Fresh mischief and digital shenanigans

This blogpost discusses the latest activities linked to FrostyNeighbor, focusing on governmental organizations in Ukraine. FrostyNeighbor has been carrying out ongoing cyber operations, consistently changing and updating its tools, modifying its compromise chain and techniques to avoid detection – with a particular focus on victims in Eastern Europe, based on our monitoring data.

Key findings from the report:

  • FrostyNeighbor is a persistent cyberespionage actor associated with the interests of Belarus.
  • The group primarily targets governmental, military, and critical sectors in Eastern Europe.
  • This report highlights new activities observed since March 2026, indicating the continuous evolution of tools and compromise chains.
  • FrostyNeighbor validates its victims on the server-side before delivering the final payload.
  • The group has recently been active in campaigns targeting governmental organizations in Ukraine.

Introduction

FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC‑0057, TA445, PUSHCHA, or Storm-0257, is a group reportedly operating from Belarus. According to Mandiant, the group has been active since at least 2016. The majority of FrostyNeighbor’s operations have targeted countries neighboring Belarus, with some observed in other European countries. FrostyNeighbor conducts campaigns involving spearphishing, disinformation dissemination, and attempts to influence their targets (such as the Ghostwriter influence activity), while also compromising various governmental and private sector entities, particularly focusing on Ukraine, Poland, and Lithuania.

FrostyNeighbor has shown an evolution in its tactics, techniques, and procedures (TTPs) over time, utilizing a range of malware and delivery methods to target entities. Significant developments include deploying multiple variants of the group’s main payload downloader, known as PicassoLoader by CERT-UA. These variants are written in .NET, PowerShell, JavaScript, and C++. The loader takes its name from the way it retrieves a Cobalt Strike beacon that is disguised as a renderable image or concealed in web-related file types such as CSS, JS, or SVG. Cobalt Strike is a post-exploitation framework widely used by both penetration testers and threat actors; its beacon serves as an initial implant that gives complete control over the compromised victim’s system.

Furthermore, the group employs various bait documents to compromise targets, including CHM, XLS, PPT, or DOC files, and has exploited the WinRAR vulnerability CVE‑2023‑38831. FrostyNeighbor has also utilized legitimate services like Slack for payload delivery, and Canarytokens for tracking victims, making detection and attribution more challenging.

While the focus of Ukrainian targeting seems to be on military, defense, and governmental entities, victimology in Poland and Lithuania is broader, encompassing sectors like industrial, healthcare, logistics, and many governmental organizations. Given that this report is based on our monitoring data, the possibility of other campaigns targeting entities in neighboring countries cannot be ruled out.

FrostyNeighbor has conducted spearphishing campaigns targeting users of Polish organizations, particularly concentrating on major free email providers such as Interia Poczta and Onet Poczta. These campaigns included spoofed login pages designed to gather credentials. Additionally, CERT-PL reported that the group exploited the CVE‑2024‑42009 XSS vulnerability in Roundcube, enabling JavaScript execution upon opening weaponized email messages to extract victim credentials. This illustrates the group’s focus on both malware compromise and credential harvesting.

Past reports

FrostyNeighbor’s campaigns have been ongoing for years and have been extensively documented over time. Some of these reports include findings from July 2024, when CERT-UA reported an increase in activity attributed to the group targeting Ukrainian governmental entities. In February 2025, SentinelOne documented heightened activity targeting the Ukrainian government and opposition activists in Belarus, utilizing new adaptations of previously observed payloads.

In August 2025, HarfangLab noted new clusters of activity involving malicious archives in specific compromise chains to target Ukrainian and Polish entities. Finally, in December 2025, StrikeReady documented a novel anti-analysis technique involving dynamic CAPTCHAs that victims had to solve, executed by a VBA macro in the bait document.

Newly identified activity

Since March 2026, we have identified new activities attributed to FrostyNeighbor, utilizing links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. This latest compromise chain employs a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload, as depicted in Figure 1.

Figure 1. Compromise chain overview

It commences with a deceptive lure PDF file named 53_7.03.2026_R.pdf, styled to imitate a notice from the Ukrainian telecommunications company Ukrtelecom, with a message claiming to “guarantee reliable protection of customer data” (machine translated), along with a download button linking to a document hosted on a server controlled by the group.

Figure 2. PDF lure document with a remote download link

If the victim’s IP address is not from the expected location, the server delivers a harmless PDF file with the same name, 53_7.03.2026_R.pdf, related to electronic communications regulations from 2024 to 2026 by Ukraine’s National Commission for the State Regulation of Electronic Communications, Radio Frequency Spectrum, and the Provision of Postal Services (nkek.gov.ua), as shown in Figure 3.

Figure 3. Decoy PDF file related to strategic priorities and regulations in the field of electronic communications

If the victim’s IP address is from Ukraine, the server delivers a RAR archive named 53_7.03.2026_R.rar, containing the initial stage of the attack named 53_7.03.2026_R.js – a JavaScript file that drops and displays a PDF file as a decoy, while concurrently executing the second stage: a JavaScript version of the PicassoLoader downloader, commonly used by the group.

The initial script, shown here after being cleaned up and made more readable, behaves differently on its first and second executions. When first executed, it decodes and displays a PDF decoy to the victim, then re-launches itself with the “–update” flag to reach the second code path. During that second execution, it drops the second-stage downloader (PicassoLoader) and downloads a scheduled task template from a specific URL.

Although the request is for a JPG image, the server responds with text content. The script then replaces placeholder values in the task template with data parsed from that response. The script also drops a REG file in a specific location; its contents are later imported into the registry by the PicassoLoader downloader.

PicassoLoader collects information about the victim’s computer and sends it to the C&C server every 10 minutes. Depending on the response, a payload may be delivered. The C&C server can respond with a third-stage JavaScript dropper for Cobalt Strike.

The third-stage script copies a legitimate executable to a different location, decodes and writes a Cobalt Strike beacon to disk, and achieves persistence by creating and importing a REG file. The final payload is a Cobalt Strike beacon that contacts its C&C server.
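As an added illustration of how a defender could surface the host-side chain described above (this is not code from ESET or from the report), the following Python scores constructed process-creation events for the combination of a script host running a .js from an archive-extraction folder, the same script re-launched with an extra argument, a REG file import, and scheduled task creation. The event layout, user paths, REG file name and task name are assumptions.

```python
# Added example (not from the report): score the host-side chain on constructed
# process-creation events. Event shape (pid, ppid, image, cmdline) is an
# assumption; paths, REG file name and task name are constructed, not real.
import re
from collections import defaultdict

SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
JS_ARG = re.compile(r'"?([^"\s]+\.js)"?', re.I)

# Constructed telemetry: .js run from a RAR temp folder, re-launched with a
# flag, then reg.exe import and schtasks creation under the second instance.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa\53_7.03.2026_R.js"'},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa\53_7.03.2026_R.js" –update'},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe import C:\Users\u\AppData\Roaming\persist.reg"},
    {"pid": 13, "ppid": 11, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /xml C:\Users\u\AppData\Roaming\task.xml"},
]

def root_of(ev, by_pid):
    """Walk parent links up to the outermost script-host process we have seen."""
    while ev["ppid"] in by_pid and SCRIPT_HOST.search(by_pid[ev["ppid"]]["image"]):
        ev = by_pid[ev["ppid"]]
    return ev["pid"]

def analyze(events, min_hits=3):
    """Return {root_pid: sorted indicator names} for chains with >= min_hits."""
    by_pid = {e["pid"]: e for e in events}
    hits, first_js = defaultdict(set), {}
    for e in events:
        root, cmd, img = root_of(e, by_pid), e["cmdline"], e["image"].lower()
        if SCRIPT_HOST.search(img):
            m = JS_ARG.search(cmd)
            if not m:
                continue
            js = m.group(1).lower()
            if "\\temp\\" in js or "\\rar$" in js:
                hits[root].add("js_from_temp_or_archive")
            if first_js.setdefault(root, js) == js and e["pid"] != root:
                tail = cmd.lower().split(js, 1)[1].strip(' "')
                if tail:  # same script re-launched with an added argument
                    hits[root].add("self_reexec_with_args")
        elif img.endswith("\\reg.exe") and re.search(r"\bimport\b.*\.reg\b", cmd, re.I):
            hits[root].add("reg_import")
        elif img.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            hits[root].add("schtasks_create")
    return {r: sorted(h) for r, h in hits.items() if len(h) >= min_hits}
```

A single .js launched from a temp folder with no follow-on activity stays below the threshold, so the score only fires when several stages of the chain are observed together.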

FrostyNeighbor is a persistent threat actor targeting Eastern Europe, specifically governmental, defense, and key sectors. Detection and monitoring of their operations are crucial in mitigating future attacks.

For inquiries about our research or private APT intelligence reports, contact threatintel@eset.com. ESET Research offers additional services for threat intelligence. If you have any questions regarding this service, feel free to explore the ESET Threat Intelligence page.

IoCs

If you are looking for a detailed list of indicators of compromise (IoCs) and samples, you can access our GitHub repository.

Files

SHA-1 | Filename | Detection | Description
776A43E46C36A539C916ED426745EE96E2392B39 | 53_7.03.2026_R.rar | JS/TrojanDropper.FrostyNeighbor.E | Lure RAR archive.

Network

IP | Domain | Hosting provider | First seen | Details
N/A | attachment-storage-asset-static.needbinding[.]icu | N/A | 2026-03-10 | PicassoLoader C&C server.

MITRE ATT&CK techniques

To understand the tactics and techniques used, refer to the MITRE ATT&CK framework. This table is based on version 18 of the framework.

Tactic | ID | Name | Description
Resource Development | T1583 | Acquire Infrastructure | FrostyNeighbor acquires domain names and rents C&C servers.
