Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks

HomeCyber Security News Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks By Tushar Subhra Dutta May 15, 2026 A state-aligned hacking group known as FrostyNeighbor has resurfaced with a fresh wave of cyberattacks targeting government organizations in Ukraine, using a carefully designed infection chain that is harder than ever to detect. The group, active since at least 2016, has a long history of targeting countries neighboring Belarus, and its latest campaign shows just how far it has evolved. The new activity, detected starting in March 2026, blends deceptive documents, layered malware scripts, and server-side victim filtering into a single coordinated operation. The attacks begin with spearphishing emails carrying malicious PDF files designed to look like legitimate government communications. One lure document impersonated Ukrtelecom, a Ukrainian telecommunications company, and appeared to offer assurances about customer data protection. When a recipient clicks the download button inside the PDF, they are directed to a server fully controlled by the attackers. What they receive next depends entirely on where they are connecting from. ESET’s official threat research blog, WeLiveSecurity’s analysts identified and said in a report shared with Cyber Security News (CSN) that FrostyNeighbor, also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, is a long-running cyber espionage actor apparently aligned with the interests of Belarus. ESET researchers noted that the group regularly updates its tools and methods specifically to avoid triggering security alerts. FrostyNeighbor’s campaigns have historically focused on Ukraine, Poland, and Lithuania, with victims ranging from government and military bodies to industrial firms and healthcare organizations. Compromise chain overview (Source – Welivesecurity) In its newest campaign, the group demonstrates both patience and precision, delivering the final payload only after manually confirming that a target is worth pursuing. This selective approach makes the operation especially difficult to detect or replicate in a controlled environment. The group has been under active surveillance for years, with past reports from CERT-UA, SentinelOne, HarfangLab, and StrikeReady all documenting its evolving tactics. The latest findings reveal a newer delivery mechanism using JavaScript to stage the attack across multiple steps, pulling in tools cleverly disguised as ordinary image or web files. Hackers Abuse Scheduled Tasks Once a victim from Ukraine clicks the embedded link in the lure document, the attacker’s server delivers a RAR archive named 53_7.03.2026_R.rar. Inside is a JavaScript file that drops a decoy PDF to keep the target occupied while quietly launching the next stage in the background. This second-stage script, called PicassoLoader, is a downloader the group has used across multiple campaigns and in several different programming languages. To lock in its presence on the victim’s machine, PicassoLoader downloads a scheduled task template from the command-and-control server, disguised as a JPEG image file. The server actually delivers an XML configuration file, and the script fills in real execution parameters before registering the scheduled task on the system. Scheduled task template downloaded from the C&C server (Source – Welivesecurity) This ensures PicassoLoader runs automatically at every Windows startup, which is exactly how FrostyNeighbor maintains persistent access on compromised machines. Cobalt Strike Deployed After Victim Validation What makes this attack chain particularly sharp is the server-side validation step that occurs before any serious payload is delivered. Every ten minutes, PicassoLoader sends a system fingerprint, including the username, computer name, operating system version, and list of running processes, to the command-and-control server. A human operator then reviews this information and decides whether the target is worth the next move. If the victim qualifies, the server responds with a third-stage JavaScript dropper. This script copies the legitimate Windows file rundll32.exe under a different name, likely to bypass security tools that flag unfamiliar executables. A Cobalt Strike beacon is then written to disk, and a registry entry ensures it launches automatically on every startup, giving the attackers full and persistent remote control over the compromised machine. Security researchers recommend continuous and close monitoring of the group’s infrastructure, toolset changes, and operational patterns as the most effective defense against future campaigns. Organizations across Eastern Europe, especially those in government, defense, and critical sectors, should treat any unsolicited PDF attachment as a potential threat and remain on high alert. Indicators of Compromise (IoCs):- Type Indicator Description SHA-1 776A43E46C36A539C916ED426745EE96E2392B39 53_7.03.2026_R.rar — JS/TrojanDropper.FrostyNeighbor SHA-1 8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F 53_7.03.2026_R.js — JS/TrojanDropper.FrostyNeighbor SHA-1 B65551D339AECE718EA1465BF3542C794C445EFC Update.js — JS/TrojanDownloader.FrostyNeighbor SHA-1 E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906 Update.js — JS/TrojanDropper.FrostyNeighbor SHA-1 43E30BE82D82B24A6496F6943ECB6877E83F88AB ViberPC.dll — Win32/CobaltStrike.Beacon SHA-1 4F2C1856325372B9B7769D00141DBC1A23BDDD14 53_7.03.2026_R.pdf — PDF/TrojanDownloader.FrostyNeighbor SHA-1 D89E5524E49199B1C3B66C524E7A63C3F0A0C199 Certificate.pdf — PDF/TrojanDownloader.FrostyNeighbor SHA-1 7E537D8E91668580A482BD77A5A4CABA26D6BDAC certificate.js — JS/TrojanDownloader.FrostyNeighbor SHA-1 FA6882672AD3654800987613310D7C3FBADE027E certificate.js — JS/TrojanDownloader.FrostyNeighbor SHA-1 3FA7D1B13542F1A9EB054111F9B69C250AF68643 СетифікатCAF.rar — JS/TrojanDropper.FrostyNeighbor SHA-1 4E52C92709A918383E90534052AAA257ACE2780C СетифікатCAF.js — JS/TrojanDropper.FrostyNeighbor SHA-1 6FDED427A16D5314BA3E1EB9AFD120DC84449769 EdgeTaskMachine.js — JS/TrojanDropper.FrostyNeighbor SHA-1 27FA11F6A1D653779974B6FB54DE4AF47F211232 EdgeSystemConfig.dll — Win32/CobaltStrike.Beacon Domain attachment-storage-asset-static.needbinding[.]icu C&C server — PicassoLoader delivery Domain book-happy.needbinding[.]icu C&C server — scheduled task template and fingerprint collection Domain nama-belakang.nebao[.]icu C&C server — Cobalt Strike beacon C&C Domain easiestnewsfromourpointofview.algsat[.]icu C&C infrastructure Domain mickeymousegamesdealer.al[.]icu C&C infrastructure Domain exavegas[.]icu C&C infrastructure Domain hinesafar.sardk[.]icu C&C infrastructure Domain shinesafar.sardk[.]icu C&C infrastructure Domain best-seller.lavanille[.]buzz C&C infrastructure URL https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg Scheduled task template delivery URL URL https://book-happy.needbinding[.]icu/employment/documents-and-resources PicassoLoader fingerprint POST endpoint URL https://nama-belakang.nebao[.]icu/statistics/discover.txt Cobalt Strike beacon C&C endpoint Filename 53_7.03.2026_R.rar First-stage RAR archive lure Filename 53_7.03.2026_R.js First-stage JavaScript dropper Filename 53_7.03.2026_R.pdf Decoy PDF lure document Filename Update.js PicassoLoader second-stage downloader Filename WinUpdate.reg Registry file dropped by first-stage script Filename ViberPC.exe Renamed copy of rundll32.exe Filename ViberPC.dll Cobalt Strike beacon payload Filename ViberPC.reg Registry file for Cobalt Strike persistence Filename ViberPC.lnk Shortcut file for Cobalt Strike execution Filename EdgeTaskMachine.js Additional FrostyNeighbor dropper Filename EdgeSystemConfig.dll Additional Cobalt Strike beacon Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Magecart Hackers Abuse Google Tag Manager to Inject Credit Card Skimmers Open WebUI Vulnerability via File Upload Leads to 1-Click RCE Attack Threat Actors Leverage Vercel’s AI Tools to Mass‑Produce Realistic Phishing Sites Fragnesia Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes Latest News Cyber Security News Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks Cyber Security News Critical Next.js Vulnerability Exposes Cloud Credentials, API keys, and Admin Panels Cyber Security News OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack Cyber Security Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain Admin Access Cyber Security News Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets