Photo: sebastiaan stam / unsplash.com
Researchers at ESET have identified new activity by the hacker group FrostyNeighbor, also known as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA or Storm-0257, WeLiveSecurity writes. The group is believed to operate from Belarus and has reportedly been active since at least 2016.
According to the researchers, since March 2026 the group has been conducting targeted phishing attacks against Ukrainian government organisations using an updated infection scheme. Victims receive PDF files disguised as documents from the Ukrainian operator Ukrtelecom. When a link in the document is opened, the system checks the user’s IP address. If the address is located in Ukraine, instead of a harmless file the victim downloads a malicious RAR archive containing the PicassoLoader JavaScript loader.
The loader collects data about the infected computer — including the username, operating system version and list of running processes — and sends it to the attackers’ server every 10 minutes. The decision to deliver the final malicious payload is made manually by the operators based on the collected data. If the victim is deemed of interest, a Cobalt Strike beacon is deployed on the computer, giving the attackers full control over the system.
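The fixed 10-minute check-in described above is the kind of regularity a defender can hunt for in proxy or EDR telemetry. The following is an added illustration, not code from ESET's report: the log lines, host names, destination addresses and the assumption that the loader runs under a script host such as wscript.exe are all constructed for the example.

```python
import statistics
from datetime import datetime

# Constructed sample log: "<timestamp> <host> <process> <destination>".
# The ws-victim rows mimic a near-constant 10-minute beacon; ws-admin is ordinary browsing.
SAMPLE_LOG = """\
2026-03-10T09:00:02 ws-victim wscript.exe 203.0.113.10
2026-03-10T09:10:03 ws-victim wscript.exe 203.0.113.10
2026-03-10T09:20:01 ws-victim wscript.exe 203.0.113.10
2026-03-10T09:30:04 ws-victim wscript.exe 203.0.113.10
2026-03-10T09:40:02 ws-victim wscript.exe 203.0.113.10
2026-03-10T09:01:10 ws-admin chrome.exe 198.51.100.7
2026-03-10T09:03:44 ws-admin chrome.exe 198.51.100.7
2026-03-10T09:25:09 ws-admin chrome.exe 198.51.100.7
2026-03-10T09:26:30 ws-admin chrome.exe 198.51.100.7
"""


def parse_log(text):
    """Group request timestamps by (host, process, destination)."""
    series = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = line.split()
        series.setdefault((host, proc, dst), []).append(datetime.fromisoformat(ts))
    return series


def beacon_candidates(series, min_events=4, max_jitter=0.1):
    """Return (key, mean_gap_seconds, jitter) for series whose gaps are nearly constant.

    jitter is the coefficient of variation of the inter-request gaps; a loader that
    checks in on a fixed timer produces a value close to zero, while human-driven
    traffic is bursty and scores far higher.
    """
    hits = []
    for key, times in series.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((key, round(mean), round(jitter, 3)))
    return hits
```

Loaders that randomise their sleep defeat a tight `max_jitter`; widening it trades false positives for coverage, so pair the interval check with process context (a script host talking to a rarely seen destination) before alerting.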
The group continues to target primarily Ukraine, Poland and Lithuania, focusing on government agencies, the defence sector, industry, healthcare and logistics. According to ESET, FrostyNeighbor demonstrates a high level of operational maturity and regularly updates its arsenal to evade detection systems.
“FrostyNeighbor remains a resilient and adaptive threat actor, demonstrating a high level of operational maturity through the use of diverse lure documents, evolving lure and loader variants, and novel delivery mechanisms. This latest attack chain we uncovered continues the group’s efforts to refresh and expand its arsenal while attempting to evade detection in order to compromise its targets,” the report states.