The image is for illustrative purposes only. Photo: freepik.com
The Belarus-linked hacking group FrostyNeighbor, also known as Ghostwriter and UNC1151, has been conducting a new cyber-espionage campaign targeting Ukrainian government institutions since March 2026. This is stated in a new study by cybersecurity company ESET, published this week.
According to researchers, the group has been active since at least 2016 and remains one of the most active cyber-espionage operations in Eastern Europe. FrostyNeighbor primarily targets government institutions, military organizations and strategically important sectors. For years, its attacks have focused on Ukraine, Poland and Lithuania.
In the latest campaign, the attackers are using phishing emails containing PDF files. One of the identified documents was disguised as a notification from Ukrainian telecommunications operator Ukrtelecom. The file contained a link to what appeared to be an official document. However, the next stage of the attack depended on the target’s location.
Researchers found that the attackers’ server checks the user’s IP address before delivering any malicious content. If the request originates from outside Ukraine, the user receives a harmless decoy document related to electronic communications regulation. If the target is located in Ukraine, the server delivers an archive containing a malicious JavaScript file.
Once launched, the script displays a legitimate document to the user while simultaneously installing the next stage of the infection chain, a loader known as PicassoLoader. The tool collects system information, including the username, computer name, operating system version, device uptime and a list of running processes. The collected data is regularly transmitted to the attackers’ command-and-control server.
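A defender-side illustration of the endpoint stages described above: an archived JavaScript file run by a Windows script host, which then opens a decoy document and starts a second-stage component. The geographic filtering means a sandbox or analyst outside Ukraine is likely to receive only the harmless decoy, so endpoint process telemetry is often the first place the chain becomes visible. The following Python scorer over Sysmon-style process-creation events is an added example written for this article, not code from ESET or from the report; the event shape, the sample events, the directory patterns and the choice of second-stage host processes (rundll32, PowerShell, and so on) are constructed assumptions, not details taken from the actual campaign.

```python
"""Score process-creation events for a JavaScript-dropper pattern.

Constructed example: a script host (wscript/cscript) runs a .js file from an
archive-extraction or temp directory, then spawns a document viewer (the decoy)
and a second-stage host process. Event format and sample data are invented for
illustration and are not drawn from ESET's report.
"""
import re
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed locations where archive tools extract a file that the user double-clicks.
EXTRACT_DIR_PATTERNS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Temp\d*_?", re.IGNORECASE),   # e.g. ...\Temp1_archive.zip\
    re.compile(r"\\Downloads\\", re.IGNORECASE),
]
# Viewers a dropper typically launches so the victim sees a "legitimate" document.
DECOY_VIEWERS = {"acrord32.exe", "winword.exe", "excel.exe", "msedge.exe"}
# Assumed hosts for a second-stage loader; adjust to the environment's own baseline.
STAGE2_HOSTS = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case image basename, as a Sysmon EventID 1 would give
    cmdline: str


@dataclass
class Finding:
    script_pid: int
    script_path: str
    reasons: list = field(default_factory=list)
    score: int = 0


def _script_path(cmdline):
    """Return the first .js argument on the command line, or None."""
    m = re.search(r'"?([^"\s]+\.js)"?', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def analyze(events):
    """Return one Finding per script-host process that executed a .js file."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if e.image not in SCRIPT_HOSTS:
            continue
        path = _script_path(e.cmdline)
        if path is None:
            continue
        f = Finding(e.pid, path)
        f.reasons.append("script host executing a .js file")
        f.score += 1
        if any(p.search(path) for p in EXTRACT_DIR_PATTERNS):
            f.reasons.append("script runs from a temp/extraction directory")
            f.score += 2
        kids = children.get(e.pid, [])
        if any(k.image in DECOY_VIEWERS for k in kids):
            f.reasons.append("script opened a document viewer (possible decoy)")
            f.score += 2
        if any(k.image in STAGE2_HOSTS for k in kids):
            f.reasons.append("script spawned a second-stage host process")
            f.score += 3
        findings.append(f)
    return findings


def suspicious(events, threshold=5):
    """Paths of scripts whose combined score reaches the alert threshold."""
    return [f.script_path for f in analyze(events) if f.score >= threshold]


# Constructed sample telemetry: one dropper-like chain and one benign admin script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_notice.zip\notice.js"'),
    ProcEvent(201, 200, "acrord32.exe", r"AcroRd32.exe C:\Users\u\AppData\Local\Temp\notice.pdf"),
    ProcEvent(202, 200, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Start"),
    ProcEvent(300, 100, "wscript.exe", r'wscript.exe "C:\Scripts\backup.js"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.script_pid, f.score, f.script_path, "; ".join(f.reasons))
```

The scoring is deliberately additive: a .js file run by wscript alone is common in administered environments and scores low, while the combination of an extraction-directory path, a decoy viewer and a second-stage host process is what distinguishes this chain. In a real deployment, the parent-child links come from the process GUIDs in the telemetry rather than from PIDs, and the directory and host-process lists should be tuned against the organisation's own baseline.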
According to ESET, the decision to proceed with further infection is not made automatically. The group’s operators review the collected information and determine whether a particular target is of interest. Only after this assessment may the next component of the attack be delivered — a tool based on Cobalt Strike that enables remote control of the system and its use for espionage purposes.
The authors of the report note that FrostyNeighbor continuously refines its methods. In recent years, the group has used various types of lures, including CHM, XLS, PPT and DOC documents, exploited the WinRAR vulnerability CVE-2023-38831, and relied on legitimate services to deliver malicious code and track victims.
According to ESET, the new attack scheme demonstrates a high level of operational sophistication. The use of geographic filtering, server-side victim validation and a multi-stage infection chain allows the attackers to reduce the risk of detection and focus on the most valuable targets.
The company believes that FrostyNeighbor’s activity confirms the continued interest of Belarus-linked cyber groups in government institutions and strategic facilities across Eastern European countries.