Summary Points
- FrostyNeighbor (Ghostwriter) is conducting targeted spear-phishing campaigns against Ukrainian government and military entities since March 2026, using PDF attachments and geofenced delivery servers.
- The attack payload includes a JavaScript-based downloader that collects system info, with manual delivery of Cobalt Strike beacons to high-value targets.
- The group’s efforts extend to industrial, healthcare, and logistics sectors in Poland and Lithuania, reflecting broader geopolitical tensions in Eastern Europe.
Threat, Attack Techniques, and Targets
ESET researchers have identified new activities from the APT group FrostyNeighbor, also known as Ghostwriter. This group has been targeting Ukrainian government organizations since March 2026. They use spear-phishing emails as their main attack method. These emails contain PDF attachments disguised as official messages from Ukrtelecom, a major Ukrainian telecommunications provider. The PDF includes a download button that connects to a delivery server. This server uses geofencing to differentiate between IP addresses inside and outside Ukraine. For Ukrainian IPs, it delivers a RAR archive with a JavaScript file. The script runs a JavaScript version of PicassoLoader, which gathers system information. This data is then sent to servers controlled by attackers. The attackers manually decide if they want to deliver a third-stage payload, often a Cobalt Strike beacon. The group’s main targets are military, defense, and government organizations in Ukraine, but they also target industrial, healthcare, logistics, and government groups in Poland and Lithuania. This pattern shows a focus on specific targets linked to security and political interests in Eastern Europe.
Impact, Security Implications, and Remediation Guidance
This campaign poses serious risks to Ukrainian government and military organizations. The attackers can steal sensitive information and gain control of affected systems. Moreover, the use of advanced tools like PicassoLoader and Cobalt Strike increases the threat’s severity. It shows that the group is capable of executing complex operations. Because of this, organizations should strengthen their defenses against phishing attacks. Users should be cautious with email attachments and verify the sender before opening files. It is also important to keep systems updated and review security policies regularly. If organizations suspect an infection or need technical help, they should contact their security provider or relevant authorities. Since specific remediation guidance is not provided, it is recommended to get advice from cybersecurity experts or vendors familiar with these threats.
Expand Your Tech Knowledge
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
