A Belarusian cyberespionage group, FrostyNeighbor, is back with a campaign aimed at Eastern European government and military organisations in Poland and Ukraine, according to ESET research. The campaign began in March and its espionage toolkit continues to evolve, moving away from macro-based lures toward blurry PDFs that contain malicious links, delivered by spearphishing.
FrostyNeighbor's latest wave uses a novel compromise chain: spear-phishing PDFs, server-side victim validation, and a JavaScript-based PicassoLoader downloader that deploys Cobalt Strike for post-compromise operations, the researchers note. The group fingerprints victims to assess targeting, and the campaign is described as highly targeted: some victims receive a benign PDF while others, potentially from Ukraine, receive a malicious RAR containing the first stage of the attack.
ESET adds that the decision to deploy payloads appears to be made manually by operators, and that the report provides the campaign's IoCs to help defenders recognise the threat.
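As an added defender-side example (not from ESET's report and not the group's tooling), the script below triages a PDF lure of the kind described above: it lists every /URI link action in the file, flags links whose path ends in an archive extension such as .rar, and counts link rectangles that cover the whole page, which is a common way a "blurry document" lure is made clickable. The PDF bytes, domains and the full-page heuristic are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed fixture: a minimal, uncompressed PDF with two link annotations.
# Synthetic sample built for this example; not a real lure and not an ESET IoC.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://files.example.invalid/docs/report.rar) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [20 20 120 40]
   /A << /S /URI /URI (https://www.example.invalid/contact) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI action strings; the group tolerates backslash-escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Four-number boxes used by /MediaBox (page size) and /Rect (annotation area).
BOX_RE = rb"\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]"
MEDIABOX_RE = re.compile(rb"/MediaBox\s*" + BOX_RE)
RECT_RE = re.compile(rb"/Rect\s*" + BOX_RE)

# Archive types commonly used to wrap a first stage (assumption for this example).
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z", ".iso", ".img")


def _unescape(raw: bytes) -> str:
    """Undo the PDF string escapes for ( ) and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI found in an uncompressed /URI action, in file order."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def is_archive_link(uri: str) -> bool:
    """True when the URL path points at an archive download."""
    return urlparse(uri).path.lower().endswith(ARCHIVE_SUFFIXES)


def _area(box) -> float:
    x0, y0, x1, y1 = (float(v.decode()) for v in box)
    return abs(x1 - x0) * abs(y1 - y0)


def page_covering_rects(pdf_bytes: bytes, threshold: float = 0.9) -> int:
    """Count annotation rectangles covering at least `threshold` of the page.

    Uses the first /MediaBox found; falls back to US Letter when absent.
    """
    mb = MEDIABOX_RE.search(pdf_bytes)
    page_area = _area(mb.groups()) if mb else 612.0 * 792.0
    return sum(1 for m in RECT_RE.finditer(pdf_bytes)
               if _area(m.groups()) >= threshold * page_area)


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Summarise the link-related indicators a reviewer would look at first."""
    uris = extract_uris(pdf_bytes)
    archive_links = [u for u in uris if is_archive_link(u)]
    full_page = page_covering_rects(pdf_bytes)
    return {
        "uris": uris,
        "archive_links": archive_links,
        "full_page_rects": full_page,
        "suspicious": bool(archive_links) or full_page > 0,
    }


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

The regexes only see uncompressed objects, so decompress object streams first (for instance with qpdf's --qdf mode) or run the same checks over the annotation dictionaries a library such as pypdf exposes. A flagged file is a triage signal, not a verdict: the server-side validation described above means the linked host may return a benign document to an analyst sandbox and the malicious RAR only to a selected target.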