ESET researchers identified renewed activity from FrostyNeighbor, a long-running cyberespionage actor apparently aligned with Belarusian interests, targeting Ukrainian government organizations in campaigns observed since March 2026. The latest findings reveal continued evolution of the group’s tooling, compromise chains, and evasion techniques as it sustains cyberespionage operations across Eastern Europe.
Telemetry analyzed by ESET shows FrostyNeighbor primarily targeting governmental, military, and other critical sectors in the region while regularly updating its methods to avoid detection. The report also notes that the group uses server-side validation to verify intended victims before delivering its final payload, reflecting a more selective and tightly controlled attack approach.
“FrostyNeighbor has demonstrated a continued evolution in its tactics, techniques, and procedures (TTPs), leveraging over time a diverse arsenal of malware and delivery mechanisms to target entities,” Damien Schaeffer wrote in a company blog post last week.
He detailed that key developments included the deployment of multiple PicassoLoader variants written in .NET, PowerShell, JavaScript, and C++. The downloader retrieves a disguised Cobalt Strike beacon hidden in image or web-related file types such as CSS, JS, or SVG, enabling attackers to gain full control of compromised systems. FrostyNeighbor also uses lure documents, including CHM, XLS, PPT, and DOC files, and exploited the WinRAR vulnerability CVE-2023-38831. The group further abuses legitimate services such as Slack for payload delivery and Canarytokens for victim tracking, complicating detection and attribution efforts.
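The report says the beacon is hidden inside CSS, JS or SVG files but does not say how it is encoded, so the following is an added, generic triage technique written for this article, not ESET's method and not a sample from the campaign. It slides a window over a web asset and flags stretches whose byte entropy is far above what markup or stylesheet text produces: encrypted data sits near 8 bits per byte, base64 near 6, ordinary CSS/JS/SVG around 4.5 to 5. The samples, the window size and the threshold are constructed and tuned for this illustration.

```python
import base64
import hashlib
import math
from collections import Counter

WINDOW = 1024    # bytes per window (smaller windows underestimate base64 entropy)
STEP = 256       # window stride
THRESHOLD = 5.5  # bits/byte: text ~4.5-5.0, base64 ~6, encrypted data ~8


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return (offset, entropy) for every sliding window above the threshold."""
    if len(data) <= window:
        spans = [(0, len(data))]
    else:
        spans = [(o, o + window) for o in range(0, len(data) - window + 1, step)]
    hits = []
    for start, end in spans:
        h = shannon_entropy(data[start:end])
        if h > threshold:
            hits.append((start, round(h, 2)))
    return hits


def triage(assets: dict) -> dict:
    """Map asset name -> offset of the first high-entropy window, or None if clean."""
    verdicts = {}
    for name, blob in assets.items():
        hits = high_entropy_windows(blob)
        verdicts[name] = hits[0][0] if hits else None
    return verdicts


def _payload_bytes(n: int, seed: bytes = b"example-beacon") -> bytes:
    """Deterministic stand-in for an encrypted beacon: a SHA-256 counter stream."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed samples for this example, not files recovered from the campaign.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 400 400">\n'
             + b"".join(b'  <rect x="%d" y="%d" width="20" height="20" fill="#3366cc"/>\n'
                        % (10 * i, 10 * i) for i in range(40))
             + b"</svg>\n")
# Raw encrypted blob appended after the closing tag, wrapped in a comment.
STAGED_SVG = CLEAN_SVG + b"<!--" + _payload_bytes(4096) + b"-->"
# Same blob base64-encoded and hidden inside a bogus data: URL in a stylesheet.
STAGED_CSS = (b".hero{background:url(data:image/png;base64,"
              + base64.b64encode(_payload_bytes(3072)) + b")}\n")

if __name__ == "__main__":
    for name, offset in triage({"clean.svg": CLEAN_SVG, "staged.svg": STAGED_SVG,
                                "staged.css": STAGED_CSS}).items():
        print(name, "clean" if offset is None else "suspicious blob at offset %d" % offset)
```

Run over a crawl of the assets a suspected loader fetched, the verdicts narrow the files worth carving; the offset gives the carving start. Genuine embedded images and minified, compressed JS can also score high, so a hit is a triage signal, not a conviction, and the threshold should be calibrated against the organisation's own clean assets.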
“While Ukrainian targeting seems to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations,” Schaeffer mentioned. “As this report is solely based on our telemetry, other campaigns against entities in countries in the same region cannot be excluded.”
He pointed out that FrostyNeighbor conducted spearphishing campaigns targeting users of Polish organizations, focusing on major free email providers such as Interia Poczta and Onet Poczta. “These campaigns included spoofed login pages designed to harvest credentials. Additionally, CERT-PL reported that the group exploited the CVE-2024-42009 XSS vulnerability in Roundcube, which enables JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim’s credentials. This reflects the group’s effort in both malware compromise and credential harvesting.”
“Since March 2026, we have detected new activities that we attributed to FrostyNeighbor, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. The compromise chain is the newest observed to date, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload,” according to Schaeffer.
The lure PDF in this campaign impersonates the Ukrainian telecommunications provider Ukrtelecom and contains a download link pointing to attacker-controlled infrastructure.
The campaign uses geographic filtering to validate targets before delivering malware. Victims outside Ukraine receive a benign decoy PDF related to Ukrainian electronic communications regulations, while users connecting from Ukrainian IP addresses receive a RAR archive containing a JavaScript dropper. The script displays the decoy PDF to avoid suspicion while deploying PicassoLoader, establishing persistence through scheduled tasks and registry modifications. The downloader fingerprints compromised systems by collecting system details, running processes, and timing information, which are periodically sent to the command-and-control server.
Based on the collected victim data, the operators appear to decide manually whether to deploy the final payload. If the target is deemed valuable, the server delivers a third-stage JavaScript dropper that installs a Cobalt Strike beacon. The dropper copies the legitimate rundll32.exe binary, writes the beacon to disk as a DLL, and establishes persistence through registry Run keys and shortcut files. The beacon then communicates with a remote command-and-control server controlled by the attackers.
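The chain described above leaves host artifacts a hunter can key on: a script host launching a .js dropper, a scheduled task created by that script host, a copy of rundll32.exe outside the Windows system directories, and a Run key or Startup shortcut pointing at it. The rules below are an added illustration written for this article, not ESET's detection logic. The events are constructed Sysmon-style records (field names modelled on Sysmon's Image, CommandLine, TargetObject, Details and TargetFilename), and the assumption that the dropper executes from a temporary archive-extraction directory is mine, not a finding in the report.

```python
import ntpath
import re

# Directories where the genuine rundll32.exe lives; a copy anywhere else is the tell.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Assumption (not stated in the report): the .js dropper is opened straight from the
# RAR archive, so it runs from a temporary extraction directory such as %TEMP%\Rar$...
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\rar$")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def _check_process(ev):
    image, cmd = ev["image"], ev.get("command_line", "").lower()
    name = _name(image)
    if name in SCRIPT_HOSTS and ".js" in cmd and any(m in cmd for m in TEMP_MARKERS):
        yield "T1059.007", "script host running a .js file from a temp/archive path"
    if name == "rundll32.exe" and not _in_system_dir(image):
        yield "T1218.011", "rundll32.exe executing from a non-system path: " + image
    if name == "schtasks.exe" and "/create" in cmd and _name(ev.get("parent_image", "")) in SCRIPT_HOSTS:
        yield "T1053.005", "scheduled task created by a script host"


def _check_registry(ev):
    if RUN_KEY_RE.search(ev["target_object"]):
        details = ev.get("details", "").lower()
        if "rundll32" in details and not any(d in details for d in SYSTEM_DIRS):
            yield "T1547.001", "Run key launches rundll32.exe from a non-system path"


def _check_file(ev):
    target = ev["target_filename"]
    if _name(target) == "rundll32.exe" and not _in_system_dir(target):
        yield "T1036.005", "copy of rundll32.exe written outside the system directories"
    if STARTUP_DIR in target.lower() and target.lower().endswith(".lnk"):
        yield "T1547.001", "shortcut dropped into a Startup folder"


CHECKS = {"process_create": _check_process,
          "registry_set": _check_registry,
          "file_create": _check_file}


def detect(events):
    """Run every rule over the events; return (event_index, technique, description)."""
    hits = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev["type"])
        if check is None:
            continue
        for technique, desc in check(ev):
            hits.append((i, technique, desc))
    return hits


# Constructed events for this example, not telemetry from the campaign.
U = r"C:\Users\u\AppData"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": "wscript.exe " + U + r"\Local\Temp\Rar$DIa1234\notice.js"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "schtasks /Create /SC MINUTE /MO 10 /TN Sys /TR wscript.exe " + U + r"\Roaming\Sys\run.js"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target_filename": U + r"\Roaming\Sys\rundll32.exe"},
    {"type": "registry_set", "image": r"C:\Windows\System32\wscript.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Sys",
     "details": U + r"\Roaming\Sys\rundll32.exe " + U + r"\Roaming\Sys\core.dll,Start"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target_filename": U + r"\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.lnk"},
    {"type": "process_create", "image": U + r"\Roaming\Sys\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": U + r"\Roaming\Sys\rundll32.exe " + U + r"\Roaming\Sys\core.dll,Start"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",  # benign baseline
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for index, technique, desc in detect(SAMPLE_EVENTS):
        print("event %d %s %s" % (index, technique, desc))
```

Fed real Sysmon data, the three event types correspond to event IDs 1 (process creation), 11 (file creation) and 13 (registry value set); only the field mapping needs to change. The last sample event is the genuine rundll32.exe launched from System32 and produces no hit, which is the point of keying on the image path rather than the process name.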
In conclusion, Schaeffer wrote that FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms.
“This newest compromise chain we detected is a continuation of the group’s willingness to update and renew its arsenal, trying to evade detection to compromise its targets,” according to Schaeffer. “The group’s campaigns continue to focus on Eastern Europe, with a notable emphasis on the governmental, defense, and key sectors, especially in Poland, Lithuania, and Ukraine, according to ESET telemetry.”
He added that the payload is delivered only after server-side victim validation, which combines automated checks of the requesting user agent and IP address with manual validation by the operators. Continuous and close monitoring of the group’s operations, infrastructure, and toolset changes remains essential to detect and mitigate future operations.


