FrostyNeighbor Resurfaces with Updated Toolset Targeting Ukrainian Government Entities
ESET reports new FrostyNeighbor (Ghostwriter/UNC1151) cyberespionage activity since March 2026, targeting Ukrainian government organizations with server-side victim validation and updated PicassoLoader variants.

ESET researchers have uncovered a fresh wave of cyberespionage operations attributed to the Belarus-aligned threat actor known as FrostyNeighbor (also tracked as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, or Storm-0257). The campaign, active since March 2026, specifically targets governmental organizations in Ukraine, demonstrating the group's continued evolution in tactics, techniques, and procedures.
FrostyNeighbor's latest compromise chain begins with spearphishing emails containing malicious PDF attachments. The PDFs, such as one named "53_7.03.2026_R.pdf," impersonate the Ukrainian telecommunications company Ukrtelecom and include a download button linking to an attacker-controlled server. Notably, the group employs server-side victim validation: if the victim's geographic location does not match the expected target region, the server delivers a benign decoy PDF instead of the malicious payload. This anti-analysis technique helps the group evade detection and avoid burning its infrastructure on unintended targets.
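A triage check a mail-security team could run on this kind of lure, written here as an added example (it is not code from ESET's report): extract the link targets behind a PDF's "download button" (its /URI link annotations) and flag any whose host is not the impersonated sender's domain. The PDF bytes are constructed for the example, and the allowlisted domain ukrtelecom.ua is an assumption about the legitimate sender.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF (not a real FrostyNeighbor sample): one page carrying a
# link annotation whose /URI points at a host unrelated to the impersonated sender.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 140]
   /A << /S /URI /URI (https://files.example-attacker.invalid/download?id=53) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches the literal-string form "/URI (...)", honouring backslash escapes.
# Hex-string URIs (<...>) and URIs inside compressed object streams are not
# covered here; decompress/parse with a PDF library before scanning those.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every literal-string /URI target found in the raw PDF bytes."""
    found = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        found.append(raw.decode("latin-1"))
    return found


def flag_offdomain(pdf_bytes: bytes, expected_domains: set[str]) -> list[str]:
    """URIs whose host is neither an expected domain nor a subdomain of one."""
    flagged = []
    for uri in extract_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in expected_domains):
            flagged.append(uri)  # also catches non-http schemes (empty host)
    return flagged


if __name__ == "__main__":
    for uri in flag_offdomain(SAMPLE_PDF, {"ukrtelecom.ua"}):
        print("off-domain link in lure PDF:", uri)
```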
Once validated, the victim receives a JavaScript variant of PicassoLoader, the group's signature downloader. PicassoLoader retrieves a Cobalt Strike beacon from an attacker-controlled environment, disguising the payload as a renderable image or hiding it within web-associated file types such as CSS, JS, or SVG. Cobalt Strike then provides the attackers with full remote control over the compromised system. ESET notes that PicassoLoader variants have been observed in .NET, PowerShell, JavaScript, and C++, reflecting the group's investment in maintaining a diverse and resilient toolset.
FrostyNeighbor continues to exploit known vulnerabilities to gain initial access. The group has leveraged CVE-2023-38831, a WinRAR vulnerability, and CVE-2024-42009, a cross-site scripting (XSS) flaw in Roundcube webmail. The Roundcube exploit allows JavaScript execution upon opening a weaponized email, enabling credential harvesting. The group also abuses legitimate services such as Slack for payload delivery and Canarytokens for victim tracking, complicating both detection and attribution.
The targeting scope extends beyond Ukraine. While Ukrainian operations focus on military, defense, and government entities, FrostyNeighbor's victimology in Poland and Lithuania is broader, encompassing industrial, manufacturing, healthcare, pharmaceutical, and logistics sectors. The group has also conducted spearphishing campaigns targeting Polish users of major free email providers like Interia Poczta and Onet Poczta, using spoofed login pages to harvest credentials.
This latest activity builds on a long history of FrostyNeighbor operations documented by multiple security vendors. In July 2024, CERT-UA reported a surge of activity targeting Ukrainian government entities. SentinelOne documented new payload adaptations in February 2025, and HarfangLab observed malicious archives targeting Ukrainian and Polish entities in August 2025. In December 2025, StrikeReady reported the group's use of dynamic CAPTCHAs as an anti-analysis technique. The March 2026 campaign most closely mirrors the December 2025 findings in its use of server-side validation, but introduces the JavaScript PicassoLoader variant as a further evolution.
Organizations in Eastern Europe, particularly government and defense sectors in Ukraine, Poland, and Lithuania, should remain vigilant against spearphishing attempts and ensure that systems are patched against CVE-2023-38831 and CVE-2024-42009. Network defenders should monitor for anomalous use of legitimate services like Slack for file delivery and be alert to Cobalt Strike beacon indicators. ESET's full report provides detailed indicators of compromise and technical analysis of the new PicassoLoader variant.