MONTREAL and BRATISLAVA, Slovakia, May 14, 2026 (GLOBE NEWSWIRE) -- ESET Research has uncovered new activity by the Belarus-aligned threat group FrostyNeighbor targeting governmental organizations in Ukraine. According to ESET telemetry, FrostyNeighbor runs continual cyberoperations against victims in Eastern Europe, regularly updating its toolset, its compromise chain and its methods to evade detection. The ultimate aim of the attacks is espionage.
Since March 2026, ESET has detected new FrostyNeighbor activity that relies on links embedded in malicious PDFs delivered as spearphishing attachments. This compromise chain is the newest iteration observed to date: a JavaScript version of PicassoLoader delivers a Cobalt Strike payload.
The attack starts with a deliberately blurred lure PDF impersonating the Ukrainian telecommunications company Ukrtelecom. It carries a message that the company purportedly “guarantees reliable protecting of customer data” and a download button whose link points to a document hosted on a delivery server controlled by the group. If the victim's request comes from a Ukrainian IP address, the server serves a malicious RAR archive instead of the advertised document. The archive contains a JavaScript file that drops and displays a PDF as a decoy while also executing the second stage: a JavaScript version of the PicassoLoader downloader.
When it runs, PicassoLoader fingerprints the victim's computer, collecting the username, computer name, OS version, boot time, current time, and the list of running processes with their process IDs (PIDs). The fingerprint is sent to the C&C server every 10 minutes. The decision of whether to deliver a payload is likely made manually by the operators, based on the collected information, so that only victims of interest receive one. If a victim is of interest, the C&C server responds with a third-stage JavaScript dropper for Cobalt Strike, which provides the cyberespionage capabilities.
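The 10-minute check-in described above is a detectable signal in its own right, whether or not a payload is ever delivered. The script below is an added example (not ESET's code and not taken from the report) that flags source/destination pairs in a web proxy log whose request intervals are nearly constant. The log format, IP addresses and the destination hostname `cdn-updates.example` are constructed placeholders for illustration, not indicators from the campaign.

```python
"""Spot fixed-interval beaconing in a web proxy log.

Added example, not ESET's code. Log format, hosts and addresses are
constructed placeholders, not indicators from the FrostyNeighbor report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <method> <host> <path> <status>".
# 10.0.0.5 checks in with one destination roughly every 600 s (timer-driven beacon);
# 10.0.0.7 reaches the same destination at irregular, human-browsing intervals.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z 10.0.0.5 POST cdn-updates.example /api/ping 200
2026-03-10T09:01:10Z 10.0.0.7 GET cdn-updates.example / 200
2026-03-10T09:02:45Z 10.0.0.7 GET cdn-updates.example /news 200
2026-03-10T09:05:00Z 10.0.0.5 GET intranet.corp.example /home 200
2026-03-10T09:10:01Z 10.0.0.5 POST cdn-updates.example /api/ping 200
2026-03-10T09:20:00Z 10.0.0.7 GET cdn-updates.example /news 200
2026-03-10T09:20:03Z 10.0.0.5 POST cdn-updates.example /api/ping 200
2026-03-10T09:21:30Z 10.0.0.7 GET cdn-updates.example /about 200
2026-03-10T09:30:02Z 10.0.0.5 POST cdn-updates.example /api/ping 200
2026-03-10T09:40:02Z 10.0.0.5 POST cdn-updates.example /api/ping 200
2026-03-10T09:50:00Z 10.0.0.7 GET cdn-updates.example / 200
2026-03-10T09:50:01Z 10.0.0.5 POST cdn-updates.example /api/ping 200
"""


def parse_log(text):
    """Yield (timestamp, src, host) tuples; malformed lines are skipped rather than trusted."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[3]


def find_beacons(text, min_requests=5, max_cv=0.1, min_interval=60):
    """Return (src, host, mean_interval_s, cv) for pairs whose inter-request gaps
    are nearly constant. cv is the coefficient of variation (stdev / mean): a
    browsing session scores high, a timer-driven check-in scores close to zero."""
    by_pair = defaultdict(list)
    for ts, src, host in parse_log(text):
        by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue  # sub-minute bursts are page loads, not check-ins
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, host, avg, cv))
    return findings


if __name__ == "__main__":
    for src, host, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {host}: ~{avg:.0f}s interval, cv={cv:.3f}")
```

Because the third stage is handed out selectively by the operators, a sandbox detonation will often see only the fingerprint traffic and never the Cobalt Strike stage; the periodic check-in is therefore the more reliable observable. The report describes a fixed 10-minute cadence, but many implants add jitter, so `max_cv` should be tuned against your own baseline rather than left at the tight value used here.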
“FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms. This newest compromise chain that we detected is a continuation of the group’s willingness to update and renew its arsenal, trying to evade detection to compromise its targets,” says ESET researcher Damien Schaeffer, who discovered and analyzed the latest campaign by FrostyNeighbor.
FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, or Storm-0257, is a group reportedly operating from Belarus and active since at least 2016. Most of its operations have targeted countries neighboring Belarus; a small minority have been observed in other European countries. Its campaigns combine spearphishing with disinformation and influence operations against their targets, but the group has also compromised a variety of governmental and private-sector entities, with a focus on Ukraine, Poland, and Lithuania.
While Ukrainian targeting seems to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations.
For more details about FrostyNeighbor and its latest campaign, check out the ESET Research blogpost “FrostyNeighbor: Fresh mischief and digital shenanigans,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.

Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938
Legal Disclaimer:
EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.