
FrostyNeighbor Targets Ukrainian Government with Evolving Cyber Tactics

Severity: High (Score: 77.1)

Sources: Markets.Businessinsider, Welivesecurity

Summary

FrostyNeighbor, a Belarus-aligned cyber threat group, has intensified its operations against Ukrainian governmental organizations as of May 2026. The group sends spearphishing emails carrying malicious PDFs that lead to a JavaScript variant of the PicassoLoader downloader, which in turn deploys a Cobalt Strike payload for espionage. The lure documents impersonate Ukrtelecom, the Ukrainian telecommunications provider, and aim to harvest sensitive information. This campaign continues FrostyNeighbor's longstanding focus on Eastern European targets, particularly Ukraine, Poland, and Lithuania. The group has been active since at least 2016 and has repeatedly adapted its delivery methods, including exploiting CVE-2023-38831, the WinRAR archive-handling flaw that runs a script when a user opens a benign-looking file from a crafted archive. The current chain (document lure, script-based downloader, off-the-shelf implant) is built to evade detection and maximize impact, with a focus on military and governmental sectors. ESET Research has confirmed these findings based on telemetry data.

Key Points

  • FrostyNeighbor is targeting Ukrainian government entities with spearphishing lures that impersonate legitimate organizations such as Ukrtelecom.
  • The group uses a JavaScript version of PicassoLoader to deliver Cobalt Strike payloads.
  • Recent attacks have also exploited CVE-2023-38831.
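
As an added example (not code from the page or from ESET's report), the following Python hunts for the process-tree shape implied by the chain above: a document viewer or archive tool spawning a Windows script host (T1059.007 JavaScript), which in turn launches PowerShell, rundll32 or schtasks (T1059.001, Rundll32, T1053). The JSON-lines event schema (ts, pid, ppid, image, cmdline), the process names in the three stage sets, and every sample event are assumptions constructed for the demonstration; the page publishes no process trees or command lines for this campaign.

```python
"""Hunt for a lure-document -> script host -> PowerShell/rundll32/schtasks chain.

Added example; not code from the page or from ESET. The event schema and all
sample events below are constructed for the demonstration.
"""
import json

# Stage 1: processes that typically open a phishing lure or an extracted
# archive member (assumed list; tune to the readers deployed in your estate).
LURE_OPENERS = {
    "acrord32.exe", "acrobat.exe", "foxitreader.exe", "winrar.exe",
    "outlook.exe", "chrome.exe", "msedge.exe", "explorer.exe",
}
# Stage 2: Windows script hosts, the natural parent of a JavaScript downloader
# such as the PicassoLoader variant described on the page (T1059.007).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Stage 3: follow-on execution and persistence (T1059.001, rundll32, T1053).
STAGE3 = {"powershell.exe", "pwsh.exe", "rundll32.exe", "schtasks.exe", "regsvr32.exe"}

# Constructed process-creation events (one JSON object per line), shaped like
# Sysmon Event ID 1 after normalisation. PIDs 400 and 500 form the malicious
# chain; 600 and 800 are benign look-alikes that must not alert.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-05-05T09:00:00Z", "pid": 1, "ppid": 0, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"ts": "2026-05-05T09:00:01Z", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2026-05-05T09:01:10Z", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe", "cmdline": r'"AcroRd32.exe" C:\Users\u\Downloads\notice.pdf'},
    {"ts": "2026-05-05T09:01:45Z", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\notice.js"},
    {"ts": "2026-05-05T09:01:46Z", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ts": "2026-05-05T09:01:50Z", "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\upd.dll,Start"},
    {"ts": "2026-05-05T09:05:00Z", "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"ts": "2026-05-05T09:06:00Z", "pid": 700, "ppid": 1, "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript.exe \\dc01\netlogon\logon.vbs"},
    {"ts": "2026-05-05T09:06:02Z", "pid": 800, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -File map_drives.ps1"},
])


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> dict[int, dict]:
    """Index JSON-lines process events by pid (constructed schema)."""
    events: dict[int, dict] = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["name"] = image_name(ev["image"])
            events[ev["pid"]] = ev
    return events


def ancestry(events: dict[int, dict], pid: int, max_depth: int = 6) -> list[dict]:
    """The process, its parent, grandparent, ... up to max_depth or an unknown ppid."""
    chain: list[dict] = []
    cur = events.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = events.get(cur["ppid"])
    return chain


def find_chains(events: dict[int, dict]) -> list[dict]:
    """Flag stage-3 processes that descend from a script host started by a lure opener.

    Walking the whole ancestry rather than only the direct parent also catches
    rundll32 started by PowerShell started by wscript, not just wscript -> powershell.
    """
    hits = []
    for ev in sorted(events.values(), key=lambda e: e["pid"]):
        if ev["name"] not in STAGE3:
            continue
        anc = ancestry(events, ev["pid"])  # anc[0] is ev itself
        for i in range(1, len(anc) - 1):
            if anc[i]["name"] in SCRIPT_HOSTS and anc[i + 1]["name"] in LURE_OPENERS:
                hits.append({
                    "pid": ev["pid"],
                    "chain": " -> ".join(a["name"] for a in reversed(anc[: i + 2])),
                    "cmdline": ev["cmdline"],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_chains(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']}: {hit['chain']} :: {hit['cmdline']}")
```

On the constructed events this flags PIDs 400 and 500 and stays silent on the interactive PowerShell under Explorer and the logon-script cscript under services.exe. Keeping explorer.exe in the opener set makes the rule noisier (any user double-clicking a .js file matches), so in real telemetry pair it with signer or path allowlisting, and treat the three stage sets as starting points rather than the campaign's confirmed process names.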

Key Entities

  • FrostyNeighbor (apt_group)
  • Pushcha (apt_group)
  • Storm-0257 (apt_group)
  • TA445 (apt_group)
  • UAC-0057 (apt_group)
  • Ghostwriter (campaign)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ukrtelecom (company)
  • Belarus (country)
  • Lithuania (country)
  • Poland (country)
  • Slovakia (country)
  • Ukraine (country)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • mickeymousegamesdealer.al (domain)
  • nkek.gov.ua (domain)
  • trojandropper.fr (domain)
  • welivesecurity.com (domain)
  • Government (industry)
  • Healthcare (industry)
  • Manufacturing (industry)
  • Pharmaceuticals (industry)
  • Telecommunications (industry)
  • Cobalt Strike (malware)
  • PicassoLoader (tool)
  • Canarytokens (tool)
  • PowerShell (tool)
  • Rundll32 (tool)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1082 - System Information Discovery (mitre_attack)
  • Slack (platform)