Skip to main content
Mallory
Back to threat actors
🇧🇾 BY5 malware familiesExploits CVEs in the wild

FrostyNeighbor

Also known asFrostyNeighbor

FrostyNeighbor is a long-running cyberespionage threat actor also tracked as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, and Storm-0257. The provided reporting describes the group as allegedly operating from Belarus, historically attributed to Belarus, and linked or aligned with the interests of the Belarusian government. Activity has been observed since at least 2016, with sustained targeting in Eastern Europe, especially Ukraine, Poland, and Lithuania. The group primarily targets governmental, military, defense, and other key-sector organizations. Reported victims include Ukrainian government organizations, as well as industrial, healthcare, logistics, and government entities in Poland and Lithuania. The content also notes targeting of opposition activists in Belarus. Observed tradecraft includes spearphishing, credential theft, email theft, exploitation of public-facing applications, and influence or disinformation operations. In the March 2026 campaign against Ukrainian governmental organizations, spearphishing emails carried a PDF masquerading as an official Ukrtelecom communication. The PDF linked to a geofenced delivery server that returned a benign decoy to non-Ukrainian IP space and a malicious RAR archive to Ukrainian IPs. The archive contained JavaScript that displayed a decoy document and deployed a JavaScript variant of PicassoLoader. PicassoLoader fingerprinted hosts by collecting system information and beaconed to attacker-controlled infrastructure every 10 minutes; operators likely manually reviewed victim data before selectively delivering a third-stage payload, typically Cobalt Strike. In the described chain, the next stage copied rundll32.exe as ViberPC.exe, wrote a Cobalt Strike beacon as ViberPC.dll, and established persistence via an HKCU Run key and LNK-based execution. The group has used multiple PicassoLoader variants written in .NET, PowerShell, JavaScript, and C++. Reported payload delivery and evasion methods include disguising Cobalt Strike beacons as images or web-associated file types, use of lure documents such as CHM, XLS, PPT, and DOC files, abuse of legitimate services including Slack and Canarytokens, and anti-analysis techniques such as dynamic CAPTCHAs executed by VBA macros. The content also states that FrostyNeighbor exploited WinRAR vulnerability CVE-2023-38831 in earlier operations, exploited Roundcube XSS vulnerability CVE-2024-42009 to exfiltrate credentials from weaponized email messages, and targeted Polish and Lithuanian companies with spearphishing emails impersonating Polish businesses.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Military
  • Capital Goods
  • Health Care Equipment & Services
  • Pharmaceuticals, Biotechnology & Life Sciences
  • Transportation

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine
  • 🇵🇱 Poland
  • 🇱🇹 Lithuania

Where they're from

Attributed origin per open-source reporting.

  • BY
MITRE ATT&CK

Tradecraft

30 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics41 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
3 techniques
T1583
Acquire Infrastructure
T1588
Obtain Capabilities
T1588.002
Tool
T1608
Stage Capabilities
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×4
Spearphishing Attachment
TA0002
Execution
4 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.003
Windows Command Shell
T1059.005
Visual Basic
T1204
User Execution
T1204.002×3
Malicious File
TA0003
Persistence
2 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
2 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0005
Stealth
3 techniques
T1027×2
Obfuscated Files or Information
T1027.009
Embedded Payloads
T1036×2
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1218
System Binary Proxy Execution
T1218.010
Regsvr32
T1218.011
Rundll32
TA0006
Credential Access
1 technique
T1212
Exploitation for Credential Access
TA0007
Discovery
3 techniques
T1016
System Network Configuration Discovery
T1057×2
Process Discovery
T1082×4
System Information Discovery
TA0009
Collection
2 techniques
T1005
Data from Local System
T1560
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×3
Web Protocols
T1105×3
Ingress Tool Transfer
T1132
Data Encoding
T1568
Dynamic Resolution
TA0010
Exfiltration
1 technique
T1041×2
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Cobalt StrikeOperators then manually decide whether to deliver a third-stage payload, typically a Cobalt Strike beacon, to high-value targets.4May 15, 2026
PicassoLoaderFor Ukrainian IP addresses, it delivers a RAR archive containing a JavaScript file. This file executes a JavaScript version of PicassoLoader, the group's payload downloader, which collects system information and sends it to attacker-controlled servers.3May 15, 2026
ConfuserExThe dropped DLL, which we will later refer to as the first stage implant, is written in C# and obfuscated using ConfuserEx.1Mar 8, 2026
MacroPackThe obfuscation is consistent with the result of MacroPack (an offensive security tool which is available on GitHub) when executed with the --obfuscate-names parameter.1Mar 8, 2026
UPXThe implant is a C++ DLL ... and has been packed with UPX.1Mar 8, 2026
WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2024-42009Stored XSS in Roundcube Webmail message_body()In the wildEvidence2

Additionally, CERT-PL reported that the group exploited the CVE‑2024‑42009 XSS vulnerability in Roundcube, which enables JavaScript execution upon opening of weaponized email messages, to exfiltrate the victim’s credentials.

CVE-2023-38831Arbitrary Code Execution in WinRAR Archive File HandlingIn the wildEvidence1

Moreover, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC, and it has exploited the WinRAR vulnerability CVE‑2023‑38831.

IOCS

Observables

9 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

9 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
scworldNews
May 15, 2026
ESET details new Ghostwriter activity targeting Ukrainian government | brief | SC Media

Conducting spear-phishing-led intrusion campaigns against Ukrainian government organizations, with selective follow-on payload delivery to high-value targets; broader targeting also affects military, defense, industrial, healthcare, logistics, and government entities in Ukraine, Poland, and Lithuania.

Read more
eset welivesecurity blogNews
May 14, 2026
FrostyNeighbor: Fresh mischief and digital shenanigans

Long-running cyberespionage actor aligned with Belarusian interests, targeting governmental, military, and other key sectors in Eastern Europe. Recent activity targeted Ukrainian governmental organizations using spearphishing attachments, server-side victim validation, PicassoLoader, and Cobalt Strike, while broader operations also included credential harvesting, disinformation, and compromises across Poland and Lithuania.

Read more
eset welivesecurity blogNews
Nov 6, 2025
ESET APT Activity Report Q2 2025–Q3 2025

FrostyNeighbor is a threat actor exploiting XSS vulnerabilities in Roundcube and targeting Polish and Lithuanian companies with spearphishing emails, delivering credential and email stealers.

Read more
risky biz rssNews
Jul 14, 2025
Risky Bulletin: Major EoT/HoT vulnerability can bring trains to sudden stops

Espionage-oriented activity using malicious CHM files, assessed as Belarus-attributed, targeting Polish organizations and historically interested in multiple Eastern/Central European countries.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping30

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables9

Domains, IPs, and hashes tied to this actor, refreshed continuously.