FrostyNeighbor Uses Scheduled Tasks to Maintain Access in Ukraine Attacks


FrostyNeighbor has launched a new cyberespionage campaign against Ukrainian government organizations using malicious PDF lures, JavaScript malware, scheduled tasks, and Cobalt Strike.

ESET researchers said the activity started in March 2026 and shows continued changes in the group’s compromise chain. The attackers now use server-side validation before delivering the final payload, which makes the campaign harder to reproduce in sandboxes and research environments.

FrostyNeighbor is also tracked as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, and Storm-0257. The group has been active since at least 2016 and is widely associated with cyberespionage activity aligned with Belarusian interests.

FrostyNeighbor targets Ukraine with malicious PDF lures

The latest campaign begins with spearphishing emails that carry PDF attachments. One lure impersonates Ukrtelecom, a Ukrainian telecommunications provider, and uses a message about customer data protection to look legitimate.

The PDF contains a download button that sends the victim to infrastructure controlled by the attackers. The server then decides what to deliver based on the victim’s location and other request details.

If the visitor does not appear to be in Ukraine, the server returns a benign PDF. If the visitor uses a Ukrainian IP address, the server delivers a RAR archive named 53_7.03.2026_R.rar that contains the first-stage JavaScript payload.

Attack stages and what happens at each:
  • Initial lure: The victim receives a spearphishing email with a malicious PDF attachment.
  • Geofencing check: The delivery server checks whether the visitor appears to be in Ukraine.
  • Archive delivery: Ukrainian targets receive a RAR archive containing JavaScript malware.
  • PicassoLoader execution: The second-stage downloader fingerprints the system and contacts C2.
  • Cobalt Strike delivery: Selected victims receive a third-stage dropper that installs a beacon.

PicassoLoader handles persistence and victim profiling

The first-stage JavaScript opens a decoy PDF to keep the victim occupied. At the same time, it drops and launches a JavaScript version of PicassoLoader, the downloader family previously linked to FrostyNeighbor operations.

PicassoLoader collects the username, computer name, operating system version, boot time, current time, and running processes. It sends this fingerprint to the command-and-control server every 10 minutes.

The payload is not always delivered immediately. ESET said the operators likely review the system fingerprint manually before deciding whether the victim is valuable enough for the next stage.

  • The lure impersonates Ukrtelecom.
  • The server uses geofencing before delivering the malicious archive.
  • The first-stage script opens a decoy PDF.
  • PicassoLoader collects host and process information.
  • The C2 server sends the Cobalt Strike stage only after victim validation.

Scheduled tasks keep the malware running

FrostyNeighbor uses Windows scheduled tasks to keep PicassoLoader active after reboot. The first-stage script downloads what looks like a JPEG file from attacker infrastructure, but the server actually returns an XML scheduled task template.

The script replaces placeholder values inside the template with real execution details and registers the task on the victim’s machine. This lets PicassoLoader run automatically at Windows startup.

This persistence method helps the attackers keep access without relying only on a single script launch. It also blends into a Windows feature that administrators and legitimate software commonly use.
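As an added example (not code from the ESET report or from the group's own tooling), the Python routine below triages a scheduled-task XML definition for the pattern just described: a boot or logon trigger whose action launches a script host from a user-writable directory. Both task definitions are constructed; the user name, script path, and vendor updater path are assumptions.

```python
"""Triage a Windows scheduled-task XML definition for loader-style persistence.

Added example, not from the ESET report. It flags the pattern described in the
article: a task that fires at boot or logon and whose action launches a script
host (wscript/cscript/mshta) or a file under a user-writable directory.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)


def triage_task_xml(xml_text: str) -> list[str]:
    """Return the reasons a task looks suspicious; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    reasons = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        kinds = {child.tag.split("}")[-1] for child in triggers}
        if kinds & STARTUP_TRIGGERS:
            reasons.append("starts at boot/logon: " + ", ".join(sorted(kinds & STARTUP_TRIGGERS)))
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", "", NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", "", NS)
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("action references a user-writable path")
    return reasons


# Constructed task XML mimicking the reported pattern (user name and script path assumed).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B "C:\Users\victim\AppData\Roaming\Update.js"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task: a daily vendor updater run from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-03-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""
```

Export each task with `schtasks /query /xml` (or from the Task Scheduler library folder) and feed the XML to `triage_task_xml` to review tasks created around a suspected infection time.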

Persistence methods and their purpose:
  • Scheduled task template: Registers PicassoLoader to run automatically.
  • Registry file: Supports later persistence activity in the infection chain.
  • HKCU Run key: Launches the Cobalt Strike stage after victim approval.
  • LNK shortcut: Executes the copied rundll32.exe loader path.

Cobalt Strike arrives after target validation

If the operators approve the infected system, the command-and-control server returns a third-stage JavaScript dropper. This stage deploys Cobalt Strike, a legitimate red-team framework often abused by threat actors for remote access.

The script copies the legitimate Windows rundll32.exe file to ProgramData under the name ViberPC.exe. This technique may help the attackers avoid simple detections that look for unknown executable names or suspicious launch paths.

The dropper then writes the Cobalt Strike beacon to disk as ViberPC.dll and creates a registry-based persistence path that launches the beacon through the copied rundll32 executable.

Why the campaign is harder to detect

The campaign uses several layers to reduce exposure. The delivery server filters victims by location, the final payload arrives only after operator review, and the malware hides malicious content behind files that appear to be ordinary PDFs, images, or Windows components.

This means defenders may not see the full chain when they test the lure from the wrong location or from a research environment. A sandbox may receive only the benign document instead of the malicious archive.

The manual validation step also reduces noisy payload delivery. Attackers can avoid deploying Cobalt Strike to systems that look like security tools, test machines, or low-value targets.

  • Block or inspect suspicious PDF attachments from unknown senders.
  • Monitor JavaScript execution from user profile and temporary directories.
  • Review new scheduled tasks created by scripts or unusual parent processes.
  • Investigate rundll32.exe copies running from non-standard paths.
  • Watch for Cobalt Strike-like network traffic to suspicious domains.
  • Hunt for unexpected Run key entries and LNK files under ProgramData.

FrostyNeighbor has a long history in Eastern Europe

FrostyNeighbor has targeted countries near Belarus for years. ESET said its activity has focused on Ukraine, Poland, and Lithuania, with victims across government, military, defense, industrial, logistics, healthcare, and other important sectors.

The group has used many lure types over time, including CHM, XLS, PPT, DOC, PDF, and archive-based delivery chains. It has also used different versions of PicassoLoader written in .NET, PowerShell, JavaScript, and C++.

Compromise chain overview (Source – Welivesecurity)

Past reporting has linked the group to credential harvesting, spearphishing, disinformation, payload delivery through legitimate services, and exploitation of vulnerabilities such as CVE-2023-38831 in WinRAR and CVE-2024-42009 in Roundcube.

Key indicators from the latest campaign

Indicator (type): Description
  • 53_7.03.2026_R.rar (filename): RAR archive used in the first stage.
  • 53_7.03.2026_R.js (filename): JavaScript dropper inside the archive.
  • Update.js (filename): PicassoLoader second-stage downloader.
  • ViberPC.exe (filename): Copied rundll32.exe used in the Cobalt Strike stage.
  • ViberPC.dll (filename): Cobalt Strike beacon payload.
  • book-happy.needbinding.icu (domain): C2 server used for scheduled task delivery and fingerprint collection.
  • nama-belakang.nebao.icu (domain): C2 infrastructure used by the Cobalt Strike beacon.

What organizations should do now

Government, defense, telecom, and critical-sector organizations in Ukraine and Eastern Europe should treat unsolicited PDF attachments as high-risk, especially when they contain external download buttons or links to archive files.

Security teams should hunt for the listed filenames, domains, scheduled task creation events, JavaScript execution from AppData paths, and rundll32.exe copies placed under ProgramData.

They should also review proxy logs for connections to FrostyNeighbor infrastructure and inspect endpoints for Cobalt Strike indicators. If compromise is suspected, defenders should isolate the host, collect forensic data, remove persistence mechanisms, and rotate exposed credentials.

  1. Search mail gateways for PDF lures that impersonate Ukrainian organizations.
  2. Check endpoints for 53_7.03.2026_R.rar and related JavaScript files.
  3. Review scheduled tasks created around the suspected infection time.
  4. Investigate ViberPC.exe, ViberPC.dll, and ViberPC.lnk under ProgramData.
  5. Block known FrostyNeighbor command-and-control domains.
  6. Reset credentials used on systems that show Cobalt Strike activity.
  7. Patch exposed mail, archive, and document-handling software.
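The Python hunt below is an added example, not the report's or the group's code, that turns the detection points listed under "Why the campaign is harder to detect" and the hunting steps just above into rules run over constructed Sysmon-style JSON events: a script host running JavaScript from AppData, task registration by a script host, listed filenames or LNK files written under ProgramData, a renamed rundll32.exe copy recognised by its PE OriginalFileName, and a Run value pointing into ProgramData. The event field names, the user name, and the task name in the samples are assumptions.

```python
"""Hunt endpoint telemetry for the execution and persistence pattern above. Added
example, not ESET's data or the group's code: events are a simplified, constructed
Sysmon-style JSON, so field names and sample values are assumptions."""
import json
import re

IOC_FILENAMES = {"53_7.03.2026_r.rar", "53_7.03.2026_r.js", "update.js",
                 "viberpc.exe", "viberpc.dll", "viberpc.lnk"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROGRAMDATA = re.compile(r"\\programdata\\", re.I)
APPDATA = re.compile(r"\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return the names of the rules an event matches (empty list = nothing notable)."""
    hits, kind = [], ev.get("type")
    image, cmd = ev.get("image", ""), ev.get("cmdline", "")
    if kind == "process":
        if basename(image) in SCRIPT_HOSTS and ".js" in cmd.lower() and APPDATA.search(cmd):
            hits.append("script host running JavaScript from AppData")
        if basename(image) == "schtasks.exe" and basename(ev.get("parent", "")) in SCRIPT_HOSTS:
            hits.append("scheduled task registered by a script host")
        # A copied rundll32.exe keeps its PE OriginalFileName even when renamed on disk.
        if ev.get("original_name", "").lower() == "rundll32.exe" and basename(image) != "rundll32.exe":
            hits.append("renamed rundll32.exe copy executing")
    elif kind == "file" and PROGRAMDATA.search(ev.get("target", "")):
        name = basename(ev["target"])
        if name in IOC_FILENAMES or name.endswith(".lnk"):
            hits.append("listed filename or LNK written under ProgramData")
    elif kind == "registry" and RUN_KEY.search(ev.get("key", "")) and PROGRAMDATA.search(ev.get("data", "")):
        hits.append("Run value pointing into ProgramData")
    return hits

def hunt(jsonl: str) -> list[tuple[int, str]]:
    """Apply every rule to newline-delimited JSON events; return (line number, rule) pairs."""
    return [(n, rule) for n, line in enumerate(jsonl.splitlines(), 1)
            if line.strip() for rule in classify(json.loads(line))]

# Constructed sample: an infection-like sequence followed by a legitimate rundll32.exe run.
SAMPLE_EVENTS = r"""{"type": "process", "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "wscript.exe C:\\Users\\victim\\AppData\\Roaming\\Update.js"}
{"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "parent": "C:\\Windows\\System32\\wscript.exe", "cmdline": "schtasks /create /xml task.xml /tn Updater"}
{"type": "file", "target": "C:\\ProgramData\\ViberPC.exe"}
{"type": "process", "image": "C:\\ProgramData\\ViberPC.exe", "original_name": "RUNDLL32.EXE", "cmdline": "C:\\ProgramData\\ViberPC.exe C:\\ProgramData\\ViberPC.dll"}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "ViberPC", "data": "C:\\ProgramData\\ViberPC.exe"}
{"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "original_name": "RUNDLL32.EXE", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}
"""
```

The schtasks rule only covers command-line registration; a task registered through the Task Scheduler COM interface would instead surface as a task-creation audit event, so pair this with the scheduled-task triage shown earlier.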

Server-side validation raises the response challenge

FrostyNeighbor’s latest activity shows how targeted intrusion campaigns can avoid broad exposure while still delivering serious payloads to selected victims.

The group does not simply send the same malware to every visitor. It filters by location, profiles the system, and appears to involve a human decision before Cobalt Strike arrives.

That approach makes traditional sample collection harder. Defenders need email telemetry, endpoint logs, network visibility, and threat intelligence together to reconstruct the full chain and stop the attack before the final stage runs.

FAQ

What is FrostyNeighbor?

FrostyNeighbor is a long-running cyberespionage group also tracked as Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, and Storm-0257. ESET says the group is apparently aligned with Belarusian interests and has targeted Ukraine, Poland, Lithuania, and other Eastern European entities.

How does the latest FrostyNeighbor campaign start?

The campaign starts with spearphishing emails that include malicious PDF attachments. One lure impersonates Ukrtelecom and contains a download button that points to attacker-controlled infrastructure.

How does FrostyNeighbor use scheduled tasks?

The first-stage JavaScript downloads an XML scheduled task template disguised as a JPEG file, fills in execution values, and registers the task. This lets PicassoLoader run automatically when Windows starts.

What is PicassoLoader?

PicassoLoader is a downloader associated with FrostyNeighbor. In this campaign, its JavaScript version fingerprints the victim’s system and sends details such as username, computer name, OS version, boot time, and running processes to the C2 server every 10 minutes.

Why is server-side validation important in this attack?

Server-side validation lets the attackers decide whether a visitor should receive the real payload. The server can return a benign file to the wrong location or environment and deliver Cobalt Strike only after the operators approve a valuable victim.
