Belarus-aligned FrostyNeighbor (Ghostwriter) running a new geofenced PDF phishing campaign against Ukrainian government - Ukrainian IPs get malware, everyone else gets a clean PDF
ESET researchers documented a new wave of activity from FrostyNeighbor (a.k.a. Ghostwriter, UNC1151, UAC-0057), the Belarus-aligned group that has been targeting Ukraine, Poland, and Lithuania since 2016. Since March 2026, the group has been sending spear-phishing PDFs impersonating Ukrainian telecom operator Ukrtelecom. The lure server checks the visitor's IP: Ukrainian addresses get a malicious RAR archive that drops a JavaScript version of PicassoLoader, which in turn pulls down a Cobalt Strike Beacon, while everyone else just sees a clean decoy PDF. Operators appear to manually approve which fingerprinted victims actually get the implant.
- Check
- Hunt email gateways and proxies for spear-phishing PDFs impersonating Ukrtelecom, search endpoint telemetry for JavaScript children of wscript.exe or cscript.exe running PicassoLoader behavior, and review outbound C2 callbacks from defense-sector users.
- Affected
- Ukrainian government, military, and defense organizations. Polish and Lithuanian industrial manufacturing, healthcare and pharma, logistics, and government bodies. Risk is highest for any organization with Eastern European operations.
- Fix
- Block known FrostyNeighbor domains and IPs from ESET's report at the network edge, deploy detections for JavaScript-stage PicassoLoader and Cobalt Strike, restrict execution of downloaded scripts via AppLocker, and brief Eastern European staff on the Ukrtelecom lure.