{"id":335,"date":"2026-05-15T07:30:29","date_gmt":"2026-05-15T07:30:29","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/05\/15\/fresh-mischief-and-digital-shenanigans\/"},"modified":"2026-05-15T07:30:29","modified_gmt":"2026-05-15T07:30:29","slug":"fresh-mischief-and-digital-shenanigans","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/05\/15\/fresh-mischief-and-digital-shenanigans\/","title":{"rendered":"Fresh mischief and digital shenanigans"},"content":{"rendered":"<div>\n<p>This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection \u2013 targeting victims located in Eastern Europe, according to our telemetry.<\/p>\n<blockquote>\n<p><strong>Key points of the report:<\/strong><\/p>\n<ul>\n<li>FrostyNeighbor is a long-running cyberespionage actor apparently aligned with the interests of Belarus.<\/li>\n<li>The group primarily targets governmental, military, and key sectors in Eastern Europe.<\/li>\n<li>This report documents new activity observed that started in March 2026, showing continued evolution of tooling and compromise chains.<\/li>\n<li>FrostyNeighbor uses server-side validation of its victims before delivering the final payload.<\/li>\n<li>The group has been active recently in campaigns targeting governmental organizations in Ukraine.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Introduction<\/h2>\n<p>FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC\u20110057, TA445, PUSHCHA, or Storm-0257, is a group allegedly <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc1151-linked-to-belarus-government\/\" target=\"_blank\" rel=\"noopener\">operating from Belarus<\/a>. 
According to <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/unc1151-linked-to-belarus-government\" target=\"_blank\" rel=\"noopener\">Mandiant<\/a>, the group has been active since at least 2016. The majority of FrostyNeighbor\u2019s operations have targeted countries neighboring Belarus; a small minority have been observed in other European countries. FrostyNeighbor performs campaigns that utilize spearphishing, spread disinformation, and attempt to <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/ghostwriter-influence-campaign\" target=\"_blank\" rel=\"noopener\">influence<\/a> their targets (like the <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/espionage-group-unc1151-likely-conducts-ghostwriter-influence-activity\" target=\"_blank\" rel=\"noopener\">Ghostwriter influence activity<\/a>) but has also compromised a variety of governmental and private sector entities, with a focus on Ukraine, Poland, and Lithuania.<\/p>\n<p>FrostyNeighbor has demonstrated a continued evolution in its tactics, techniques, and procedures (TTPs), leveraging over time a diverse arsenal of malware and delivery mechanisms to target entities. Key developments include the deployment of multiple variants of the group\u2019s main payload downloader, named PicassoLoader by <a href=\"https:\/\/cert.gov.ua\/article\/5661411\" target=\"_blank\" rel=\"noopener\">CERT-UA<\/a>. Variants of this downloader are written in .NET, PowerShell, JavaScript, and C++. The name comes from the fact that it retrieves a <a href=\"https:\/\/www.cobaltstrike.com\/\" target=\"_blank\" rel=\"noopener\">Cobalt Strike<\/a> beacon, from an attacker-controlled environment, disguised as a renderable image or hidden in a web-associated file type, like CSS, JS, or SVG. 
Cobalt Strike is a post-exploitation framework widely used both by pentesters and threat actors, and its associated beacon acts as an initial implant, allowing the attacker to fully control the compromised victim\u2019s computer.<\/p>\n<p>Moreover, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC, and it has exploited the WinRAR vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-38831\" target=\"_blank\" rel=\"noopener\">CVE\u20112023\u201138831<\/a>. FrostyNeighbor has also exploited legitimate services such as Slack for payload delivery, and <a href=\"https:\/\/canarytokens.com\/\" target=\"_blank\" rel=\"noopener\">Canarytokens<\/a> for victim tracking, complicating detection and attribution efforts.<\/p>\n<p>While Ukrainian targeting seems to be focused on military, defense sector, and governmental entities, the victimology in Poland and Lithuania is broader and includes, among others, a wide variety of sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and many governmental organizations. As this report is solely based on our telemetry, other campaigns against entities in countries in the same region cannot be excluded.<\/p>\n<p>FrostyNeighbor has conducted spearphishing campaigns targeting users of Polish organizations, focusing on major free email providers such as <a href=\"https:\/\/poczta.interia.pl\/\" target=\"_blank\" rel=\"noopener\">Interia Poczta<\/a> and <a href=\"https:\/\/konto.onet.pl\/\" target=\"_blank\" rel=\"noopener\">Onet Poczta<\/a>. These campaigns included spoofed login pages designed to harvest credentials. 
Additionally, <a href=\"https:\/\/cert.pl\/en\/posts\/2025\/06\/unc1151-campaign-roundcube\/\" target=\"_blank\" rel=\"noopener\">CERT-PL<\/a> reported that the group exploited the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-42009\" target=\"_blank\" rel=\"noopener\">CVE\u20112024\u201142009<\/a> XSS vulnerability in Roundcube, which enables JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim\u2019s credentials. This reflects the group\u2019s effort in both malware compromise and credential harvesting.<\/p>\n<h2>Past publications<\/h2>\n<p>FrostyNeighbor\u2019s campaigns have been active for years and have therefore been widely documented publicly over time. Some of these include reports from July 2024, when <a href=\"https:\/\/cert.gov.ua\/article\/6280159\" target=\"_blank\" rel=\"noopener\">CERT-UA<\/a> reported about a surge of activity attributed to the group, targeting Ukrainian governmental entities. In February 2025, <a href=\"https:\/\/www.sentinelone.com\/labs\/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition\/\">SentinelOne<\/a> documented a surge of activity targeting Ukrainian government and opposition activists in Belarus, using new adaptations of previously observed payloads.<\/p>\n<p>In August 2025, <a href=\"https:\/\/harfanglab.io\/insidethelab\/uac-0057-pressure-ukraine-poland\/\" target=\"_blank\" rel=\"noopener\">HarfangLab<\/a> observed new clusters of activity that involved malicious archives in specific compromise chains to target Ukrainian and Polish entities. 
Finally, in December 2025, <a href=\"https:\/\/strikeready.com\/blog\/captch-ya-if-you-can\/\" target=\"_blank\" rel=\"noopener\">StrikeReady<\/a> documented a new anti-analysis technique, using dynamic CAPTCHAs that the victims had to solve, executed by a VBA macro in the lure document.<\/p>\n<h2>Newly discovered activity<\/h2>\n<p>Since March 2026, we have detected new activities that we attributed to FrostyNeighbor, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. The compromise chain is the newest observed to date, using a JavaScript version of PicassoLoader to deliver a Cobalt Strike payload, as illustrated in Figure\u00a01.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Compromise chain overview\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-1-1-2.png\" alt=\"Figure 1. Compromise chain overview (2)\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Compromise chain overview<\/em><\/figcaption><\/figure>\n<p>It starts with a blurry lure PDF file named <span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R.pdf<\/span>, shown in Figure\u00a02, impersonating the Ukrainian telecommunications company <a href=\"https:\/\/ukrtelecom.ua\/\">Ukrtelecom<\/a>, with a message that it purportedly <em>\u201cguarantees reliable protecting of customer data\u201d<\/em> (machine translated), and a download button with a link leading to a document hosted on a delivery server controlled by the group.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. PDF lure document with a remote download link\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-2.png\" alt=\"Figure 2. PDF lure document with a remote download link\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. 
PDF lure document with a remote download link<\/em><\/figcaption><\/figure>\n<p>If the victim is not from the expected geographic location, the server delivers a benign PDF file with the same name, <span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R.pdf<\/span>, related to regulations in the field of electronic communications from 2024 to 2026 from Ukraine\u2019s National Commission for the State Regulation of Electronic Communications, Radio Frequency Spectrum and the Provision of Postal Services (<a href=\"https:\/\/nkek.gov.ua\/\" target=\"_blank\" rel=\"noopener\">nkek.gov.ua<\/a>), as shown in Figure\u00a03.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. Decoy PDF file related to strategic priorities and regulations in the field of electronic communications\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-3.png\" alt=\"Figure 3. Decoy PDF file\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Decoy PDF file related to strategic priorities and regulations in the field of electronic communications<\/em><\/figcaption><\/figure>\n<p>If the victim is using an IP address from Ukraine, the server instead delivers a RAR archive named <span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R.rar<\/span>, containing the first stage of the attack named <span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R.js<\/span> \u2013 a JavaScript file that drops and displays a PDF file as a decoy. Simultaneously, it also executes the second stage: a JavaScript version of the PicassoLoader downloader, known to be used by the group. The first-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure\u00a04.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. 
First-stage JavaScript dropper 53_7.03.2026_R.js\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-4.png\" alt=\"Figure 4. First-stage JavaScript dropper 53_7.03.2026_R.js\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. First-stage JavaScript dropper<\/em> <span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R.js<\/span><\/figcaption><\/figure>\n<p>On first execution, the script decodes and displays to the victim the same PDF decoy illustrated in Figure\u00a03, and executes itself with the <span style=\"font-family: courier new, courier, monospace;\">\u2011\u2011update<\/span> flag to reach the other section of the code; the other flags are not used at all.<\/p>\n<p>During the second execution, the script drops the second-stage downloader (PicassoLoader), which is embedded in the script (encoded using base64) as <span style=\"font-family: courier new, courier, monospace;\">%AppData%\\WinDataScope\\Update.js<\/span>, and downloads a scheduled task template from <span style=\"font-family: courier new, courier, monospace;\">https:\/\/book-happy.needbinding[.]icu\/wp-content\/uploads\/2023\/10\/1GreenAM.jpg<\/span>, as shown in Figure\u00a05.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Scheduled task template downloaded from the C&amp;C server\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-5.png\" alt=\"Figure 5. Scheduled task template downloaded from the C&amp;C server\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. 
Scheduled task template downloaded from the C&amp;C server<\/em><\/figcaption><\/figure>\n<p>Despite a JPG image being requested, the server responds with text-based content, using the Content-Type and Content-Disposition headers to advertise an XML attachment served from the group\u2019s C&amp;C server hosted behind Cloudflare:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">Content-Type: application\/xml<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">Server: cloudflare<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">Content-Disposition: attachment; filename=\"config.xml\"<\/span><\/p>\n<p>To achieve persistence and trigger the first execution of PicassoLoader, the script then replaces the placeholder values with the data parsed from the response file <span style=\"font-family: courier new, courier, monospace;\">1GreenAM.jpg<\/span>:<\/p>\n<p>The first stage, <span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R.js<\/span>, also drops a REG file under <span style=\"font-family: courier new, courier, monospace;\">%AppData%\\WinDataScope<\/span> as <span style=\"font-family: courier new, courier, monospace;\">WinUpdate.reg<\/span>, whose contents are imported into the registry by the PicassoLoader downloader. The PicassoLoader script has been deobfuscated and refactored for readability, with a shortened version provided in Figure\u00a06.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Second-stage JavaScript PicassoLoader downloader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-6.png\" alt=\"Figure 6. Second-stage JavaScript PicassoLoader downloader\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. 
Second-stage JavaScript PicassoLoader downloader<\/em><\/figcaption><\/figure>\n<p>When running, PicassoLoader fingerprints the victim\u2019s computer by collecting the username, computer name, OS version, the boot time of the computer, the current time, and the list of running processes with their process IDs (PIDs). Every 10\u00a0minutes, the compromised computer\u2019s fingerprint is sent to the C&amp;C server via an HTTP POST request to <span style=\"font-family: courier new, courier, monospace;\">https:\/\/book-happy.needbinding[.]icu\/employment\/documents-and-resources<\/span>. If the C&amp;C server response content is larger than 100\u00a0bytes, the received data is executed using the <span style=\"font-family: courier new, courier, monospace;\">eval<\/span> method.<\/p>\n<p>The decision whether to deliver a payload is very likely made manually by the operators, who use the collected information to judge whether the victim is of interest. If so, the C&amp;C server responds with a third-stage JavaScript dropper for Cobalt Strike; otherwise, it returns an empty response. This third-stage script has been deobfuscated and refactored for readability, with a shortened version provided in Figure\u00a07.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. Third-stage Cobalt Strike dropper\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/05-26\/frostyneighbor\/figure-7.png\" alt=\"Figure 7. Third-stage Cobalt Strike dropper\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. 
Third-stage Cobalt Strike dropper<\/em><\/figcaption><\/figure>\n<p>This additional script starts by copying the legitimate <span style=\"font-family: courier new, courier, monospace;\">rundll32.exe<\/span> to <span style=\"font-family: courier new, courier, monospace;\">%ProgramData%\\ViberPC.exe<\/span>, very likely to bypass some security mechanisms or detection rules.<\/p>\n<p>Then, a Cobalt Strike beacon embedded in this stage is base64 decoded and written to disk as <span style=\"font-family: courier new, courier, monospace;\">%ProgramData%\\ViberPC.dll<\/span>. Finally, persistence is achieved by creating and importing a REG file named <span style=\"font-family: courier new, courier, monospace;\">ViberPC.reg<\/span>, which registers in the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/setupapi\/run-and-runonce-registry-keys\">HKCU Run key<\/a> a LNK file, named <span style=\"font-family: courier new, courier, monospace;\">%ProgramData%\\ViberPC.lnk<\/span>, that executes the copied version of <span style=\"font-family: courier new, courier, monospace;\">rundll32.exe<\/span> with the command line argument <span style=\"font-family: courier new, courier, monospace;\">%ProgramData%\\ViberPC.dll<\/span>, calling its DLL export <span style=\"font-family: courier new, courier, monospace;\">SettingTimeAPI<\/span>.<\/p>\n<p>The final payload is a Cobalt Strike beacon that contacts its C&amp;C server at <span style=\"font-family: courier new, courier, monospace;\">https:\/\/nama-belakang.nebao[.]icu\/statistics\/discover.txt<\/span>.<\/p>\n<h2>Conclusion<\/h2>\n<p>FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms. 
This newest compromise chain we detected is a continuation of the group\u2019s willingness to update and renew its arsenal, trying to evade detection to compromise its targets.<\/p>\n<p>The group\u2019s campaigns continue to focus on Eastern Europe, with a notable emphasis on the governmental, defense, and key sectors, especially in Poland, Lithuania, and Ukraine, according to ESET telemetry.<\/p>\n<p>The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with the manual validation by the operators. Continuous and close monitoring of the group\u2019s operations, infrastructure, and toolset changes is essential to detect and mitigate future operations.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=frostyneighbor-fresh-mischief-digital-shenanigans&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in our <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/frostyneighbor\">GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"175\"><strong>SHA\u20111<\/strong><\/td>\n<td width=\"175\"><strong>Filename<\/strong><\/td>\n<td width=\"142\"><strong>Detection<\/strong><\/td>\n<td width=\"150\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"175\"><span 
style=\"font-family: courier new, courier, monospace;\">776A43E46C36A539C916<wbr\/>ED426745EE96E2392B39<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R<wbr\/>.rar<\/span><\/td>\n<td width=\"142\">JS\/TrojanDropper.Fr<wbr\/>ostyNeighbor.E<\/td>\n<td width=\"150\">Lure RAR archive.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">8D1F2A6DF51C7783F2EA<wbr\/>F1A0FC0FF8D032E5B57F<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R<wbr\/>.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDropper.Fr<wbr\/>ostyNeighbor.E<\/td>\n<td width=\"150\">JavaScript dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">B65551D339AECE718EA1<wbr\/>465BF3542C794C445EFC<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">Update.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDownloader<wbr\/>.FrostyNeighbor.D<\/td>\n<td width=\"150\">JavaScript PicassoLoader downloader.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">E15ABEE1CFDE8BE7D87C<wbr\/>7C0B510450BAD6BC0906<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">Update.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDropper.Fr<wbr\/>ostyNeighbor.D<\/td>\n<td width=\"150\">Cobalt Strike dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">43E30BE82D82B24A6496<wbr\/>F6943ECB6877E83F88AB<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">ViberPC.dll<\/span><\/td>\n<td width=\"142\">Win32\/CobaltStrike.<wbr\/>Beacon.S<\/td>\n<td width=\"150\">Cobalt Strike beacon.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, 
monospace;\">4F2C1856325372B9B776<wbr\/>9D00141DBC1A23BDDD14<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">53_7.03.2026_R<wbr\/>.pdf<\/span><\/td>\n<td width=\"142\">PDF\/TrojanDownloade<wbr\/>r.FrostyNeighbor.D<\/td>\n<td width=\"150\">Lure PDF document.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">D89E5524E49199B1C3B6<wbr\/>6C524E7A63C3F0A0C199<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">Certificate.pdf<\/span><\/td>\n<td width=\"142\">PDF\/TrojanDownloade<wbr\/>r.FrostyNeighbor.E<\/td>\n<td width=\"150\">Lure PDF document.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">7E537D8E91668580A482<wbr\/>BD77A5A4CABA26D6BDAC<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">certificate.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDownloader<wbr\/>.FrostyNeighbor.G<\/td>\n<td width=\"150\">JavaScript PicassoLoader downloader.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">FA6882672AD365480098<wbr\/>7613310D7C3FBADE027E<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">certificate.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDownloader<wbr\/>.FrostyNeighbor.E<\/td>\n<td width=\"150\">JavaScript PicassoLoader downloader.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">3FA7D1B13542F1A9EB05<wbr\/>4111F9B69C250AF68643<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">\u0421\u0435\u0442\u0438\u0444\u0456\u043a\u0430\u0442_CAF.rar<\/span><\/td>\n<td width=\"142\">JS\/TrojanDropper.Fr<wbr\/>ostyNeighbor.G<\/td>\n<td width=\"150\">Lure RAR archive.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, 
monospace;\">4E52C92709A918383E90<wbr\/>534052AAA257ACE2780C<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">\u0421\u0435\u0442\u0438\u0444\u0456\u043a\u0430\u0442_CAF.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDropper.Fr<wbr\/>ostyNeighbor.G<\/td>\n<td width=\"150\">JavaScript dropper.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">6FDED427A16D5314BA3E<wbr\/>1EB9AFD120DC84449769<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">EdgeTaskMachine<wbr\/>.js<\/span><\/td>\n<td width=\"142\">JS\/TrojanDropper.Fr<wbr\/>ostyNeighbor.F<\/td>\n<td width=\"150\">JavaScript PicassoLoader downloader.<\/td>\n<\/tr>\n<tr>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">27FA11F6A1D653779974<wbr\/>B6FB54DE4AF47F211232<\/span><\/td>\n<td width=\"175\"><span style=\"font-family: courier new, courier, monospace;\">EdgeSystemConfig<wbr\/>.dll<\/span><\/td>\n<td width=\"142\">Win32\/CobaltStrike.<wbr\/>Beacon.S<\/td>\n<td width=\"150\">Cobalt Strike beacon.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table style=\"height: 612px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\"><strong>IP<\/strong><\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><strong>Domain<\/strong><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\"><strong>Hosting provider<\/strong><\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\"><strong>First seen<\/strong><\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, 
courier, monospace;\">attachment-storage-asset-<wbr\/>static.needbinding[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201103\u201110<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">PicassoLoader C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">book-happy.needbindin<wbr\/>g[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201103\u201110<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">PicassoLoader C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">nama-belakang.nebao[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201103\u201110<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">Cobalt Strike C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">easiestnewsfromourpointof<wbr\/>view.algsat[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201104\u201114<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">PicassoLoader C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td 
style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">mickeymousegamesdealer.al<wbr\/>exavegas[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201103\u201126<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">PicassoLoader C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">hinesafar.sardk[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201104\u201114<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">PicassoLoader C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">shinesafar.sardk[.]icu<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201104\u201114<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">PicassoLoader C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"width: 39px; height: 68px;\" width=\"49\">N\/A<\/td>\n<td style=\"width: 279px; height: 68px;\" width=\"213\"><span style=\"font-family: courier new, courier, monospace;\">best-seller.lavanill<wbr\/>e[.]buzz<\/span><\/td>\n<td style=\"width: 89px; height: 68px;\" width=\"115\">N\/A<\/td>\n<td style=\"width: 92px; height: 68px;\" width=\"107\">2026\u201104\u201114<\/td>\n<td style=\"width: 128px; height: 68px;\" width=\"158\">Cobalt Strike C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK 
techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 18<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1583\">T1583<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure<\/td>\n<td width=\"265\">FrostyNeighbor acquires domain names and rents C&amp;C servers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1608\">T1608<\/a><\/td>\n<td width=\"151\">Stage Capabilities<\/td>\n<td width=\"265\">FrostyNeighbor hosts the final payload on a C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1588\/002\">T1588.002<\/a><\/td>\n<td width=\"151\">Obtain Capabilities: Tool<\/td>\n<td width=\"265\">FrostyNeighbor obtained a leaked version of Cobalt Strike to generate payloads.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1566\/001\">T1566.001<\/a><\/td>\n<td width=\"151\">Phishing: Spearphishing Attachment<\/td>\n<td width=\"265\">FrostyNeighbor sends a weaponized lure document in email attachments.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1204\/002\">T1204.002<\/a><\/td>\n<td width=\"151\">User Execution: Malicious File<\/td>\n<td width=\"265\">FrostyNeighbor tricks its 
victims into opening or editing a document to gain code execution.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1053\/005\">T1053.005<\/a><\/td>\n<td width=\"151\">Scheduled Task\/Job: Scheduled Task<\/td>\n<td width=\"265\">FrostyNeighbor uses scheduled tasks to achieve persistence.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1059\">T1059<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter<\/td>\n<td width=\"265\">FrostyNeighbor uses scripting languages such as JavaScript, Visual Basic, and PowerShell.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1060\">T1060<\/a><\/td>\n<td width=\"151\">Registry Run Keys \/ Startup Folder<\/td>\n<td width=\"265\">FrostyNeighbor uses the registry Run key and the Startup Folder to achieve persistence.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1027\">T1027<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information<\/td>\n<td width=\"265\">FrostyNeighbor obfuscates scripts and compiled binaries.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1027\/009\">T1027.009<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Embedded Payloads<\/td>\n<td width=\"265\">FrostyNeighbor embeds next stages or payloads inside the initial lure document.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1036\/005\">T1036.005<\/a><\/td>\n<td width=\"151\">Masquerading: Match Legitimate Resource Name or Location<\/td>\n<td width=\"265\">FrostyNeighbor drops malicious files using common Microsoft filenames and locations.<\/td>\n<\/tr>\n<tr>\n<td 
rowspan=\"2\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1057\">T1057<\/a><\/td>\n<td width=\"151\">Process Discovery<\/td>\n<td width=\"265\">PicassoLoader collects the list of running processes.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1082\">T1082<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">PicassoLoader collects system and user information.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1071\/001\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">FrostyNeighbor uses HTTPS for C&amp;C communication and payload delivery.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1041\">T1041<\/a><\/td>\n<td width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td width=\"265\">FrostyNeighbor uses HTTPS with Cobalt Strike.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=frostyneighbor-fresh-mischief-digital-shenanigans&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. 
FrostyNeighbor has been running<\/p>\n","protected":false},"author":1,"featured_media":336,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=335"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/336"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
