FrostyNeighbor Cyberespionage Campaign Targets Ukrainian and Polish Governments

Severity: High (Score: 75.6)

Sources: www.cybersecuritydive.com, Markets.Businessinsider, Darkreading, Reform.News, Welivesecurity

Summary

The Belarus-aligned cyber group FrostyNeighbor has launched a targeted campaign against government organizations in Ukraine and Poland since March 2026. Utilizing spearphishing techniques, the group delivers malicious payloads through deceptive PDF documents impersonating the Ukrainian telecom provider Ukrtelecom. The attack employs a JavaScript variant of PicassoLoader to facilitate the deployment of Cobalt Strike for post-compromise operations. FrostyNeighbor's tactics include fingerprinting victims' systems to selectively deliver malware based on geographic location, with a focus on military and governmental entities. The group has been active since at least 2016 and continues to evolve its methods to evade detection. Key vulnerabilities exploited include CVE-2024 and CVE-2023-38831. The ongoing threat poses significant risks to national security in the region.

Key Points

  • FrostyNeighbor targets Ukrainian and Polish government organizations using spearphishing.
  • The group employs a JavaScript variant of PicassoLoader to deliver Cobalt Strike payloads.
  • Victim systems are fingerprinted to selectively deploy malware based on geographic location.

Key Entities

  • Fancy Bear (apt_group)
  • FrostyNeighbor (apt_group)
  • Pushcha (apt_group)
  • Sandworm (apt_group)
  • Storm-0257 (apt_group)
  • Ghostwriter (campaign)
  • Ghostwriter Influence Operation (campaign)
  • Botnet (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Democratic National Committee (company)
  • Ukraine Government (company)
  • Ukrtelecom (company)
  • Asus (company)
  • WatchGuard (company)
  • Belarus (country)
  • Estonia (country)
  • Latvia (country)
  • Lithuania (country)
  • Poland (country)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • mickeymousegamesdealer.al (domain)
  • nkek.gov.ua (domain)
  • trojandropper.fr (domain)
  • welivesecurity.com (domain)
  • Government (industry)
  • Healthcare (industry)
  • Manufacturing (industry)
  • Pharmaceuticals (industry)
  • Telecommunications (industry)
  • Cobalt Strike (malware)
  • Cyclops Blink (malware)
  • VPNFilter (malware)
  • PicassoLoader (tool)
  • Canarytokens (tool)
  • PowerShell (tool)
  • Rundll32 (tool)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Slack (platform)