Last updated: July 5, 2026 at 9:01 AM UTC
Tag: belarus (2 articles)

Belarus-aligned FrostyNeighbor (Ghostwriter) running a new geofenced PDF phishing campaign against Ukrainian government - Ukrainian IPs get malware, everyone else gets a clean PDF

ESET researchers documented a new wave of activity from FrostyNeighbor (a.k.a. Ghostwriter, UNC1151, UAC-0057), the Belarus-aligned group that has been targeting Ukraine, Poland, and Lithuania since 2016. Since March 2026, the group has been sending spear-phishing PDFs impersonating Ukrainian telecom operator Ukrtelecom. The lure server checks the visitor's IP: Ukrainian addresses get a malicious RAR archive that drops a JavaScript version of PicassoLoader, which in turn pulls down a Cobalt Strike Beacon, while everyone else just sees a clean decoy PDF. Operators appear to manually approve which fingerprinted victims actually get the implant.

Check
Hunt email gateways and proxies for spear-phishing PDFs impersonating Ukrtelecom; search endpoint telemetry for wscript.exe or cscript.exe launching JavaScript extracted from RAR archives (the PicassoLoader stage); and review outbound C2 callbacks from defense-sector users.
Affected
Ukrainian government, military, and defense organizations. Polish and Lithuanian industrial manufacturing, healthcare and pharma, logistics, and government bodies. Risk is highest for any organization with Eastern European operations.
Fix
Block the FrostyNeighbor domains and IPs listed in ESET's report at the network edge, deploy detections for the JavaScript-stage PicassoLoader and for Cobalt Strike Beacon, restrict execution of downloaded scripts via AppLocker, and brief staff in Eastern European offices on the Ukrtelecom lure.

Chinese hackers slipped a backdoor into the official DAEMON Tools installer for a month - thousands of computers in 100+ countries running tainted software signed with the real developer certificate

Kaspersky disclosed yesterday that the official DAEMON Tools installer - a popular Windows disk-image utility - has been distributing a backdoor since April 8. The trojanized versions (12.5.0.2421 through 12.5.0.2434) were downloaded from the legitimate vendor website and are signed with valid AVB Disc Soft certificates. Thousands of infections were recorded across 100+ countries, but follow-on payloads went to only about a dozen targets in the retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand. Kaspersky attributes the attack to Chinese-speaking actors and says it remains active. Detection took roughly a month, a timeline similar to the 2023 3CX supply-chain attack.

Check
Search Windows endpoints for DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434, and compare the file hashes of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe against the indicators in Kaspersky's report. Search proxy logs for env-check.daemontools.cc since April 8.
Affected
Windows endpoints with DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 installed since April 8, 2026. The compromised binaries are DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in the DAEMON Tools install directory. Risk is acute for organizations in Russia, Belarus, and Thailand and in the retail, scientific, government, or manufacturing sectors, since Kaspersky observed targeted second-stage payloads only in those countries and sectors.
Fix
Uninstall trojanized DAEMON Tools versions and reinstall from a verified clean release. Block env-check.daemontools.cc at the DNS resolver. Treat machines that ran trojanized versions as compromised: rotate credentials, hunt for QUIC RAT, and reimage if any second-stage payload is found. Apply application allowlisting to prevent vendor-signed but compromised binaries from running.
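The version-range and hash check above, written out as an added PowerShell example (not code from the page or from Kaspersky). It assumes the product's uninstall registry entry has a DisplayName starting with "DAEMON Tools" and a populated InstallLocation; the hashes it prints must be compared with the indicators in Kaspersky's report, which are not reproduced here.

```powershell
# Added example: find DAEMON Tools installs in the trojanized version range and
# hash the three binaries named in the advisory. Run elevated on the endpoint.
$LowerBound = [version]'12.5.0.2421'
$UpperBound = [version]'12.5.0.2434'
$Binaries   = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# Uninstall keys (64-bit and 32-bit views) carry DisplayVersion and InstallLocation.
$UninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: DisplayName starts with "DAEMON Tools" (e.g. "DAEMON Tools Lite").
$Hits = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'DAEMON Tools*' -and $_.DisplayVersion } |
  ForEach-Object {
    $v = $null
    if ([version]::TryParse($_.DisplayVersion, [ref]$v) -and
        $v -ge $LowerBound -and $v -le $UpperBound) {
      [pscustomobject]@{ Name = $_.DisplayName; Version = $v; InstallLocation = $_.InstallLocation }
    }
  }

if (-not $Hits) {
  'No DAEMON Tools install in the 12.5.0.2421-12.5.0.2434 range found.'
}

foreach ($hit in $Hits) {
  Write-Warning "Install in trojanized range: $($hit.Name) $($hit.Version) at '$($hit.InstallLocation)'"
  if (-not $hit.InstallLocation) { Write-Warning 'InstallLocation is empty; locate the install directory manually.'; continue }
  foreach ($bin in $Binaries) {
    $path = Join-Path $hit.InstallLocation $bin
    if (-not (Test-Path $path)) { continue }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    # A valid signature is NOT a clean bill of health here: the trojanized builds
    # carry genuine AVB Disc Soft signatures, so the SHA256 must be matched against
    # the report's indicators (placeholder: <KASPERSKY_IOC_HASHES>).
    '{0}  SHA256={1}  Signer={2}  SigStatus={3}' -f $path, $hash,
      $sig.SignerCertificate.Subject, $sig.Status
  }
}
```

Feed the printed SHA256 values into your EDR or a hash lookup against the report's indicator list; a match, or any unexplained version in the range, is grounds for the credential rotation and reimage steps above.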