FrostyNeighbor Group Uses Windows Scheduled Tasks for Stealthy Persistence

The FrostyNeighbor hacking group targets Ukrainian government organizations with spearphishing emails and server-side filtering before abusing Windows Scheduled Tasks to maintain persistent access on compromised systems.

CSBadmin

Attack Chain Exploits Spearphishing and Server-Side Filtering

A state-aligned hacking group known as FrostyNeighbor has launched a new campaign targeting Ukrainian government organizations, first detected in March 2026. The operation begins with spearphishing emails that carry malicious PDF files designed to look like legitimate government communications. One lure document impersonated Ukrtelecom, a Ukrainian telecommunications company, and appeared to offer reassurances about customer data protection. When a recipient clicks the download button inside the PDF, they are directed to an attacker-controlled server. What happens next depends entirely on the victim's location, as the group uses server-side filtering to manually confirm a target is worth pursuing before delivering the final payload. This selective approach makes the operation exceptionally difficult to detect or replicate in a controlled environment.

Persistence Through Abused Scheduled Tasks

The group, tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, has been active since at least 2016 with a focus on targets in Ukraine, Poland, and Lithuania. Victims have included government bodies, military entities, industrial firms, and healthcare organizations. In this campaign, FrostyNeighbor demonstrates both patience and precision, using JavaScript to stage the attack across multiple steps. Tools are pulled in, cleverly disguised as ordinary image or web files. Once a victim is fully compromised, the attackers abuse Windows Scheduled Tasks to maintain persistence on infected systems, ensuring their access survives reboots and security software scans. ESET researchers noted that the group regularly updates its tools and methods specifically to avoid triggering security alerts, making this campaign significantly harder to detect than previous ones.
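For defenders, the practical question is how to find a task like this among the hundreds a Windows host carries. The triage script below is an added example written for this article, not tooling from ESET or the report; it scores exported Task Scheduler XML (the format `schtasks /query /xml` and `Export-ScheduledTask` emit) for the traits the campaign description points at: a script host launching a file with an image or web extension, payloads under user-writable paths, and a trigger that re-arms after reboot or logon. The function names, the weights in `WEIGHTS`, and both sample task definitions are assumptions constructed for illustration.

```python
"""Score Windows Scheduled Task definitions for traits that often accompany
persistence abuse. Added, constructed example; the sample task XML below is
made up and is not an artefact from the FrostyNeighbor campaign."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and proxy-execution binaries that attacker-created tasks commonly launch
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Paths a standard user can write to; vendor tasks seldom run payloads from here
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Extensions that should never be handed to a script host (payloads disguised as image/web files)
DISGUISED_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|html?|css|ico)\b", re.I)
# Triggers that fire again after reboot or logon, i.e. durable persistence
PERSISTENT_TRIGGERS = {"BootTrigger", "LogonTrigger", "CalendarTrigger", "TimeTrigger"}

# Assumed weights; tune them against your own fleet's baseline
WEIGHTS = {
    "script_host": 30, "user_writable_path": 30, "disguised_payload": 25,
    "encoded_command": 25, "hidden_window": 15, "hidden_task": 15,
    "persistent_trigger": 10, "highest_privileges": 10,
}


def _local(tag):
    """Drop the namespace from an element tag: '{ns}LogonTrigger' -> 'LogonTrigger'."""
    return tag.rsplit("}", 1)[-1]


def triage_task(xml_text, name="<unnamed>"):
    """Return {'name', 'reasons', 'score'} (score 0-100) for one task definition."""
    # Exported tasks begin with a UTF-16 XML declaration; strip it so a str parses cleanly
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    reasons = []  # list of (weight key, human-readable detail)

    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(("script_host", f"action launches {exe}"))
            if DISGUISED_EXT.search(args):
                reasons.append(("disguised_payload", "image/web file extension passed to a script host"))
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(("user_writable_path", "action references a user-writable directory"))
        if re.search(r"\s-(e|ec|enc|encodedcommand)\s", f" {args} ", re.I):
            reasons.append(("encoded_command", "PowerShell encoded command"))
        if re.search(r"-w(indowstyle)?\s+hidden", args, re.I):
            reasons.append(("hidden_window", "runs with a hidden window"))

    triggers = root.find("t:Triggers", NS)
    for trig in (list(triggers) if triggers is not None else []):
        if _local(trig.tag) in PERSISTENT_TRIGGERS:
            reasons.append(("persistent_trigger", f"{_local(trig.tag)} re-arms the task"))
    if root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=NS) == "HighestAvailable":
        reasons.append(("highest_privileges", "RunLevel is HighestAvailable"))
    if root.findtext("t:Settings/t:Hidden", default="", namespaces=NS).lower() == "true":
        reasons.append(("hidden_task", "task is hidden from the Task Scheduler UI"))

    score = min(100, sum(WEIGHTS[k] for k, _ in reasons))
    return {"name": name, "reasons": [d for _, d in reasons], "score": score}


def triage_all(tasks, threshold=50):
    """Score every task in {name: xml} and return [(name, score)] at/above threshold, highest first."""
    hits = [(r["name"], r["score"]) for r in (triage_task(x, n) for n, x in tasks.items())
            if r["score"] >= threshold]
    return sorted(hits, key=lambda t: t[1], reverse=True)


# Constructed sample: a logon task that feeds a ".png" from AppData to wscript, hidden from the UI
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B //E:jscript "C:\Users\user\AppData\Roaming\update.png"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater scheduled nightly from Program Files
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-03-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\Updater.exe</Command><Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in {"OneDrive Update": SUSPICIOUS_TASK_XML, "Vendor Updater": BENIGN_TASK_XML}.items():
        r = triage_task(xml, name)
        print(f"{r['score']:3d}  {r['name']}: {'; '.join(r['reasons']) or 'nothing notable'}")
    print("flagged:", triage_all({"OneDrive Update": SUSPICIOUS_TASK_XML, "Vendor Updater": BENIGN_TASK_XML}))
```

On a real host, feed it the output of `schtasks /query /xml ONE` per task (read with `encoding="utf-16"`); the scoring deliberately treats a persistent trigger or elevated run level alone as weak evidence, since nearly every legitimate updater has both, and weights the combination of a script host, a user-writable path and a mismatched file extension as the signal worth a look.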

Source: Cyber Security News
