The report describes newly observed FrostyNeighbor activity against governmental organizations in Ukraine, including a March 2026 compromise chain that uses spearphishing PDFs, JavaScript-based PicassoLoader, and a final Cobalt Strike payload. The actor continues to evolve its tooling, apply server-side victim validation, and rely on infrastructure such as needbinding[.]icu and nebao[.]icu to deliver payloads only to selected targets. #FrostyNeighbor #PicassoLoader #CobaltStrike #Ukraine
Keypoints
- FrostyNeighbor is a long-running cyberespionage group also known as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, and Storm-0257.
- The group primarily targets governmental, military, and other key sectors in Eastern Europe, with a strong focus on Ukraine, Poland, and Lithuania.
- New activity observed since March 2026 targets Ukrainian governmental organizations using malicious PDFs delivered through spearphishing.
- The latest compromise chain uses a JavaScript version of PicassoLoader to stage and deliver a Cobalt Strike beacon.
- Victim validation is performed server-side using geography, IP, and collected fingerprint data before the final payload is sent.
- The actor uses multiple delivery and evasion methods, including decoy PDFs, scheduled tasks, registry persistence, and masquerading as legitimate files.
- FrostyNeighbor has also used credential-harvesting phishing pages and exploited vulnerabilities in WinRAR and Roundcube in related campaigns.
MITRE Techniques
- [T1583] Acquire Infrastructure — The group acquires domains and rents C&C servers for its operations ("acquires domain names and rents C&C servers").
- [T1608] Stage Capabilities — Final payloads are hosted on attacker-controlled servers before delivery ("hosts the final payload on a C&C server").
- [T1588.002] Obtain Capabilities: Tool — The actors obtained a leaked Cobalt Strike version to generate payloads ("obtained a leaked version of Cobalt Strike to generate payloads").
- [T1566.001] Phishing: Spearphishing Attachment — Weaponized lure documents are delivered as email attachments ("sends a weaponized lure document in email attachments").
- [T1204.002] User Execution: Malicious File — Victims are tricked into opening documents or archives to trigger code execution ("tricks its victims into opening or editing a document to gain code execution").
- [T1053.005] Scheduled Task/Job: Scheduled Task — Scheduled tasks are used to trigger persistence and execution ("uses scheduled tasks to achieve persistence").
- [T1059] Command and Scripting Interpreter — JavaScript, Visual Basic, and PowerShell are used to run malicious logic ("uses scripting languages such as JavaScript, Visual Basic, and PowerShell").
- [T1060] Registry Run Keys / Startup Folder — Registry Run keys are used for persistence ("uses the registry Run key and the Startup Folder to achieve persistence").
- [T1027] Obfuscated Files or Information — Scripts and binaries are obfuscated to hinder analysis ("obfuscates scripts and compiled binaries").
- [T1027.009] Obfuscated Files or Information: Embedded Payloads — Later-stage payloads are embedded inside initial lure content ("embeds next stages or payloads inside the initial lure document").
- [T1036.005] Masquerading: Match Legitimate Resource Name or Location — Malicious files are dropped with common Microsoft-style names and paths ("drops malicious files using common Microsoft filenames and locations").
- [T1057] Process Discovery — PicassoLoader collects running process information ("collects the list of running processes").
- [T1082] System Information Discovery — PicassoLoader gathers user and system details ("collects system and user information").
- [T1071.001] Application Layer Protocol: Web Protocols — HTTPS is used for command-and-control and delivery ("uses HTTPS for C&C communication and payload delivery").
- [T1041] Exfiltration Over C2 Channel — Data is sent over the C2 channel with Cobalt Strike ("uses HTTPS with Cobalt Strike").
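The persistence techniques listed above (scheduled tasks, Run keys, a JavaScript stage dropped under %AppData% and a DLL under %ProgramData%) share a hunting-friendly shape: an autorun whose payload sits in a user-writable directory and is either a script/DLL stage or launched through a script host. The heuristic below is an added example written for this summary, not tooling from the report or from ESET; all entry names, paths and commands in it are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample autorun entries (Run-key values and scheduled-task actions).
# None of these names, paths or commands come from the report.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"source": "HKCU Run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": "HKCU Run", "name": "Spotify",
     "command": r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --minimized'},
    {"source": "HKCU Run", "name": "ExampleUpdate",
     "command": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\ExampleDir\Update.js"'},
    {"source": "Scheduled task", "name": "ExampleSvc",
     "command": r'rundll32.exe C:\ProgramData\ExampleApp\helper.dll,Start'},
]

# Built-in hosts commonly used to run a script or DLL stage from an autorun entry.
PROXY_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe",
               "powershell.exe", "rundll32.exe", "regsvr32.exe")
# Directories an unprivileged user can write to, where droppers usually land.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local\\Temp)|ProgramData|Users\\Public)\\", re.I)
# Extensions of script/DLL stages rather than ordinary application executables.
STAGE_EXT = re.compile(r"\.(js|jse|vbs|vbe|hta|ps1|dll)\b", re.I)


def suspicious_reasons(command: str) -> List[str]:
    """Return the heuristics a single autorun command line trips."""
    reasons = []
    lowered = command.lower()
    host = next((h for h in PROXY_HOSTS if h in lowered), None)
    if host:
        reasons.append(f"launched via {host}")
    if USER_WRITABLE.search(command):
        reasons.append("payload lives in a user-writable directory")
    if STAGE_EXT.search(command):
        reasons.append("payload is a script or DLL stage")
    return reasons


def flag_entries(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Flag entries whose payload is in a user-writable directory AND is either
    proxied through a script host or is itself a script/DLL stage. Plain .exe
    autoruns from AppData (updaters, chat clients) are deliberately not flagged."""
    flagged: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = suspicious_reasons(entry["command"])
        writable = any(r.startswith("payload lives") for r in reasons)
        if writable and len(reasons) >= 2:
            flagged[f'{entry["source"]}:{entry["name"]}'] = reasons
    return flagged


if __name__ == "__main__":
    for key, why in flag_entries(SAMPLE_ENTRIES).items():
        print(key, "->", "; ".join(why))
```

In practice the entries would be read from the HKCU/HKLM Run keys and the Task Scheduler on each host; the heuristic is a triage filter, so flagged entries still need the file's hash and signer checked before action.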
Indicators of Compromise
- [SHA-1 hashes] malicious files and payload samples — 776A43E46C36A539C916ED426745EE96E2392B39, B65551D339AECE718EA1465BF3542C794C445EFC, and 8 other items
- [File names] lure documents, droppers, and beacons — 53_7.03.2026_R.pdf, 53_7.03.2026_R.js, and 8 other items
- [Domains] C&C and delivery infrastructure — attachment-storage-asset-static.needbinding[.]icu, book-happy.needbinding[.]icu, and 5 other items
- [URLs] downloader and payload retrieval endpoints — https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg, https://book-happy.needbinding[.]icu/employment/documents-and-resources, and 1 other item
- [Registry/file paths] persistence and dropped payload locations — %AppData%WinDataScopeUpdate.js, %ProgramData%ViberPC.dll, and 2 other items
- [Vulnerability IDs] exploited weaknesses referenced in the campaign — CVE-2023-38831, CVE-2024-42009
Read more: https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/