PicassoLoader

PicassoLoader is a payload downloader used by the Ghostwriter cluster, also tracked as UAC-0057, UNC1151, and FrostyNeighbor. It has been described by CERT-UA as a long-standing loader/downloader used to deliver follow-on payloads, most notably Cobalt Strike Beacon. Reported variants are implemented in .NET, PowerShell, JavaScript, and C++.

Observed delivery vectors include macro-enabled lure documents, malicious RAR archives, JavaScript droppers, and campaigns exploiting WinRAR vulnerability CVE-2023-38831. In one CERT-UA-described chain, a malicious archive triggered BAT/LNK/mshta-based execution, dropped a decoy PDF, and ran JavaScript assessed as a PicassoLoader variant that downloaded an SVG file containing an encrypted .NET payload, which was decrypted with the Rabbit algorithm and led to Cobalt Strike Beacon deployment. In later Ghostwriter/FrostyNeighbor campaigns, spearphishing emails with PDF lures impersonating Ukrtelecom led Ukrainian victims to geofenced delivery servers that returned RAR archives containing JavaScript-based PicassoLoader.

PicassoLoader’s documented behavior includes collecting host profiling data such as username, computer name, OS version, boot time, current time, and running processes, then sending that information to attacker-controlled servers via HTTP POST. In the 2026 FrostyNeighbor activity, the malware beaconed victim information every ten minutes, and operators appear to have manually decided whether to deliver a third-stage payload. If selected, victims received additional JavaScript or DLL stages culminating in Cobalt Strike Beacon. Reported persistence associated with these chains includes scheduled tasks and Windows Registry Run keys; one campaign copied rundll32.exe as ViberPC.exe and stored the beacon as ViberPC.dll.

Targeting described in the source material includes Ukrainian government organizations, military and defense entities, and local self-government-related personnel, as well as Belarusian opposition activists. Additional affected sectors in Poland and Lithuania include industrial, healthcare, logistics, and government organizations. High-confidence indicators mentioned in the content include files such as sdfhui2kjd.js, mokpp9342jktihh.dll, Update.js, certificate.js, 53_7.03.2026_R.js, and EdgeTaskMachine.js; infrastructure including windacarmelita[.]pw, topibuzz[.]space, book-happy.needbinding[.]icu, attachment-storage-asset-static.needbinding[.]icu, easiestnewsfromourpointofview.algsat[.]icu, mickeymousegamesdealer.alexavegas[.]icu, hinesafar.sardk[.]icu, and shinesafar.sardk[.]icu; and host artifacts such as %TMP%\sdfhui2kjd.js, %TMP%\mokpp9342jktihh.dll, %APPDATA%\Microsoft\runbll32.dll, %AppData%\Microsoft\ruhbll32.dll, and persistence via a scheduled task named "System service".