Belarus-Linked FrostyNeighbor APT Targets Government and Military Orgs in Poland and Ukraine
The Belarus-aligned threat group FrostyNeighbor (Ghostwriter) has been conducting a highly targeted spear-phishing campaign since March 2026 against government and military organizations in Poland and Ukraine.

ESET researchers have published a report detailing a new campaign by FrostyNeighbor, a Belarus-aligned cyber-espionage group also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257. The campaign, which began in March 2026, targets government and military organizations in Poland and Ukraine using carefully crafted spear-phishing emails to deliver malicious payloads.
The campaign shows the group's tradecraft continuing to evolve and is notable for its highly selective targeting. FrostyNeighbor appears to choose its victims carefully, which suggests a focused intelligence-gathering mission rather than a broad opportunistic campaign. The group has historically conducted cyber-espionage operations on behalf of Belarusian interests.
The attack chain begins with spear-phishing emails that deliver payloads designed to establish persistent access to compromised networks. ESET's analysis indicates the group has refined its techniques to evade detection and maintain long-term access to targeted environments. The campaign specifically focuses on Eastern European entities aligned with NATO's eastern flank.
Organizations in Poland and Ukraine, particularly those in the government and defense sectors, should be on high alert for spear-phishing attempts associated with this group. The campaign underscores the ongoing cyber-espionage threat posed by state-aligned actors targeting Eastern Europe amid continuing geopolitical tensions in the region.