'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine

CYBERATTACKS & DATA BREACHES ENDPOINT SECURITY REMOTE WORKFORCE THREAT INTELLIGENCE NEWS 'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine Attackers uniquely fingerprint victims before delivering spear-phishing payloads aimed at espionage, in the latest campaign from the Belarussian nation-state threat group. Elizabeth Montalbano,Contributing Writer May 14, 2026 4 Min Read SOURCE: PIOTR MALCZYK VIA ALAMY STOCK PHOTO A known Belarussian cyber-espionage group is back with a threat campaign against targets in Eastern Europe that uses spear-phishing to deliver malicious payloads to Eastern European government and military organizations. The campaign is unique in that the group appears to be particularly choosy about who it targets. In a campaign that began in March and targets entities in Poland and Ukraine, specifically, FrostyNeighbor — also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257 — demonstrates a continued evolution of its cybercriminal activities on behalf of Belarus, according to a report by ESET research published Thursday. Its latest attack wave targets Ukrainian and Polish government organizations, and demonstrates how the group is continuing to evolve its espionage toolkit and delivery infrastructure, according to ESET. The advanced persistent threat (APT) is using a fresh compromise chain with spear-phishing PDFs, server-side victim validation, and a JavaScript-based version of PicassoLoader, the group's main payload downloader, to ultimately deploy Cobalt Strike for post-compromise operations. Related:Foxconn Attack Highlights Manufacturing's Cyber Crisis "Since January 2026, the group seems to have abandoned the use of macro-based initial lure document ... to only use blurry PDFs containing a malicious link to the next stage," Damien Schaeffer, ESET senior malware researcher, tells Dark Reading. That PDF lure impersonates Ukrainian telecom provider Ukrtelecom, and claims to provide secure customer data protection. It includes a download link hosted on attacker-controlled infrastructure. FrostNeighbor's Cyber Evolution Beyond Disinformation LOADING... FrostyNeighbor, believed to be active since at least 2016, is known for combining cyber espionage with other malicious operations, including spear-phishing, credential theft, malware deployment, and disinformation activity associated with the broader Ghostwriter influence operation.  That campaign — which began in 2021 and was first believed to be out of Russia — targeted several European countries, including Germany, Poland, Ukraine, and the Baltic states of Estonia, Latvia, and Lithuania, with phishing and misinformation. Eventually, researchers discovered that Ghostwriter/FrostyNeighbor had a more significant phishing infrastructure than first known, which figures prominently in its latest attack.  The latest iteration is highly targeted, with attackers fingerprinting the victim's computer to ensure targeting is specific. While this in and of itself is not unique, FrostyNeighbor operators appear to then be deciding manually whether or not the target will get the implant or not, Schaeffer says. Related:China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm FrostyNeighbor's Manual, Specific Victim-Targeting If the victim is not from the expected geographic location, the server delivers a benign PDF file. However, if the victim is using an IP address from Ukraine, the server instead delivers a RAR archive containing the first stage of the attack — a JavaScript file that drops and displays the aforementioned PDF file as a decoy. Simultaneously, it also executes the second stage: a JavaScript version of the PicassoLoader downloader.  When running, PicassoLoader fingerprints the victim's computer by collecting the username, computer name, OS version, boot time of the computer, current time, and list of running processes with their process IDs. The decision whether or not to deliver a payload is very likely manually performed by the operators, as mentioned before, based on the collected information to decide if the victim is of interest, according to ESET. If they are, command-and-control (C2) responds with a third-stage JavaScript dropper for Cobalt Strike, the final payload; otherwise, it returns an empty response.  Defensive, Anti-Espionage Action for Eastern European Targets Related:Tech Can't Stop These Threats — Your People Can FrostyNeighbor remains "quite active in term of operations, and has demonstrated a continued evolution in its TTPs, trying new techniques to evade detections and compromise its targets," Schaeffer says. Indeed, the newest compromise chain outlined in the report is a continuation of the group's persistent willingness to update and renew its arsenal, according to ESET. For this reason, organizations that could be targeted by the group — especially in Poland, Lithuania, and Ukraine — should take defensive measures. These include taking the usual spear-phishing precautions, such as carefully analyzing emails with an attachment coming from external or unknown senders, Schaeffer says.  Defenders also can implement best practices such as restricting user permissions to the minimum, or preventing execution of downloaded files, and monitoring its users and environment for suspicious network communications, he adds. To help defenders identify the campaign, ESET also included a comprehensive list of indicators of compromise (IoCs) in its report. Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now! About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? Your Guide to Securing AI Adoption in Your Organization The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS