FrostyNeighbor Attacks: Hackers Abuse Scheduled Tasks for Persistence
Key Takeaways
- The state-aligned hacking group FrostyNeighbor has launched a sophisticated new campaign targeting Ukrainian government entities.
- The attacks utilize spearphishing with malicious PDFs, a multi-stage infection chain, and server-side victim filtering to deploy the PicassoLoader downloader and ultimately a Cobalt Strike beacon.
- FrostyNeighbor employs scheduled tasks and registry modifications for persistence, making detection and eradication challenging.
- The group demonstrates a highly selective approach, delivering the final payload only after manual validation of high-value targets.
The state-sponsored cyberespionage group known as FrostyNeighbor, also tracked by various aliases including Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, has initiated a sophisticated new wave of attacks against Ukrainian government organizations. Active since at least 2016, this Belarus-aligned threat actor has consistently refined its tactics, techniques, and procedures (TTPs), making its latest campaign particularly evasive and difficult to uncover.
Beginning in March 2026, the current operation integrates deceptive documents, multi-layered malware scripts, and a critical server-side victim filtering mechanism. This coordinated approach allows the attackers to maintain a low profile and ensure that their high-value payloads are only delivered to truly desirable targets, as detailed in a recent report.
Initial Infection Chain and Deception
The attack sequence commences with spearphishing emails containing malicious PDF attachments. These documents are meticulously crafted to appear as authentic government communications. For instance, one observed lure mimicked official correspondence from Ukrtelecom, a major Ukrainian telecommunications provider, promising assurances regarding customer data protection.
When a recipient interacts with a download button embedded within the malicious PDF, they are redirected to a server controlled by the attackers. Crucially, the subsequent payload delivered to the victim is contingent upon their geographical location and other identifiable characteristics, indicating a precise targeting strategy.
ESET’s threat research blog, WeLiveSecurity, shared insights with Cyber Security News (CSN), emphasizing FrostyNeighbor’s continuous development of tools and methods specifically designed to circumvent security alerts. Historically, FrostyNeighbor’s campaigns have focused on entities within Ukraine, Poland, and Lithuania, encompassing a broad spectrum of targets from government and military bodies to industrial firms and healthcare organizations.
This latest campaign underscores the group’s patience and precision. The final, most potent payload is only deployed after a manual confirmation process, wherein human operators assess the target’s value. This selective methodology poses significant challenges for detection and replication within sandboxed environments, further complicating defensive efforts.
Security researchers have been actively monitoring FrostyNeighbor for years, with past reports from CERT-UA, SentinelOne, HarfangLab, and StrikeReady consistently documenting the evolution of their TTPs. Recent findings highlight a new delivery mechanism that leverages JavaScript to stage the attack across multiple steps, discreetly fetching tools disguised as benign image or web files.
Hackers Abuse Scheduled Tasks
When a Ukrainian victim clicks the embedded link in the initial PDF lure, the attacker’s server delivers a RAR archive named 53_7.03.2026_R.rar. Inside this archive is a JavaScript file that executes in two stages. First, it drops a decoy PDF to distract the user, while simultaneously launching the next stage in the background. This second-stage script, known as PicassoLoader, is a versatile downloader previously observed in multiple FrostyNeighbor campaigns, implemented in various programming languages.
To establish persistence on the compromised system, PicassoLoader retrieves a scheduled task template from its command-and-control (C2) server. This template is cleverly disguised as a JPEG image file but is, in fact, an XML configuration file. The script then populates this XML with actual execution parameters and registers the scheduled task on the victim’s machine. This strategic use of scheduled tasks ensures that PicassoLoader automatically executes with every Windows startup, providing FrostyNeighbor with reliable and persistent access to the compromised endpoint.
Cobalt Strike Deployed After Victim Validation
A distinctive and highly effective aspect of this attack chain is the server-side validation that precedes the deployment of any high-impact payload. Every ten minutes, PicassoLoader transmits a system fingerprint to the C2 server. This fingerprint includes critical information such as the username, computer name, operating system version, and a list of currently running processes. A human operator then meticulously reviews this data to determine if the target warrants further exploitation.
Should the victim be deemed valuable, the C2 server responds by delivering a third-stage JavaScript dropper. This script takes an additional measure to evade detection by copying the legitimate Windows executable rundll32.exe under an altered filename. This tactic aims to bypass security solutions that might flag unfamiliar executables. Subsequently, a Cobalt Strike beacon is written to disk, and a corresponding registry entry is created to ensure its automatic launch at every system startup. This final stage grants the attackers full, persistent remote control over the compromised machine.
What You Should Do
- Educate Users: Conduct regular training on identifying spearphishing attempts, especially those involving unsolicited PDF attachments or links that lead to external downloads.
- Implement Email Security: Deploy advanced email gateway solutions with robust attachment scanning, URL sandboxing, and DMARC, DKIM, and SPF authentication to filter out malicious emails.
- Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for suspicious activities like the creation of new scheduled tasks, unusual process execution (e.g., a renamed rundll32.exe), and beaconing activity to known C2 infrastructure.
- Network Segmentation and Filtering: Implement network segmentation to limit lateral movement and deploy robust network filtering to block connections to known malicious domains and IP addresses.
- Monitor Scheduled Tasks and Registry: Regularly audit scheduled tasks and registry entries for unauthorized modifications, especially those configured for automatic startup.
- Threat Intelligence Integration: Integrate the provided Indicators of Compromise (IoCs) into your security information and event management (SIEM) systems, firewalls, and endpoint protection platforms for proactive detection and blocking.
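One way to turn the scheduled-task, renamed-rundll32 and registry-monitoring advice above into detection logic, as an added example that is not code from the original report: three rules run over constructed endpoint events whose field names are a simplified assumption of Sysmon (IDs 1 and 13) and Windows Security (4698) fields. The sample file names mirror those the report names (ViberPC.exe as the renamed rundll32.exe, Update.js as the task payload); the Run key as the registry location is an assumption.

```python
import ntpath
import re

# Constructed sample events, not real telemetry. Field names are simplified
# assumptions: Sysmon ID 1 (process creation), Security 4698 (task registered)
# and Sysmon ID 13 (registry value set), flattened into dicts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\Viber\ViberPC.exe",
     "OriginalFileName": "RUNDLL32.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE"},
    {"EventID": 4698, "TaskName": r"\WinUpdate",
     "TaskCommand": r"C:\Windows\System32\wscript.exe",
     "TaskArguments": r"C:\Users\u\AppData\Local\Temp\Update.js"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskCommand": r"%windir%\system32\defrag.exe", "TaskArguments": "-c -h -o"},
    {"EventID": 13, "Details": r"C:\Users\u\AppData\Roaming\Viber\ViberPC.lnk",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ViberPC"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

def renamed_rundll32(event):
    """PE version info says rundll32 but the image runs under another file name."""
    image = ntpath.basename(event.get("Image", "")).lower()
    return event.get("OriginalFileName", "").lower() == "rundll32.exe" and image != "rundll32.exe"

def script_task_from_user_path(event):
    """Task whose action is a script host running a .js/.jse from a user-writable path."""
    host = ntpath.basename(event.get("TaskCommand", "")).lower()
    args = event.get("TaskArguments", "").lower()
    return host in SCRIPT_HOSTS and args.endswith((".js", ".jse")) and bool(USER_WRITABLE.search(args))

def run_key_into_user_path(event):
    """Run-key value (assumed persistence location) whose launch target sits in a user-writable directory."""
    in_run_key = "\\currentversion\\run\\" in event.get("TargetObject", "").lower()
    return in_run_key and bool(USER_WRITABLE.search(event.get("Details", "")))

# Each rule is bound to the event type it was written for.
RULES = {1: renamed_rundll32, 4698: script_task_from_user_path, 13: run_key_into_user_path}

def triage(events):
    """Return (rule name, event) for each event that matches the rule for its type."""
    hits = []
    for event in events:
        rule = RULES.get(event.get("EventID"))
        if rule and rule(event):
            hits.append((rule.__name__, event))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags the renamed rundll32 copy, the wscript task and the Run-key entry while leaving the genuine rundll32.exe and the built-in defrag task alone.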
Indicators of Compromise (IoCs):
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.