
'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine

Why This Matters

The resurgence of the FrostyNeighbor APT targeting Eastern European government agencies underscores the increasing sophistication and evolving tactics of state-sponsored cyber espionage groups. This highlights the ongoing cybersecurity threats faced by governments and the importance of robust defense measures to protect sensitive information. For consumers and organizations alike, it emphasizes the need for heightened awareness and proactive security practices in an era of advanced cyber threats.

Key Takeaways

A known Belarusian cyberespionage group is back with a campaign that uses spearphishing to deliver malicious payloads to government and military organizations in Eastern Europe. What sets the campaign apart is how selective the group is about which targets actually receive the implant.

In a campaign that began in March and specifically targets entities in Poland and Ukraine, FrostyNeighbor — also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257 — demonstrates a continued evolution of its cyberespionage activity on behalf of Belarus, according to a report by ESET Research published Thursday.

Its latest attack wave targets Ukrainian and Polish government organizations, and demonstrates how the group is continuing to evolve its espionage toolkit and delivery infrastructure, according to ESET. The advanced persistent threat (APT) is using a fresh compromise chain with spear-phishing PDFs, server-side victim validation, and a JavaScript-based version of PicassoLoader, the group's main payload downloader, to ultimately deploy Cobalt Strike for post-compromise operations.


"Since January 2026, the group seems to have abandoned the use of macro-based initial lure document ... to only use blurry PDFs containing a malicious link to the next stage," Damien Schaeffer, ESET senior malware researcher, tells Dark Reading.

That PDF lure impersonates Ukrainian telecom provider Ukrtelecom, and claims to provide secure customer data protection. It includes a download link hosted on attacker-controlled infrastructure.
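The lure described above is a PDF whose only payload is a link, so a first triage step is to pull every link-annotation URI out of the file and check whether the host belongs to the impersonated brand or merely borrows its name. The script below is an added example, not code from ESET or from the article; it constructs two minimal PDFs inline (one plain, one with the annotation inside a FlateDecode stream, which a raw grep for `/URI` would miss), extracts the URIs, and classifies them. The lookalike host `ukrtelecom-secure.invalid` and the file path are constructed for the example and are not indicators from the report; `ukrtelecom.ua` is assumed here to be the brand's legitimate domain.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample 1: a minimal, uncompressed PDF with a single /Link annotation.
# The host uses the reserved .invalid TLD and is NOT an indicator from the ESET report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://ukrtelecom-secure.invalid/customer/protect.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Constructed sample 2: the same kind of annotation inside a FlateDecode
    stream, which is how real-world lures usually ship it. A plain grep for
    /URI on the raw file finds nothing here; the stream must be inflated first."""
    inner = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.ukrtelecom.ua/) >> >>"
    data = zlib.compress(inner)
    return (b"%PDF-1.4\n5 0 obj << /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


# /URI (literal string) with backslash escapes, and /URI <hex string>.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _unescape(raw: bytes) -> str:
    # Handles \( \) \\ ; octal escapes are left as-is, which is enough for URLs.
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def _scan(buf: bytes) -> list:
    found = [_unescape(m.group(1)) for m in URI_LITERAL_RE.finditer(buf)]
    found += [bytes.fromhex(m.group(1).decode()).decode("latin-1")
              for m in URI_HEX_RE.finditer(buf)]
    return found


def extract_uris(pdf: bytes) -> list:
    """Return every link-annotation URI, in order of appearance, from the raw
    bytes and from every stream that inflates cleanly (object streams included)."""
    uris = _scan(pdf)
    for m in STREAM_RE.finditer(pdf):
        d = zlib.decompressobj()
        try:
            # Any trailing newline after the zlib data lands in d.unused_data.
            uris += _scan(d.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate (or a different filter); out of scope here
    seen, out = set(), []
    for u in uris:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


BRAND = "ukrtelecom"                # impersonated brand named in the article
LEGIT_DOMAINS = ("ukrtelecom.ua",)  # assumed legitimate domain for that brand


def classify_uri(uri: str, brand: str = BRAND, legit: tuple = LEGIT_DOMAINS) -> str:
    host = (urlparse(uri).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in legit):
        return "legitimate-domain"
    if brand in host:
        return "brand-lookalike"   # brand name on a host we do not recognise
    return "external"


def triage(pdf: bytes) -> list:
    """(uri, verdict) for every link in the PDF; lookalikes are the ones to pull."""
    return [(u, classify_uri(u)) for u in extract_uris(pdf)]


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, build_compressed_sample()):
        for uri, verdict in triage(sample):
            print(f"{verdict:18} {uri}")
```

Running the script prints `brand-lookalike` for the plain sample and `legitimate-domain` for the compressed one. In practice the lookalike verdict is a prompt to detonate or sinkhole the link, not a conviction: a legitimate mailer may use a third-party CDN, and the article notes the next stage only serves the payload after server-side validation, so fetching the URL from an analysis box may return nothing.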

FrostyNeighbor's Cyber Evolution Beyond Disinformation

FrostyNeighbor, believed to be active since at least 2016, is known for combining cyberespionage with other malicious operations, including spearphishing, credential theft, malware deployment, and disinformation activity associated with the broader Ghostwriter influence operation.

That campaign — which began in 2021 and was first believed to be out of Russia — targeted several European countries, including Germany, Poland, Ukraine, and the Baltic states of Estonia, Latvia, and Lithuania, with phishing and misinformation. Eventually, researchers discovered that Ghostwriter/FrostyNeighbor had a more significant phishing infrastructure than first known, which figures prominently in its latest attack.

The latest iteration is highly targeted, with attackers fingerprinting the victim's computer to confirm it is the intended target. While fingerprinting in and of itself is not unique, FrostyNeighbor operators then appear to decide manually whether a given target receives the implant, Schaeffer says.
