FrostyNeighbor Cyberespionage Campaign Targets Ukrainian and Polish Governments

FrostyNeighbor Cyberespionage Campaign Targets Ukrainian and Polish Governments

First seen 14 May 2026, 16:08 UTC Markets.BusinessinsiderWelivesecurityDarkreadingwww.cybersecuritydive.comReform.News+4 86% similarity 75.6

Article Content

Browse articles
ThreatCluster

The Belarus-aligned cyber group FrostyNeighbor has launched a targeted campaign against government organizations in Ukraine and Poland since March 2026. Utilizing spearphishing techniques, the group delivers malicious payloads through deceptive PDF documents impersonating the Ukrainian telecom provider Ukrtelecom. The attack employs a JavaScript variant of PicassoLoader to facilitate the deployment of Cobalt Strike for post-compromise operations. FrostyNeighbor's tactics include fingerprinting victims' systems to selectively deliver malware based on geographic location, with a focus on military and governmental entities. The group has been active since at least 2016 and continues to evolve its methods to evade detection. Key vulnerabilities exploited include CVE-2024 and CVE-2023-38831. The ongoing threat poses significant risks to national security in the region.

Key Points: • FrostyNeighbor targets Ukrainian and Polish government organizations using spearphishing. • The group employs a JavaScript variant of PicassoLoader to deliver Cobalt Strike payloads. • Victim systems are fingerprinted to selectively deploy malware based on geographic location.

ThreatCluster AI

Timeline

2026-03-01
FrostyNeighbor campaign begins
The group initiates a targeted cyberespionage campaign against Ukrainian and Polish government entities.
Darkreading
2026-05-14
ESET reports on new FrostyNeighbor activities
ESET uncovers updated tactics and tools used by FrostyNeighbor, including malicious PDFs and PicassoLoader.
Welivesecurity
2026-05-14
FrostyNeighbor exploits CVE-2023-38831
The group is reported to have exploited a vulnerability in WinRAR to facilitate attacks.
Welivesecurity
2026-05-14
FrostyNeighbor's tactics evolve
The group abandons macro-based lures for blurry PDFs containing malicious links, enhancing evasion techniques.
Darkreading

Community

Browse all →