF file
Figure 3. Decoy PDF file related to strategic priorities and regulations in the field of electronic communications

If the victim is using an IP address from Ukraine, the server instead delivers a RAR archive named 53_7.03.2026_R.rar, containing the first stage of the attack named 53_7.03.2026_R.js – a JavaScript file that drops and displays a PDF file as a decoy. Simultaneously, it also executes the second stage: a JavaScript version of the PicassoLoader downloader, known to be used by the group. The first-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 4.

Figure 4. First-stage JavaScript dropper 53_7.03.2026_R.js
Figure 4. First-stage JavaScript dropper 53_7.03.2026_R.js

On first execution, the script decodes and displays to the victim the same PDF decoy illustrated in Figure 3, and executes itself with the ‑‑update flag to reach the other section of the code; the other flags are not used at all.

During the second execution, the script drops the second-stage downloader (PicassoLoader), which is embedded in the script (encoded using base64) as %AppData%\WinDataScope\Update.js, and downloads a scheduled task template from https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg, as shown in Figure 5.

Figure 5. Scheduled task template downloaded from the C&C server
Figure 5. Scheduled task template downloaded from the C&C server

Despite a JPG image being requested, the server responds with text-based content, using the Content-Type and Content-Disposition headers to advertise an XML attachment from their C&C server hosted behind the Cloudflare infrastructure:

Content-Type: application/xml
Server: cloudflare
Content-Disposition: attachment; filename="config.xml"

To achieve persistence and trigger the first execution of PicassoLoader, the script then replaces the placeholder values with the data parsed from the response file 1GreenAM.jpg:

  • <StartBoundary></StartBoundary>,
  • <Command>1</Command>, and
  • <Arguments>1</Arguments>.

The first stage, 53_7.03.2026_R.js, also drops a REG file under %AppData%\WinDataScope as WinUpdate.reg, whose contents are imported into the registry by the PicassoLoader downloader. The PicassoLoader script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 6.

Figure 6. Second-stage JavaScript PicassoLoader downloader
Figure 6. Second-stage JavaScript PicassoLoader downloader

When running, PicassoLoader fingerprints the victim’s computer by collecting the username, computer name, OS version, the boot time of the computer, the current time, and the list of running processes with their process IDs (PIDs). Every 10 minutes, the compromised computer’s fingerprint is sent to the C&C server via an HTTP POST request to https://book-happy.needbinding[.]icu/employment/documents-and-resources. If the C&C server response content is larger than 100 bytes, the received data is executed using the eval method.

The decision whether or not to deliver a payload is very likely manually performed by the operators, based on the collected information to decide if the victim is of interest. If they are, the C&C server responds with a third-stage JavaScript dropper for Cobalt Strike; otherwise, it returns an empty response. This third-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure 7.

Figure 7. Third-stage Cobalt Strike dropper
Figure 7. Third-stage Cobalt Strike dropper

This additional script starts by copying the legitimate rundll32.exe to %ProgramData%\ViberPC.exe, very likely to bypass some security mechanisms or detection rules.

Then, a Cobalt Strike beacon embedded in this stage is base64 decoded and written to disk as %ProgramData%\ViberPC.dll. Finally, persistence is achieved by creating and importing a REG file named ViberPC.reg, which registers in the HKCU Run key a LNK file, named %ProgramData%\ViberPC.lnk, that executes the copied version of rundll32.exe with the command line argument %ProgramData%\ViberPC.dll, calling its DLL export SettingTimeAPI.

The final payload is a Cobalt Strike beacon that contacts its C&C server at https://nama-belakang.nebao[.]icu/statistics/discover.txt.

Conclusion

FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms. This newest compromise chain we detected is a continuation of the group’s willingness to update and renew its arsenal, trying to evade detection to compromise its targets.

The group’s campaigns continue to focus on Eastern Europe, with a notable emphasis on the governmental, defense, and key sectors, especially in Poland, Lithuania, and Ukraine, according to ESET telemetry.

The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with the manual validation by the operators. Continuous and close monitoring of the group’s operations, infrastructure, and toolset changes is essential to detect and mitigate future operations.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA‑1 Filename Detection Description
776A43E46C36A539C916ED426745EE96E2392B39 53_7.03.2026_R.rar JS/TrojanDropper.FrostyNeighbor.E Lure RAR archive.
8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F 53_7.03.2026_R.js JS/TrojanDropper.FrostyNeighbor.E JavaScript dropper.
B65551D339AECE718EA1465BF3542C794C445EFC Update.js JS/TrojanDownloader.FrostyNeighbor.D JavaScript PicassoLoader downloader.
E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906 Update.js JS/TrojanDropper.FrostyNeighbor.D Cobalt Strike dropper.
43E30BE82D82B24A6496F6943ECB6877E83F88AB ViberPC.dll Win32/CobaltStrike.Beacon.S Cobalt Strike beacon.
4F2C1856325372B9B7769D00141DBC1A23BDDD14 53_7.03.2026_R.pdf PDF/TrojanDownloader.FrostyNeighbor.D Lure PDF document.
D89E5524E49199B1C3B66C524E7A63C3F0A0C199 Certificate.pdf PDF/TrojanDownloader.FrostyNeighbor.E Lure PDF document.
7E537D8E91668580A482BD77A5A4CABA26D6BDAC certificate.js JS/TrojanDownloader.FrostyNeighbor.G JavaScript PicassoLoader downloader.
FA6882672AD3654800987613310D7C3FBADE027E certificate.js JS/TrojanDownloader.FrostyNeighbor.E JavaScript PicassoLoader downloader.
3FA7D1B13542F1A9EB054111F9B69C250AF68643 Сетифікат_CAF.rar JS/TrojanDropper.FrostyNeighbor.G Lure RAR archive.
4E52C92709A918383E90534052AAA257ACE2780C Сетифікат_CAF.js JS/TrojanDropper.FrostyNeighbor.G JavaScript dropper.
6FDED427A16D5314BA3E1EB9AFD120DC84449769 EdgeTaskMachine.js JS/TrojanDropper.FrostyNeighbor.F JavaScript PicassoLoader downloader.
27FA11F6A1D653779974B6FB54DE4AF47F211232 EdgeSystemConfig.dll Win32/CobaltStrike.Beacon.S Cobalt Strike beacon.

Network

IP Domain Hosting provider First seen Details
N/A attachment-storage-asset-static.needbinding[.]icu N/A 2026‑03‑10 PicassoLoader C&C server.
N/A book-happy.needbinding[.]icu N/A 2026‑03‑10 PicassoLoader C&C server.
N/A nama-belakang.nebao[.]icu N/A 2026‑03‑10 Cobalt Strike C&C server.
N/A easiestnewsfromourpointofview.algsat[.]icu N/A 2026‑04‑14 PicassoLoader C&C server.
N/A mickeymousegamesdealer.alexavegas[.]icu N/A 2026‑03‑26 PicassoLoader C&C server.
N/A hinesafar.sardk[.]icu N/A 2026‑04‑14 PicassoLoader C&C server.
N/A shinesafar.sardk[.]icu N/A 2026‑04‑14 PicassoLoader C&C server.
N/A best-seller.lavanille[.]buzz N/A 2026‑04‑14 Cobalt Strike C&C server.

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

Tactic ID Name Description
Resource Development T1583 Acquire Infrastructure FrostyNeighbor acquires domain names and rents C&C servers.
T1608 Stage Capabilities FrostyNeighbor hosts the final payload on a C&C server.
T1588.002 Obtain Capabilities: Tool FrostyNeighbor obtained a leaked version of Cobalt Strike to generate payloads.
Initial Access T1566.001 Phishing: Spearphishing Attachment FrostyNeighbor sends a weaponized lure document in email attachments.
Execution T1204.002 User Execution: Malicious File FrostyNeighbor tricks its victims into opening or editing a document to gain code execution.
T1053.005 Scheduled Task/Job: Scheduled Task FrostyNeighbor uses scheduled tasks to achieve persistence.
T1059 Command and Scripting Interpreter FrostyNeighbor uses scripting languages such as JavaScript, Visual Basic, and PowerShell.
Persistence T1060 Registry Run Keys / Startup Folder FrostyNeighbor uses the registry Run key and the Startup Folder to achieve persistence.
Defense Evasion T1027 Obfuscated Files or Information FrostyNeighbor obfuscates scripts and compiled binaries.
T1027.009 Obfuscated Files or Information: Embedded Payloads FrostyNeighbor embeds next stages or payloads inside the initial lure document.
T1036.005 Masquerading: Match Legitimate Resource Name or Location FrostyNeighbor drops malicious files using common Microsoft filenames and locations.
Discovery T1057 Process Discovery PicassoLoader collects the list of running processes.
T1082 System Information Discovery PicassoLoader collects system and user information.
Command and Control T1071.001 Application Layer Protocol: Web Protocols FrostyNeighbor uses HTTPS for C&C communication and payload delivery.
Exfiltration T1041 Exfiltration Over C2 Channel FrostyNeighbor uses HTTPS with Cobalt Strike.