FrostyNeighbor Targets Ukraine With PDF Lures and PicassoLoader

Stephanie Adlam

FrostyNeighbor, the Belarus-aligned activity cluster that overlaps with what other public reporting calls Ghostwriter, is back with a Ukraine-focused spearphishing chain. ESET researchers say the latest activity has targeted Ukrainian governmental organizations since March 2026, using malicious PDF attachments that impersonate a telecom-related notice and lead to a JavaScript version of PicassoLoader, with selected victims then receiving Cobalt Strike [1].

The campaign is worth understanding because it is not a simple “open attachment, run malware” case. The lure PDF points to a delivery server controlled by the attackers. If the visitor does not match the expected geographic profile, the server returns a benign PDF related to Ukrainian electronic communications regulation. If the victim appears interesting, the server serves a ZIP archive containing a shortcut and a JavaScript dropper. That split matters for defenders: a sandbox fetching the link from outside the targeted region, or an analyst opening it after the operators have changed the server's behavior, may see only the harmless decoy and clear the message as benign.

Figure: PDF lure impersonating a Ukrainian telecom notice, as used in the FrostyNeighbor campaign. Source: ESET / WeLiveSecurity.

Why This Chain Is Harder To Triage

According to ESET, the second-stage JavaScript PicassoLoader fingerprints the machine by collecting the username, computer name, OS version, boot time, current time, and running processes. It then checks in every 10 minutes. Only when the operators decide the victim is worth pursuing does the server return the next JavaScript stage, which drops Cobalt Strike. That operator-controlled gap is the practical warning: a victim may have the loader running even when no obvious final payload has appeared yet.

For Ukrainian public-sector and contractor environments, the first checks should be concrete. Look for recently opened PDFs or archives tied to telecom, regulation, document-download, or “data protection” language; shortcut files extracted from ZIP archives; JavaScript launched by wscript.exe or cscript.exe; scheduled tasks created around the time of the lure; and outbound traffic to unusual document or resource paths. If a host has already executed the loader, response should include token and credential review, because Cobalt Strike access is often used for hands-on follow-up rather than a single automated action.
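The checks above, plus the 10-minute check-in interval described in the previous section, can be turned into a small triage script. The following is an added example written for this article; it is not ESET's or Gridinsoft's code and not a detection from the original reporting. It assumes Sysmon-style process and network events with the field names shown, and the sample telemetry (SAMPLE_EVENTS) is constructed for illustration, using RFC 5737 documentation addresses rather than real infrastructure. The ZIP extraction path pattern relies on Windows Explorer's built-in archive viewer placing a double-clicked member under %TEMP%\Temp1_<archive>.zip\.

```python
"""Added example (not ESET's or Gridinsoft's code): host triage for the
FrostyNeighbor chain. Event layout is assumed; SAMPLE_EVENTS is constructed."""
import re
import statistics
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Explorer's built-in ZIP viewer extracts a double-clicked member to
# %TEMP%\Temp1_<archive>.zip\ ; a script host running a file from there means
# the script came straight out of an archive, as in the ZIP + shortcut lure.
ZIP_EXTRACT_RE = re.compile(r"\\Temp\d*_[^\\]+\.zip\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|wsf)\b", re.IGNORECASE)

# Constructed sample telemetry (Sysmon-like, field names assumed).
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-03-12T09:14:02", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\Temp1_notice.zip\notice.js"'},
    {"type": "process", "ts": "2026-03-12T09:14:40", "host": "WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /sc onlogon /tr "wscript.exe C:\Users\user\AppData\Roaming\notice.js"'},
    {"type": "process", "ts": "2026-03-11T15:00:00", "host": "WS01",  # unrelated, a day earlier
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Backup /sc daily /tr C:\Tools\backup.cmd"},
    {"type": "process", "ts": "2026-03-12T09:20:00", "host": "WS01",  # legitimate admin use
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
    # loader check-ins: same process and destination, ~10 min apart with small jitter
    {"type": "network", "ts": "2026-03-12T09:15:00", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "ts": "2026-03-12T09:25:03", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "ts": "2026-03-12T09:34:58", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "ts": "2026-03-12T09:45:00", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe", "dest": "203.0.113.10:443"},
    # browser noise: repeated destination but irregular timing, must not be flagged
    {"type": "network", "ts": "2026-03-12T09:10:00", "host": "WS01",
     "image": r"C:\Program Files\Browser\browser.exe", "dest": "198.51.100.7:443"},
    {"type": "network", "ts": "2026-03-12T09:12:00", "host": "WS01",
     "image": r"C:\Program Files\Browser\browser.exe", "dest": "198.51.100.7:443"},
    {"type": "network", "ts": "2026-03-12T09:40:00", "host": "WS01",
     "image": r"C:\Program Files\Browser\browser.exe", "dest": "198.51.100.7:443"},
]


def parse_ts(ev):
    return datetime.fromisoformat(ev["ts"])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_script_launches(events):
    """Script hosts running a .js/.jse/.wsf straight out of a ZIP extraction directory."""
    return [ev for ev in events
            if ev["type"] == "process"
            and basename(ev["image"]) in SCRIPT_HOSTS
            and SCRIPT_EXT_RE.search(ev["cmdline"])
            and ZIP_EXTRACT_RE.search(ev["cmdline"])]


def tasks_created_near(events, anchor, window_minutes=30):
    """schtasks /create within +/- window_minutes of the lure execution time."""
    lo, hi = anchor - timedelta(minutes=window_minutes), anchor + timedelta(minutes=window_minutes)
    return [ev for ev in events
            if ev["type"] == "process"
            and basename(ev["image"]) == "schtasks.exe"
            and "/create" in ev["cmdline"].lower()
            and lo <= parse_ts(ev) <= hi]


def beacon_candidates(events, min_hits=3, jitter=0.15):
    """Per (host, image, dest): flag when every interval is within jitter of the median."""
    series = {}
    for ev in events:
        if ev["type"] == "network":
            key = (ev["host"], basename(ev["image"]), ev["dest"])
            series.setdefault(key, []).append(parse_ts(ev))
    found = []
    for (host, image, dest), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(deltas)
        if period > 0 and all(abs(d - period) <= jitter * period for d in deltas):
            found.append({"host": host, "image": image, "dest": dest,
                          "period_s": period, "count": len(times)})
    return found


def triage(events):
    """Tie the checks together: the lure execution time anchors the task search."""
    launches = suspicious_script_launches(events)
    tasks = []
    for ev in launches:
        tasks.extend(tasks_created_near(events, parse_ts(ev)))
    return {"script_launches": launches, "tasks_near_lure": tasks,
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    for name, items in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(items)}")
        for item in items:
            print("  ", item.get("cmdline") or item)
```

On the constructed input the script flags the wscript.exe launch from the extraction folder, the scheduled task created seconds later, and one regular 10-minute check-in series, while ignoring the legitimate cscript.exe use and the irregular browser traffic. The beacon check is deliberately tolerant of small jitter; in a real environment, raise min_hits and feed it proxy or firewall logs over a longer window, since the loader may check in for a long time before any Cobalt Strike stage arrives.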

This follows the same pressure pattern Gridinsoft has covered in recent phishing stories: the lure is made to look routine, while the real test happens in the delivery logic. In Operation HookedWing, trusted-looking web infrastructure helped the campaign scale; in the FrostyNeighbor chain, geofencing and selective payload delivery are the parts most likely to mislead a quick investigation.

For another Ukraine-focused lure chain where a document-style prompt hides malware staging, see our coverage of Ghostwriter’s Prometheus-themed OYSTERFRESH campaign.

References

  1. ESET Research / WeLiveSecurity, “FrostyNeighbor: Fresh mischief and digital shenanigans,” May 14, 2026.
  2. ESET newsroom, “Belarus-aligned FrostyNeighbor attacks Ukrainian government, again,” May 2026.