ESET researchers documented a new wave of activity from FrostyNeighbor (a.k.a. Ghostwriter, UNC1151, UAC-0057), the Belarus-aligned group that has been targeting Ukraine, Poland, and Lithuania since 2016. Since March 2026, the group has been sending spear-phishing PDFs impersonating Ukrainian telecom operator Ukrtelecom. The lure server checks the visitor's IP: Ukrainian addresses get a malicious RAR archive that drops a JavaScript version of PicassoLoader, which in turn pulls down a Cobalt Strike Beacon, while everyone else just sees a clean decoy PDF. Operators appear to manually approve which fingerprinted victims actually get the implant.
Polish intelligence service ABW announced on Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports that the targeting profile is consistent with state-aligned activity: patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack, but the timing (alongside the Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state) is unmistakable. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.