ESET researchers have uncovered fresh Ghostwriter (aka FrostyNeighbor) activity targeting Ukrainian governmental organisations, active since at least March 2026. The campaign begins with a spear-phishing email carrying a PDF attachment that impersonates Ukrtelecom (the observed lure file was named 53_7.03.2026_R.pdf) and contains a download button linking to a document on a group-controlled delivery server.
That server uses geofencing: victims from Ukraine receive a RAR archive containing a JavaScript file that, when executed, launches a JavaScript version of PicassoLoader to profile the host and report back every ten minutes. High-value targets may receive a third-stage payload that deploys a Cobalt Strike beacon, with operators manually deciding whether to proceed based on the collected information.
The malware disguises rundll32[.]exe as ViberPC[.]exe and establishes persistence via a registry Run key, while its C2 infrastructure hides behind Cloudflare using .icu and .buzz domains. In Ukraine, FrostyNeighbor focuses on military, defence, and governmental entities, with broader victimology including various sectors in Poland and Lithuania, according to ESET telemetry.
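As an added defender-side illustration (not code or detection logic from ESET's report), the Python below correlates two signals of the persistence pattern described above on constructed Sysmon-style events: a process whose PE OriginalFileName is RUNDLL32.EXE but whose on-disk name differs (the ViberPC.exe masquerade), tied to a Run key value that launches that file. The event field names, paths and the registry value name are assumptions.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# create, EventID 13 = registry value set. Paths and value names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\ViberPC\ViberPC.exe",
     "OriginalFileName": "RUNDLL32.EXE"},                      # renamed rundll32
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE"},                      # legitimate rundll32
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Viber\Viber.exe",
     "OriginalFileName": "Viber.exe"},                         # genuine Viber client
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Viber",
     "Details": r"C:\Users\victim\AppData\Roaming\ViberPC\ViberPC.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
RUN_KEY_MARKER = "\\currentversion\\run\\"

def masqueraded_rundll32_images(events):
    """Lower-cased image paths whose PE name is RUNDLL32.EXE but whose file name is not."""
    hits = set()
    for ev in events:
        if ev.get("EventID") != 1 or ev.get("OriginalFileName", "").upper() != "RUNDLL32.EXE":
            continue
        if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
            hits.add(ev["Image"].lower())
    return hits

def run_key_persistence(events, suspicious_images):
    """Run-key value-set events whose data launches one of the suspicious images."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if RUN_KEY_MARKER not in target.lower():
            continue
        launched = ev.get("Details", "").strip('"').lower()
        if any(launched.startswith(img) for img in suspicious_images):
            findings.append({"run_key": target, "image": ev["Details"]})
    return findings

def detect(events):
    """Correlate both signals: a renamed rundll32 plus a Run key that starts it."""
    events = list(events)
    return run_key_persistence(events, masqueraded_rundll32_images(events))
```

`detect(SAMPLE_EVENTS)` flags only the Viber Run key pointing at the renamed rundll32; the genuine rundll32, the real Viber client and the OneDrive autorun entry are left alone.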