LmCast :: Stay tuned in

'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine

Recorded: May 14, 2026, 5:01 p.m.

Original

'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine

Attackers uniquely fingerprint victims before delivering spear-phishing payloads aimed at espionage, in the latest campaign from the Belarussian nation-state threat group.

Elizabeth Montalbano, Contributing Writer, May 14, 2026, 4 Min Read

A known Belarussian cyberespionage group is back with a threat campaign against targets in Eastern Europe that uses spearphishing to deliver malicious payloads to Eastern European government and military organizations. The campaign is unique in that the group appears to be particularly choosy about who it targets.

In a campaign that began in March and targets entities in Poland and Ukraine specifically, FrostyNeighbor — also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257 — demonstrates a continued evolution of its cybercriminal activities on behalf of Belarus, according to a report by ESET research published Thursday.

Its latest attack wave targets Ukrainian and Polish government organizations, and demonstrates how the group is continuing to evolve its espionage toolkit and delivery infrastructure, according to ESET. The advanced persistent threat (APT) is using a fresh compromise chain with spear-phishing PDFs, server-side victim validation, and a JavaScript-based version of PicassoLoader, the group's main payload downloader, to ultimately deploy Cobalt Strike for post-compromise operations.

"Since January 2026, the group seems to have abandoned the use of macro-based initial lure document ... to only use blurry PDFs containing a malicious link to the next stage," Damien Schaeffer, ESET senior malware researcher, tells Dark Reading.

That PDF lure impersonates Ukrainian telecom provider Ukrtelecom, and claims to provide secure customer data protection. It includes a download link hosted on attacker-controlled infrastructure.

FrostyNeighbor's Cyber Evolution Beyond Disinformation

FrostyNeighbor, believed to be active since at least 2016, is known for combining cyberespionage with other malicious operations, including spearphishing, credential theft, malware deployment, and disinformation activity associated with the broader Ghostwriter influence operation. That campaign — which began in 2021 and was first believed to be out of Russia — targeted several European countries, including Germany, Poland, Ukraine, and the Baltic states of Estonia, Latvia, and Lithuania, with phishing and misinformation. Eventually, researchers discovered that Ghostwriter/FrostyNeighbor had a more significant phishing infrastructure than first known, which figures prominently in its latest attack.

The latest iteration is highly targeted, with attackers fingerprinting the victim's computer to ensure targeting is specific. While this in and of itself is not unique, FrostyNeighbor operators appear to then decide manually whether or not the target will get the implant, Schaeffer says.

FrostyNeighbor's Manual, Specific Victim-Targeting

If the victim is not from the expected geographic location, the server delivers a benign PDF file. However, if the victim is using an IP address from Ukraine, the server instead delivers a RAR archive containing the first stage of the attack — a JavaScript file that drops and displays the aforementioned PDF file as a decoy. Simultaneously, it also executes the second stage: a JavaScript version of the PicassoLoader downloader. When running, PicassoLoader fingerprints the victim's computer by collecting the username, computer name, OS version, the boot time of the computer, the current time, and the list of running processes with their process IDs.

The decision whether or not to deliver a payload is very likely manually performed by the operators, as mentioned before, based on the collected information to decide if the victim is of interest, according to ESET. If they are, command-and-control (C2) responds with a third-stage JavaScript dropper for Cobalt Strike, the final payload; otherwise, it returns an empty response.

Defensive, Anti-Espionage Action for Eastern European Targets

FrostyNeighbor remains "quite active in terms of operations, and has demonstrated a continued evolution in its TTPs, trying new techniques to evade detections and compromise its targets," Schaeffer says. Indeed, the newest compromise chain outlined in the report is a continuation of the group's persistent willingness to update and renew its arsenal, according to ESET.

For this reason, organizations that could be targeted by the group — especially in Poland, Lithuania, and Ukraine — should take defensive measures. These include taking the usual spear-phishing precautions, such as carefully analyzing emails with an attachment coming from external or unknown senders, Schaeffer says. Defenders also can implement best practices such as restricting user permissions to the minimum, or preventing execution of downloaded files, and monitoring their users and environment for suspicious network communications, he adds. To help defenders identify the campaign, ESET also included a comprehensive list of indicators of compromise (IoCs) in its report.

Summarized

The threat group known as FrostyNeighbor, also tracked under aliases such as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, has recently executed a sophisticated cyber espionage campaign targeting government and military organizations in Poland and Ukraine. This campaign demonstrates a continuous evolution in the threat group's operational techniques and delivery infrastructure, as reported by ESET research. The group is noted for uniquely fingerprinting victims before deploying spear-phishing payloads intended for espionage.

The latest attack wave employs a refined compromise chain involving spear-phishing documents, server-side victim validation, and a JavaScript-based version of PicassoLoader, which serves as the primary mechanism for downloading subsequent stages of the malicious code before ultimately deploying Cobalt Strike for post-compromise operations. An observation from ESET senior malware researcher Damien Schaeffer indicates that the group has moved away from using macro-based initial lures, opting instead to use blurry PDFs containing malicious links to subsequent stages.

The operational evolution of FrostyNeighbor extends beyond simple espionage, incorporating spear-phishing, credential theft, malware deployment, and disinformation activities associated with the broader Ghostwriter influence operation. This broader campaign, which began in 2021, initially targeted several European nations including Germany, Poland, Ukraine, and the Baltic states of Estonia, Latvia, and Lithuania, through phishing and misinformation. Researchers subsequently discovered that the group possessed a more extensive phishing infrastructure than previously known, which is prominent in their current activities.

FrostyNeighbor’s targeting sophistication involves specific logic based on the victim's geographic location. If the victim is outside the expected geographic range, the server delivers a benign PDF file. However, if the victim utilizes an IP address from Ukraine, the server delivers a RAR archive containing the first stage of the attack: a JavaScript file that drops and displays the initial PDF as a decoy, simultaneously executing the JavaScript version of the PicassoLoader downloader. The PicassoLoader then fingerprints the victim's system by collecting specific details such as the username, computer name, operating system version, boot time, current time, and a list of running processes along with their process identifiers. The operators are understood to manually review this collected information to decide whether the target is of interest; if so, the command-and-control server responds with the third-stage JavaScript dropper for Cobalt Strike, and otherwise it returns an empty response.
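The geo-gated, fingerprint-then-decide chain described in the article and again in this summary gives defenders a concrete endpoint pattern to hunt for: a Windows script host launched with a script from a user-writable extraction folder, a PDF viewer spawned as its child, and an outbound connection from that same script process within a short window. The Python triage routine below is an added example, not code from the article or from ESET's report; its Sysmon-style event records, paths, user names, PIDs, filenames and IP addresses are constructed, and the WinRAR temp-folder prefix, the correlation window and the scoring weights are assumptions to tune locally.

```python
"""Triage of constructed endpoint telemetry for the delivery chain described
above: a JavaScript file extracted from an archive runs under a Windows script
host, drops and opens a decoy PDF, then contacts the downloader's C2.

Added example; nothing here is ESET's or Dark Reading's code. Event records
follow the Sysmon field naming convention (EventID 1 = process creation,
EventID 3 = network connection), but every path, user, PID, filename and IP
address is constructed for this example.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
PDF_VIEWERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe", "msedge.exe"}
# Path fragments that mark user-writable drop locations. "\rar$" is the prefix
# WinRAR gives its temporary extraction folders (assumption: extend this for the
# archivers and mail clients in your own estate).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\rar$")

# Constructed events: one malicious chain (PID 4412) and one benign logon script (PID 5000).
EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-10 09:14:02", "ProcessId": 4412, "ParentProcessId": 3120,
     "Image": "C:\\Windows\\System32\\wscript.exe", "User": "CORP\\olena",
     "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" "
                    "\"C:\\Users\\olena\\AppData\\Local\\Temp\\Rar$DIa4412.1337\\ukrtelecom_notice.js\""},
    {"EventID": 1, "UtcTime": "2026-03-10 09:14:03", "ProcessId": 4420, "ParentProcessId": 4412,
     "Image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AcroRd32.exe", "User": "CORP\\olena",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "\"AcroRd32.exe\" C:\\Users\\olena\\AppData\\Local\\Temp\\notice.pdf"},
    {"EventID": 3, "UtcTime": "2026-03-10 09:14:05", "ProcessId": 4412, "User": "CORP\\olena",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2026-03-10 09:15:00", "ProcessId": 5000, "ParentProcessId": 800,
     "Image": "C:\\Windows\\System32\\cscript.exe", "User": "CORP\\olena",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "cscript.exe //B \\\\corp.example\\netlogon\\mapdrives.vbs"},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _script_argument(cmdline: str) -> str | None:
    """Return the first command-line token that names a script file, if any."""
    for quoted, bare in _TOKEN.findall(cmdline):
        tok = quoted or bare
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
            return tok
    return None


def _is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


@dataclass
class ScriptExecution:
    pid: int
    started: datetime
    user: str
    script_path: str
    from_user_writable: bool
    children: list[str] = field(default_factory=list)
    connections: list[str] = field(default_factory=list)

    def score(self) -> int:
        """Weighted indicators: a script from a drop location that both opens a
        document and talks to the network is the pattern the article describes."""
        total = 0
        if self.from_user_writable:
            total += 2
        if any(child in PDF_VIEWERS for child in self.children):
            total += 1
        if self.connections:
            total += 2
        return total


def triage(events: list[dict], window: timedelta = timedelta(seconds=120), threshold: int = 3) -> list[dict]:
    """Correlate script-host launches with their child processes and outbound
    connections inside `window`; return those scoring at or above `threshold`."""
    executions: dict[int, ScriptExecution] = {}
    # Pass 1: every script-host launch that was handed a script file.
    for ev in events:
        if ev["EventID"] != 1 or ntpath.basename(ev["Image"]).lower() not in SCRIPT_HOSTS:
            continue
        script = _script_argument(ev["CommandLine"])
        if script is None:
            continue
        executions[ev["ProcessId"]] = ScriptExecution(
            pid=ev["ProcessId"], started=_ts(ev["UtcTime"]), user=ev["User"],
            script_path=script, from_user_writable=_is_user_writable(script))
    # Pass 2: attach what each tracked script did next, within the window.
    for ev in events:
        when = _ts(ev["UtcTime"])
        if ev["EventID"] == 1:
            parent = executions.get(ev.get("ParentProcessId"))
            if parent and timedelta(0) <= when - parent.started <= window:
                parent.children.append(ntpath.basename(ev["Image"]).lower())
        elif ev["EventID"] == 3:
            proc = executions.get(ev["ProcessId"])
            if proc and timedelta(0) <= when - proc.started <= window:
                proc.connections.append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    alerts = [
        {"pid": ex.pid, "user": ex.user, "script": ex.script_path, "score": ex.score(),
         "children": ex.children, "connections": ex.connections}
        for ex in executions.values() if ex.score() >= threshold
    ]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(f'[score {alert["score"]}] pid {alert["pid"]} ({alert["user"]}) ran {alert["script"]}')
        print(f'    children: {alert["children"]}  connections: {alert["connections"]}')
```

The benign logon script (a .vbs run from a NETLOGON share with no children and no network activity) is tracked but scores zero, which is the point of weighting rather than alerting on every script-host launch; a script from a drop folder that only opens a PDF scores 3 and surfaces, so the threshold is where local tuning happens.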

Given the group’s persistent evolution in tactics, organizations in regions such as Poland, Lithuania, and Ukraine are advised to implement robust defensive measures. These recommendations include maintaining standard spear-phishing precautions, such as carefully scrutinizing emails with attachments from external or unknown senders. Defenders should also enforce security best practices, including restricting user permissions to the minimum necessary, preventing the execution of downloaded files, and continuously monitoring users and the environment for suspicious network communications. To aid in campaign identification, ESET also provided a comprehensive list of indicators of compromise (IoCs) for threat detection.
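The closing advice in the article and in this summary, to monitor for suspicious network communications, can be made concrete for the final stage described (a Cobalt Strike payload delivered after manual approval): implants of that kind poll their C2 on a fixed sleep interval with a small jitter, which stands out against the irregular timing of human browsing. The Python check below is an added example, not from the article or from ESET; its proxy log format, its thresholds (at least six connections per source/destination pair, coefficient of variation of the inter-connection gaps at or below 0.15) and every host and address in it are constructed assumptions.

```python
"""Beacon-periodicity check over constructed web-proxy log lines.

Post-compromise implants such as Cobalt Strike typically call back to their C2
on a fixed sleep interval with limited jitter, so a near-constant gap between
successive connections from one internal host to one external destination is a
useful hunting signal. Added example; log format, thresholds, hosts and
addresses are all constructed, not taken from ESET's report.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed lines: "<utc-timestamp> <src-ip> <dst-host:port> <method> <status> <bytes>"
# 10.20.30.40 beacons roughly every 60 s; 10.20.30.41 browses; 10.20.30.42 has too few samples.
PROXY_LOG = """\
2026-03-10T09:20:00Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1420
2026-03-10T09:20:05Z 10.20.30.41 www.example.org:443 CONNECT 200 88211
2026-03-10T09:20:07Z 10.20.30.41 www.example.org:443 CONNECT 200 1203
2026-03-10T09:20:00Z 10.20.30.42 updates.example.net:443 CONNECT 200 512
2026-03-10T09:20:40Z 10.20.30.41 www.example.org:443 CONNECT 200 40021
2026-03-10T09:21:02Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1398
2026-03-10T09:21:59Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1411
2026-03-10T09:23:03Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1402
2026-03-10T09:23:10Z 10.20.30.41 www.example.org:443 CONNECT 200 9931
2026-03-10T09:24:00Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1417
2026-03-10T09:24:58Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1390
2026-03-10T09:26:01Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1405
2026-03-10T09:27:00Z 10.20.30.40 203.0.113.45:443 CONNECT 200 1399
2026-03-10T09:29:55Z 10.20.30.41 www.example.org:443 CONNECT 200 71002
2026-03-10T09:30:00Z 10.20.30.42 updates.example.net:443 CONNECT 200 512
2026-03-10T09:30:01Z 10.20.30.41 www.example.org:443 CONNECT 200 2210
2026-03-10T09:40:00Z 10.20.30.42 updates.example.net:443 CONNECT 200 512
2026-03-10T09:45:12Z 10.20.30.41 www.example.org:443 CONNECT 200 5500
2026-03-10T09:45:13Z 10.20.30.41 www.example.org:443 CONNECT 200 300
"""


def parse_proxy_log(text: str) -> dict[tuple[str, str], list[datetime]]:
    """Group connection timestamps by (source IP, destination host:port)."""
    flows: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, *_rest = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def periodicity(times: list[datetime]) -> tuple[float, float]:
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps are nearly constant, i.e.
    the connections are periodic. Requires at least three timestamps.
    """
    ordered = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))


def find_beacons(flows: dict[tuple[str, str], list[datetime]],
                 min_samples: int = 6, max_cv: float = 0.15) -> list[dict]:
    """Flag source/destination pairs with enough connections and near-constant spacing."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_samples:  # too little data to judge periodicity
            continue
        avg, cv = periodicity(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "samples": len(times),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(PROXY_LOG)):
        print(f'{hit["src"]} -> {hit["dst"]}: {hit["samples"]} connections, '
              f'every ~{hit["mean_interval_s"]} s (cv {hit["cv"]})')
```

The minimum-sample guard matters as much as the variance threshold: three evenly spaced update checks would otherwise look perfectly periodic, and long sleep intervals mean a real implant may need hours of logs before it accumulates enough samples to be judged. Pairing this with the endpoint signals above (which process opened the connection) is what turns a statistical hint into something an analyst can act on.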