FrostyNeighbor Attacks: Hackers Abuse Scheduled Tasks for Persistence

By Sarah Simpson, May 15, 2026

Key Takeaways

  • The state-aligned hacking group FrostyNeighbor has launched a sophisticated new campaign targeting Ukrainian government entities.
  • The attacks utilize spearphishing with malicious PDFs, a multi-stage infection chain, and server-side victim filtering to deploy the PicassoLoader downloader and ultimately a Cobalt Strike beacon.
  • FrostyNeighbor employs scheduled tasks and registry modifications for persistence, making detection and eradication challenging.
  • The group demonstrates a highly selective approach, delivering the final payload only after manual validation of high-value targets.

The state-sponsored cyberespionage group known as FrostyNeighbor, also tracked by various aliases including Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, has initiated a sophisticated new wave of attacks against Ukrainian government organizations. Active since at least 2016, this Belarus-aligned threat actor has consistently refined its tactics, techniques, and procedures (TTPs), making its latest campaign particularly evasive and difficult to uncover.

Beginning in March 2026, the current operation combines deceptive documents, multi-layered malware scripts, and a critical server-side victim filtering mechanism. This coordinated approach allows the attackers to maintain a low profile and ensure that their high-value payloads reach only the targets they actually want, as detailed in a recent report.

Initial Infection Chain and Deception

The attack sequence commences with spearphishing emails containing malicious PDF attachments. These documents are meticulously crafted to appear as authentic government communications. For instance, one observed lure mimicked official correspondence from Ukrtelecom, a major Ukrainian telecommunications provider, promising assurances regarding customer data protection.

When a recipient interacts with a download button embedded within the malicious PDF, they are redirected to a server controlled by the attackers. Crucially, the subsequent payload delivered to the victim is contingent upon their geographical location and other identifiable characteristics, indicating a precise targeting strategy.

ESET’s threat research blog, WeLiveSecurity, shared insights with Cyber Security News (CSN), emphasizing FrostyNeighbor’s continuous development of tools and methods specifically designed to circumvent security alerts. Historically, FrostyNeighbor’s campaigns have focused on entities within Ukraine, Poland, and Lithuania, encompassing a broad spectrum of targets from government and military bodies to industrial firms and healthcare organizations.

This latest campaign underscores the group’s patience and precision. The final, most potent payload is only deployed after a manual confirmation process, wherein human operators assess the target’s value. This selective methodology poses significant challenges for detection and replication within sandboxed environments, further complicating defensive efforts.

Security researchers have been actively monitoring FrostyNeighbor for years, with past reports from CERT-UA, SentinelOne, HarfangLab, and StrikeReady consistently documenting the evolution of their TTPs. Recent findings highlight a new delivery mechanism that leverages JavaScript to stage the attack across multiple steps, discreetly fetching tools disguised as benign image or web files.

Hackers Abuse Scheduled Tasks

When a Ukrainian victim clicks the embedded link in the initial PDF lure, the attacker’s server delivers a RAR archive named 53_7.03.2026_R.rar. Inside this archive is a JavaScript file that executes in two stages. First, it drops a decoy PDF to distract the user, while simultaneously launching the next stage in the background. This second-stage script, known as PicassoLoader, is a versatile downloader previously observed in multiple FrostyNeighbor campaigns, implemented in various programming languages.

To establish persistence on the compromised system, PicassoLoader retrieves a scheduled task template from its command-and-control (C2) server. This template is cleverly disguised as a JPEG image file but is, in fact, an XML configuration file. The script then populates this XML with actual execution parameters and registers the scheduled task on the victim’s machine. This strategic use of scheduled tasks ensures that PicassoLoader automatically executes with every Windows startup, providing FrostyNeighbor with reliable and persistent access to the compromised endpoint.

Cobalt Strike Deployed After Victim Validation

A distinctive and highly effective aspect of this attack chain is the server-side validation that precedes the deployment of any high-impact payload. Every ten minutes, PicassoLoader transmits a system fingerprint to the C2 server. This fingerprint includes critical information such as the username, computer name, operating system version, and a list of currently running processes. A human operator then meticulously reviews this data to determine if the target warrants further exploitation.

Should the victim be deemed valuable, the C2 server responds by delivering a third-stage JavaScript dropper. This script takes an additional measure to evade detection by copying the legitimate Windows executable rundll32.exe under an altered filename. This tactic aims to bypass security solutions that might flag unfamiliar executables. Subsequently, a Cobalt Strike beacon is written to disk, and a corresponding registry entry is created to ensure its automatic launch at every system startup. This final stage grants the attackers full, persistent remote control over the compromised machine.

What You Should Do

  • Educate Users: Conduct regular training on identifying spearphishing attempts, especially those involving unsolicited PDF attachments or links that lead to external downloads.
  • Implement Email Security: Deploy advanced email gateway solutions with robust attachment scanning, URL sandboxing, and DMARC, DKIM, and SPF authentication to filter out malicious emails.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for suspicious activities like the creation of new scheduled tasks, unusual process execution (e.g., rundll32.exe renamed), and beaconing activity to known C2 infrastructure.
  • Network Segmentation and Filtering: Implement network segmentation to limit lateral movement and deploy robust network filtering to block connections to known malicious domains and IP addresses.
  • Monitor Scheduled Tasks and Registry: Regularly audit scheduled tasks and registry entries for unauthorized modifications, especially those configured for automatic startup.
  • Threat Intelligence Integration: Integrate the provided Indicators of Compromise (IoCs) into your security information and event management (SIEM) systems, firewalls, and endpoint protection platforms for proactive detection and blocking.
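To make the EDR and "Monitor Scheduled Tasks and Registry" items concrete, here is an added Python example (not from the article, ESET, or any of the cited vendors). It parses a Task Scheduler XML definition, the format the disguised "JPEG" template really is, and flags logon- or boot-triggered tasks that launch a script host, and it checks process-start events for binaries whose PE OriginalFileName (as recorded by Sysmon Event ID 1 and most EDRs) differs from their on-disk name, which is how a renamed rundll32.exe copy stands out. The task XML, the process events and every path in them are constructed sample data.

```python
# Added example: triage checks for the two persistence techniques described above,
# run over constructed sample data (nothing here is taken from a real sample).
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
STARTUP_TRIGGERS = ("t:Triggers/t:LogonTrigger", "t:Triggers/t:BootTrigger")
# Script hosts and execution proxies a JavaScript dropper would plausibly register a task for.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}

# Constructed sample task: runs a .js file from a user-writable directory at every logon.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //E:JScript C:\\Users\\Public\\Update.js</Arguments>
    </Exec>
  </Actions>
</Task>"""

def suspicious_task_findings(task_xml: str) -> List[str]:
    """Return reasons a task definition looks like script-based startup persistence."""
    root = ET.fromstring(task_xml)
    findings: List[str] = []
    runs_at_startup = any(root.find(p, NS) is not None for p in STARTUP_TRIGGERS)
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", "", NS).strip()
        args = exec_node.findtext("t:Arguments", "", NS).strip()
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if runs_at_startup and exe in SCRIPT_HOSTS:
            findings.append(f"startup trigger launches {exe} with: {args}")
        if "\\users\\" in args.lower() and args.lower().endswith((".js", ".vbs", ".hta")):
            findings.append(f"script executed from a user-writable path: {args}")
    return findings

# Constructed process-start events: (image path, OriginalFileName from the PE version
# resource). An empty OriginalFileName means the image carries no version info.
SAMPLE_PROCESS_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE"),
    (r"C:\Users\Public\ViberPC.exe", "RUNDLL32.EXE"),  # renamed copy, as in the third stage
    (r"C:\Users\Public\notes.exe", ""),                 # no version info: cannot judge
]

def renamed_system_binaries(events: List[Tuple[str, str]]) -> List[str]:
    """Flag images whose on-disk name differs from the OriginalFileName compiled into them."""
    return [path for path, original in events
            if original and original.lower() != path.rsplit("\\", 1)[-1].lower()]
```

On a live host the same two functions can be fed the XML exported by `schtasks /query /xml` and the OriginalFileName field from Sysmon or EDR process telemetry.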

Indicators of Compromise (IoCs)

File artifacts observed in the campaign:

  • 53_7.03.2026_R.rar: first-stage RAR archive lure
  • 53_7.03.2026_R.js: first-stage JavaScript dropper
  • 53_7.03.2026_R.pdf: decoy PDF lure document
  • Update.js: PicassoLoader second-stage downloader
  • WinUpdate.reg: registry file dropped by the first-stage script
  • ViberPC.exe: renamed copy of rundll32.exe
  • ViberPC.dll: Cobalt Strike beacon payload
  • ViberPC.reg: registry file for Cobalt Strike persistence
  • ViberPC.lnk: shortcut file for Cobalt Strike execution
  • EdgeTaskMachine.js: additional FrostyNeighbor dropper
  • EdgeSystemConfig.dll: additional Cobalt Strike beacon
