FrostyNeighbor (aka Ghostwriter): lineage and aliases
The group tracked as Ghostwriter in public reporting — described in ESET's analysis shared with The Hacker News — is "Belarus‑aligned" and active since at least 2016. The actor has been observed conducting both cyber espionage and influence operations, particularly against Ukraine. Public tracking lists a long set of aliases for the same activity: FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
March 2026 campaign: geofenced PDFs that impersonate Ukrtelecom
Since March 2026, ESET reports, the group has used spear‑phishing attachments containing malicious PDFs that impersonate the Ukrainian telecommunications company Ukrtelecom. The embedded links in those PDFs deliver RAR archives that contain a JavaScript variant of PicassoLoader, which in turn is used to drop Cobalt Strike Beacon.
Crucially, the campaign uses geofencing checks on the server side: victims whose IP addresses do not resolve to Ukraine are served a benign PDF, while requests from Ukrainian IPs receive the malicious archive. ESET highlighted that "the payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with the manual validation by the operators."
Compromise chain: profiling, staged JavaScript, and manual targeting
The observed infection sequence is multi‑stage and profile‑aware. After the RAR archive is opened, a JavaScript downloader displays a lure document to maintain the ruse while running PicassoLoader in the background. The downloader profiles and fingerprints the host and transmits that system fingerprint to attacker infrastructure every 10 minutes.
- Based on the collected fingerprint, operators may manually decide to send a third‑stage JavaScript dropper that deploys Cobalt Strike Beacon.
- The JavaScript PicassoLoader variant is consistent with Ghostwriter's prior use of PicassoLoader as a conduit for Cobalt Strike and njRAT; in late 2023 the actor also weaponized CVE‑2023‑38831 in WinRAR (CVSS 7.8) to deliver the same families.
- ESET further noted past anti‑analysis techniques in late 2025 where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain.
Victimology: Ukraine as primary focus; broader targeting in Poland and Lithuania
The campaign's primary focus appears to be military, defense sector, and governmental organizations in Ukraine. By contrast, activity attributed to the same actor in Poland and Lithuania has shown broader targeting across industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors.
Earlier playbooks attributed to the group also included credential harvesting via web application flaws: in 2024 Ghostwriter used an exploit of Roundcube (CVE‑2024‑42009, CVSS 9.3) to run malicious JavaScript that captured email logins; CERT Polska reported in June 2025 that harvested credentials were sometimes used to analyze mailbox contents, download contact lists, and propagate further phishing.
Related campaigns: Gamaredon, BO Team/Head Mare, and Hive0117
The new Ghostwriter activity sits alongside several other campaigns affecting the same region. HarfangLab tied the Russia‑affiliated Gamaredon group to spear‑phishing against Ukrainian state institutions since September 2025, delivering GammaDrop and GammaLoad via RAR archives that exploit CVE‑2025‑8088. "These emails – spoofed or sent from compromised government accounts – deliver persistent, multi‑stage VBScript downloaders that profile the infected system," HarfangLab said.
Kaspersky reported that the pro‑Ukraine hacktivist BO Team (aka Black Owl) may be coordinating or sharing tooling with Head Mare (aka PhantomCore) against Russian organizations; observed malware included BrockenDoor, ZeronetKit (which can also compromise Linux), and a previously undocumented Go‑based backdoor called ZeroSSH. Kaspersky noted about the overlap: "The nature of the interaction between the groups remains unclear, but the recorded intersections of tools and infrastructure indicate at least the potential coordination of actions against Russian organizations."
Separately, F6 reported a financially motivated set of phishing attacks by a group called Hive0117 that targeted accountants to steal over 14 million rubles. Between February and March 2026 the group phishing‑messaged more than 3,000 Russian organizations using invoice lures that dropped RAR archives containing DarkWatchman; attackers then attempted payroll‑style transfers to mule accounts, F6 said.
What this means for the Ukrainian government, security teams, and international partners
- Ukrainian government and defense organizations: the campaign's geofenced decoys and manual validation steps indicate an operator intent on discriminating targets inside Ukraine; organizations impersonated by lures (for example, Ukrtelecom) should treat similar PDFs and links as high‑risk.
- Security operations teams: the multi‑stage JavaScript PicassoLoader, periodic 10‑minute fingerprinting, and manual staging of Cobalt Strike suggest defenders should prioritize detection of anomalous JavaScript execution, RAR archive extraction events, and outbound telemetry that could indicate repeated fingerprint uploads to unknown infrastructure.
- International partners and CERTs: prior use of web application exploits (Roundcube CVE‑2024‑42009) and WinRAR CVE‑2023‑38831 shows the actor adapts to available vectors; coordinated sharing of indicators and rapid patching of exposed services remain central to constraining this actor's options.
The picture painted by ESET and corroborating reports is of a persistent, adaptable actor that has refined both technical mechanisms and human‑in‑the‑loop validation to find and exploit targets of interest. Whether these efforts will expand beyond the current victimology or further harden their operational tradecraft remains a concrete question for defenders watching the region.




