FrostyNeighbor
FrostyNeighbor is a long-running cyberespionage threat actor also tracked as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, and Storm-0257. Open-source reporting describes the group as allegedly operating from Belarus, has historically attributed it to Belarus, and links it to, or aligns it with, the interests of the Belarusian government. Activity has been observed since at least 2016, with sustained targeting in Eastern Europe, especially Ukraine, Poland, and Lithuania. The group primarily targets governmental, military, defense, and other key-sector organizations. Reported victims include Ukrainian government organizations, as well as industrial, healthcare, logistics, and government entities in Poland and Lithuania; opposition activists in Belarus have also been targeted. Observed tradecraft includes spearphishing, credential theft, email theft, exploitation of public-facing applications, and influence or disinformation operations.

In the March 2026 campaign against Ukrainian governmental organizations, spearphishing emails carried a PDF masquerading as an official Ukrtelecom communication. The PDF linked to a geofenced delivery server that returned a benign decoy to non-Ukrainian IP space and a malicious RAR archive to Ukrainian IPs. The archive contained JavaScript that displayed a decoy document and deployed a JavaScript variant of PicassoLoader. PicassoLoader fingerprinted hosts by collecting system information and beaconed to attacker-controlled infrastructure every 10 minutes; operators likely reviewed victim data manually before selectively delivering a third-stage payload, typically Cobalt Strike. In the described chain, the next stage copied rundll32.exe as ViberPC.exe, wrote a Cobalt Strike beacon as ViberPC.dll, and established persistence via an HKCU Run key and LNK-based execution. The group has used multiple PicassoLoader variants written in .NET, PowerShell, JavaScript, and C++.
Reported payload delivery and evasion methods include disguising Cobalt Strike beacons as images or web-associated file types, use of lure documents such as CHM, XLS, PPT, and DOC files, abuse of legitimate services including Slack and Canarytokens, and anti-analysis techniques such as dynamic CAPTCHAs executed by VBA macros. Reporting also states that FrostyNeighbor exploited WinRAR vulnerability CVE-2023-38831 in earlier operations, exploited Roundcube XSS vulnerability CVE-2024-42009 to exfiltrate credentials from weaponized email messages, and targeted Polish and Lithuanian companies with spearphishing emails impersonating Polish businesses.
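The persistence step described above (rundll32.exe copied under a new name, a beacon DLL beside it, an HKCU Run key that launches the pair) leaves host telemetry a defender can match on. The following is an added example, not code from the page or from Mallory: a small detection pass over constructed Sysmon-style events with assumed field names, flagging a process whose PE version info says rundll32 but whose on-disk name differs, and an HKCU Run value that launches a user-writable executable with rundll32's `<path>.dll,<export>` argument syntax.

```python
import re
from typing import Dict, List

# Constructed Sysmon-like events (assumed field names, not a real capture).
# Event 1 and 2 mirror the chain in the summary; 3 and 4 are benign controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create",
     "image": r"C:\Users\u\AppData\Roaming\ViberPC\ViberPC.exe",
     "original_filename": "RUNDLL32.EXE",
     "command_line": r'"C:\Users\u\AppData\Roaming\ViberPC\ViberPC.exe" '
                     r"C:\Users\u\AppData\Roaming\ViberPC\ViberPC.dll,Start"},
    {"event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ViberPC",
     "details": r'"C:\Users\u\AppData\Roaming\ViberPC\ViberPC.exe" '
                r"C:\Users\u\AppData\Roaming\ViberPC\ViberPC.dll,Start"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "original_filename": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
DLL_ENTRY = re.compile(r"\.dll,\w+", re.IGNORECASE)      # rundll32 "dll,export" syntax
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    findings = []
    if ev["event"] == "process_create":
        # PE version info identifies rundll32, but the file on disk is named differently.
        if (ev["original_filename"].lower() == "rundll32.exe"
                and basename(ev["image"]) != "rundll32.exe"):
            findings.append("renamed rundll32: " + ev["image"])
    elif ev["event"] == "registry_set":
        # Run-key autostart of a user-writable EXE that loads a DLL export rundll32-style.
        if (RUN_KEY.search(ev["target"]) and DLL_ENTRY.search(ev["details"])
                and USER_WRITABLE.search(ev["details"])):
            findings.append("Run-key DLL loader: " + ev["target"])
    return findings


def scan(events: List[Dict[str, str]]) -> List[str]:
    return [f for ev in events for f in check_event(ev)]
```

Both rules are behavioural rather than tied to the ViberPC name, so they also cover other renamed-rundll32 loaders; the second rule will fire on legitimate Run entries that use the DLL,export form from AppData and should be baselined per environment.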
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
- Capital Goods
- Health Care Equipment & Services
- Pharmaceuticals, Biotechnology & Life Sciences
- Transportation
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
- 🇵🇱 Poland
- 🇱🇹 Lithuania
Where they're from
Attributed origin per open-source reporting.
- BY (Belarus)
Tradecraft
30 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
Additionally, CERT-PL reported that the group exploited the CVE-2024-42009 XSS vulnerability in Roundcube, which enables JavaScript execution when a weaponized email message is opened, to exfiltrate the victim's credentials.
Moreover, the group uses a wide variety of lure documents to compromise its targets, such as CHM, XLS, PPT, or DOC files, and it has exploited the WinRAR vulnerability CVE-2023-38831.
Observables
9 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Conducting spear-phishing-led intrusion campaigns against Ukrainian government organizations, with selective follow-on payload delivery to high-value targets; broader targeting also affects military, defense, industrial, healthcare, logistics, and government entities in Ukraine, Poland, and Lithuania.
Long-running cyberespionage actor aligned with Belarusian interests, targeting governmental, military, and other key sectors in Eastern Europe. Recent activity targeted Ukrainian governmental organizations using spearphishing attachments, server-side victim validation, PicassoLoader, and Cobalt Strike, while broader operations also included credential harvesting, disinformation, and compromises across Poland and Lithuania.
FrostyNeighbor is a threat actor exploiting XSS vulnerabilities in Roundcube and targeting Polish and Lithuanian companies with spearphishing emails, delivering credential and email stealers.
Espionage-oriented activity using malicious CHM files, assessed as Belarus-attributed, targeting Polish organizations and historically interested in multiple Eastern/Central European countries.