ESET details new Ghostwriter activity targeting Ukrainian government

ESET researchers have uncovered new activity from the APT group FrostyNeighbor, also known as Ghostwriter, which has been targeting Ukrainian government organizations since at least March 2026. According to Security Affairs, this campaign mirrors previous operations by the threat actor, which is linked to the government of Belarus.

The latest FrostyNeighbor campaign begins with a spear-phishing email carrying a PDF attachment disguised as an official communication from Ukrtelecom, a major Ukrainian telecommunications provider. The document contains a download button that leads to a delivery server. This server employs geofencing: requests from IP addresses outside Ukraine receive a decoy document about electronic communications regulations, while requests from Ukrainian IP addresses receive a RAR archive containing a JavaScript file. That file runs a JavaScript version of PicassoLoader, the group's payload downloader, which collects system information and sends it to attacker-controlled servers. Operators then manually decide whether to deliver a third-stage payload, typically a Cobalt Strike beacon, to high-value targets.

The group's targeting is specific, focusing on military, defense, and governmental entities in Ukraine, while also affecting industrial, healthcare, logistics, and government bodies in Poland and Lithuania. This evolution aligns with broader geopolitical security dynamics in Eastern Europe.

Source: Security Affairs
