Full Report
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations
Analysis Summary
# Threat Actor: FrostyNeighbor
## Attribution & Identity
FrostyNeighbor is a long-running cyberespionage group that is assessed to be aligned with the interests of the **Belarusian government**. The group has been active since at least 2016 and is widely tracked by the security community under several aliases.
* **Aliases:** Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, Storm-0257.
* **Known Associations:** Linked to the Belarusian government; frequently operates in alignment with regional geopolitical interests.
## Activity Summary
The group remains highly active, with documented operations continuing into **March 2026**. Their primary focus is on persistent cyberespionage and influence operations (informational warfare). Recent activities involving updated compromise chains and delivery methods have been identified as targeting governmental organizations in Ukraine. The group is known for its agility, frequently updating its toolset to evade detection and employing server-side validation to ensure payloads are only delivered to intended victims.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing using weaponized attachments (CHM, XLS, PPT, DOC). Exploitation of vulnerabilities such as CVE-2023-38831 (WinRAR) and CVE-2024-42009 (Roundcube XSS).
- **Execution:** Heavy use of scripting interpreters (JavaScript, VBScript, PowerShell, .NET, and C++).
- **Evasion:** Uses "PicassoLoader" to retrieve payloads disguised as renderable images or web files (CSS, JS, SVG). Employs server-side validation of victims before delivering final stages.
- **Persistence:** Utilization of Scheduled Tasks, Registry Run Keys, and the Windows Startup folder.
- **Tracking:** Use of Canarytokens to track victim interaction with lure documents.
**MITRE ATT&CK IDs:**
* **T1566.001:** Phishing: Spearphishing Attachment
* **T1204.002:** User Execution: Malicious File
* **T1053.005:** Scheduled Task/Job: Scheduled Task
* **T1059:** Command and Scripting Interpreter
* **T1060:** Registry Run Keys / Startup Folder
* **T1027 / T1027.009:** Obfuscated Files / Embedded Payloads
* **T1036.005:** Masquerading: Match Legitimate Resource Name
* **T1057 / T1082:** Process and System Information Discovery
* **T1071.001:** Application Layer Protocol: Web Protocols
* **T1041:** Exfiltration Over C2 Channel
## Targeting
* **Sectors:** Governmental, military, defense, industrial/manufacturing, healthcare, pharmaceuticals, and logistics.
* **Geography:** Primarily Eastern Europe, with a heavy focus on Ukraine, Poland, and Lithuania. Occasional activity in other European countries.
* **Victims:** Specifically targeted Ukrainian governmental entities and users of Polish free email providers (Interia Poczta and Onet Poczta) for credential harvesting.
## Tools & Infrastructure
* **Malware Families:**
* **PicassoLoader:** A multi-language downloader (PowerShell, .NET, JS, C++) used to deliver final payloads.
* **Cobalt Strike Beacon:** The primary post-exploitation framework used for full system control.
* **Services:** Exploitation of legitimate platforms like **Slack** for payload delivery and **Canarytokens** for tracking.
* **Infrastructure:**
* HTTPS used for C2 communication.
* Spoofed login pages for credential harvesting (Interia/Onet poczta).
* Controlled environments disguised as benign file hosts (JS/CSS/SVG hosting).
## Implications
FrostyNeighbor represents a persistent, evolving threat to Eastern European stability. Their hybrid approach—combining traditional cyberespionage (credential and data theft) with "Ghostwriter" influence operations (disinformation)—suggests they are a key instrument of Belarusian state policy. Their continuous refinement of "PicassoLoader" and use of server-side filtering indicate a high level of operational security awareness designed to bypass automated sandbox analysis and traditional EDR signatures.
## Mitigations
* **Vulnerability Management:** Prioritize patching for known exploited vulnerabilities, specifically **CVE-2023-38831** (WinRAR) and **CVE-2024-42009** (Roundcube).
* **Email Security:** Implement robust attachment filtering to block or scrutinize high-risk file types like CHM and macro-enabled Office documents.
* **Endpoint Monitoring:** Monitor for unauthorized Scheduled Task creation and modifications to Registry Run keys.
* **Network Defense:** Inspect traffic to legitimate cloud services (like Slack) for unusual patterns that may indicate payload delivery or C2.
* **User Training:** Educate staff, particularly in governmental and military sectors, on identifying sophisticated spearphishing and credential harvesting attempts that spoof local webmail providers.