FrostyNeighbor: Fresh mischief and digital shenanigans

FrostyNeighbor, a Belarus-aligned threat actor, has updated its toolset to target Ukrainian governmental organizations with a multi-stage compromise chain. The attack utilizes spearphishing with malicious PDFs that redirect to a RAR archive containing a JavaScript dropper, which ultimately deploys a Cobalt Strike beacon via the PicassoLoader malware following strict server-side and manual victim validation.

Sensitivity: 24h | Confidence: high | Analyzed: 2026-05-14 (Google)

Authors: ESET Research

Actors: FrostyNeighbor, Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, Storm-0257 | Tools: PicassoLoader, Cobalt Strike

Source: ESET

IOCs · 28

Detection / Hunter: Google

What Happened

A cyberespionage group known as FrostyNeighbor is targeting government organizations in Ukraine using deceptive emails and documents. When a victim clicks a link in a fake PDF, the attackers check their location and deliver a hidden malicious program if they are in Ukraine. This program secretly gathers information about the victim's computer and sends it to the attackers, who then decide whether to install a tool that gives them full control over the system. This matters because it allows attackers to steal sensitive government data or disrupt operations. Organizations should train employees to spot suspicious emails and ensure their security systems are updated to detect these hidden programs.

Key Takeaways

  • FrostyNeighbor targets Ukrainian governmental organizations using a new compromise chain involving JavaScript droppers and PicassoLoader.
  • The attack employs server-side validation based on IP geolocation to deliver malicious payloads only to targets in Ukraine.
  • The final payload is a Cobalt Strike beacon, deployed after manual validation by the threat actors based on system fingerprinting.
  • Persistence is achieved via scheduled tasks and registry Run keys using masqueraded legitimate binaries (e.g., copying rundll32.exe to ViberPC.exe).

Affected Systems

  • Windows operating systems
  • Governmental, military, and key sectors in Eastern Europe (Ukraine, Poland, Lithuania)

Vulnerabilities (CVEs)

  • CVE-2023-38831
  • CVE-2024-42009

Attack Chain

The attack begins with a spearphishing email containing a link to a malicious PDF. If the victim's IP address geolocates to Ukraine, the victim is served a RAR archive containing a JavaScript dropper. The dropper copies legitimate binaries (such as wscript.exe) into user-writable directories for proxy execution, establishes persistence via a scheduled task and a registry Run key, and downloads the PicassoLoader payload. PicassoLoader fingerprints the system and sends the data to a C2 server; if the operators deem the target valuable, a Cobalt Strike beacon DLL is deployed and loaded through a copy of rundll32.exe (renamed ViberPC.exe), a proxy-execution step the article describes as DLL sideloading-like.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but it does provide a comprehensive list of file hashes, domains, and URLs that can be used to build custom detections.

Detection Engineering Assessment

  • EDR Visibility: High. The attack relies heavily on process creation (wscript.exe, rundll32.exe, schtasks.exe), file drops in %AppData% and %ProgramData%, and registry modifications, all of which are highly visible to modern EDR solutions.
  • Network Visibility: Medium. C2 communication occurs over HTTPS, but the initial payload delivery involves specific URL patterns and the download of an XML file disguised as a JPG, which can be detected with TLS inspection or advanced network monitoring.
  • Detection Difficulty: Moderate. The use of legitimate binaries (wscript.exe, rundll32.exe) copied to new locations and the manual validation step make automated detection slightly more challenging, but the behavioral patterns (e.g., a JavaScript dropper writing DLLs) are well known.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Registry Events (Sysmon 12, 13, 14)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

  • Hypothesis: Hunt for wscript.exe or rundll32.exe copied to and executed from unusual directories such as %AppData% or %ProgramData%. | Telemetry: Process Creation, File Creation | ATT&CK Stage: Execution, Defense Evasion | FP Risk: Low
  • Hypothesis: If you have visibility into scheduled tasks, look for tasks created via schtasks.exe that reference XML files dropped in user profile directories. | Telemetry: Process Creation, Scheduled Task Logs | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Hunt for HKCU Run key modifications that point to LNK files or copied system binaries in %ProgramData%. | Telemetry: Registry Events | ATT&CK Stage: Persistence | FP Risk: Medium
  • Hypothesis: Review network logs for HTTP GET requests retrieving files with image extensions (e.g., .jpg) that return text/xml content types. | Telemetry: Network Traffic, Proxy Logs | ATT&CK Stage: Command and Control | FP Risk: Low
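The four hypotheses above, implemented as checks over sample telemetry. This is an added example for this page, not code from ESET or from the hunting table's source: the event dicts mimic the handful of Sysmon fields the checks need (EventID 1 process creation with OriginalFileName and CommandLine, EventID 13 registry value set with TargetObject and Details) plus a minimal web-proxy record. Every sample record is constructed; the user name, the task XML file name, the DLL argument to the renamed rundll32.exe and the proxy host are placeholders that the report does not supply. The one trick worth taking away is the OriginalFileName comparison: it comes from the PE version resource, so a wscript.exe renamed to svhost.exe or a rundll32.exe renamed to ViberPC.exe still announces what it is.

```python
"""Hunting checks for the FrostyNeighbor behaviours listed above (added example)."""
import re

# Binaries the dropper copies and runs from user-writable paths (report: wscript.exe, rundll32.exe).
LOLBINS = {"wscript.exe", "cscript.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
XML_TYPES = ("text/xml", "application/xml")


def _lc(value):
    """Lower-case a possibly missing field so every comparison is case-insensitive."""
    return (value or "").lower()


def copied_lolbin(ev):
    """H1: a script host or rundll32 executing from anywhere but System32/SysWOW64."""
    if ev.get("EventID") != 1 or _lc(ev.get("OriginalFileName")) not in LOLBINS:
        return False
    return not _lc(ev.get("Image")).startswith(SYSTEM_DIRS)


def task_from_profile_xml(ev):
    """H2: schtasks /create /xml pointing at an XML file under a user profile."""
    if ev.get("EventID") != 1 or _lc(ev.get("OriginalFileName")) != "schtasks.exe":
        return False
    cmd = _lc(ev.get("CommandLine"))
    m = re.search(r'/xml\s+"?([^"\s]+)', cmd)
    return "/create" in cmd and bool(m) and m.group(1).startswith("c:\\users\\")


def run_key_to_programdata(ev):
    """H3: a Run value whose data is a .lnk or anything under %ProgramData%."""
    if ev.get("EventID") != 13 or "\\currentversion\\run\\" not in _lc(ev.get("TargetObject")):
        return False
    details = _lc(ev.get("Details"))
    return details.endswith(".lnk") or "c:\\programdata\\" in details


def image_url_serving_xml(rec):
    """H4: a GET for an image-looking URL that the server answered with XML."""
    path = _lc(rec.get("url")).split("?", 1)[0]
    ctype = _lc(rec.get("content_type")).split(";", 1)[0].strip()
    return rec.get("method", "GET").upper() == "GET" and path.endswith(IMAGE_EXTS) and ctype in XML_TYPES


HOST_CHECKS = (("H1 copied LOLBin", copied_lolbin),
               ("H2 task XML", task_from_profile_xml),
               ("H3 Run key", run_key_to_programdata))


def hunt(events, proxy_records):
    """Return (hypothesis, record index) pairs for every record that matches a check."""
    hits = []
    for i, ev in enumerate(events):
        hits += [(name, i) for name, check in HOST_CHECKS if check(ev)]
    hits += [("H4 image/XML mismatch", i) for i, rec in enumerate(proxy_records) if image_url_serving_xml(rec)]
    return hits


# Constructed Sysmon-style events: 0, 1, 2 and 4 reproduce behaviours named in the report
# (paths from the IOC list, placeholder user/XML/DLL names); 3 and 5 are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\WinDataScope\svhost.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\WinDataScope\svhost.exe" '
                    r'"C:\Users\victim\AppData\Roaming\WinDataScope\Update.js" --update --headless'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /xml C:\Users\victim\AppData\Roaming\WinDataScope\task.xml /tn "WindowsUpdate"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UpdateService",
     "Details": r"C:\ProgramData\ViberPC.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.js'},
    {"EventID": 1, "Image": r"C:\ProgramData\ViberPC.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\ProgramData\ViberPC.exe" C:\ProgramData\placeholder.dll,Start'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]
# Constructed proxy records: a .jpg answered with text/xml (the PicassoLoader pattern) and a real image.
SAMPLE_PROXY = [
    {"method": "GET", "url": "http://cdn.example.invalid/img/banner.jpg", "content_type": "text/xml; charset=utf-8"},
    {"method": "GET", "url": "http://cdn.example.invalid/img/logo.jpg", "content_type": "image/jpeg"},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS, SAMPLE_PROXY):
        print(f"{name}: record {idx}")
```

Running the block prints five hits: the renamed wscript.exe and ViberPC.exe (H1), the task created from a profile-resident XML (H2), the Run value pointing at the %ProgramData% shortcut (H3) and the .jpg answered as XML (H4); the System32 wscript.exe and the OneDrive Run value stay quiet. The H3 check reads the hive-relative path because Sysmon logs HKCU values under HKU\<SID>, so matching on HKCU literally would miss them.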

Control Gaps

  • Lack of strict application control preventing execution of scripts (JS) from archive files
  • Insufficient network filtering for newly registered or uncategorized domains (.icu, .buzz)

Key Behavioral Indicators

  • Execution of wscript.exe with unusual command-line arguments (e.g., --update, --headless)
  • Creation of .lnk files in %ProgramData% that execute DLLs via copied rundll32.exe
  • WMI queries for Win32_OperatingSystem and Win32_Process originating from script interpreters

False Positive Assessment

  • Low. The provided IOCs are highly specific to the FrostyNeighbor infrastructure and malware payloads. Behavioral detections involving copied system binaries in %ProgramData% also have a low false-positive rate.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the identified domains and IP addresses at the perimeter firewall or web proxy.
  • If applicable, search EDR telemetry for the provided file hashes and file paths (e.g., %ProgramData%\ViberPC.exe).

Infrastructure Hardening

  • Evaluate whether to block or restrict the execution of JavaScript (.js) and other script files originating from downloaded archives.
  • Consider implementing application control policies to prevent the execution of copied system binaries (like rundll32.exe) from non-standard directories.
  • If supported by your network appliances, inspect HTTP traffic for mismatched file extensions and content types (e.g., .jpg serving XML).

User Protection

  • Consider configuring email gateways to quarantine or strip potentially dangerous attachment types, including RAR archives containing scripts.
  • Evaluate whether to change default file associations for script files (like .js) to open in a text editor rather than executing via WScript.

Security Awareness

  • Consider rolling into existing awareness programs the risks of clicking links in unsolicited PDFs, especially those impersonating government or telecommunications entities.
  • Train users to be cautious of unexpected archive files (like .rar) downloaded from external links.

MITRE ATT&CK Mapping

  • T1583 - Acquire Infrastructure
  • T1608 - Stage Capabilities
  • T1588.002 - Obtain Capabilities: Tool
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1204.002 - User Execution: Malicious File
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1059 - Command and Scripting Interpreter
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (listed in the source as the deprecated T1060)
  • T1027 - Obfuscated Files or Information
  • T1027.009 - Obfuscated Files or Information: Embedded Payloads
  • T1036.005 - Masquerading: Match Legitimate Resource Name or Location
  • T1057 - Process Discovery
  • T1082 - System Information Discovery
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1041 - Exfiltration Over C2 Channel

Additional IOCs

  • Domains:
    • easiestnewsfromourpointofview[.]algsat[.]icu - PicassoLoader C&C server.
    • mickeymousegamesdealer[.]alexavegas[.]icu - PicassoLoader C&C server.
    • hinesafar[.]sardk[.]icu - PicassoLoader C&C server.
    • shinesafar[.]sardk[.]icu - PicassoLoader C&C server.
    • best-seller[.]lavanille[.]buzz - Cobalt Strike C&C server.
  • File Hashes:
    • 8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F (SHA1) - JavaScript dropper 53_7.03.2026_R.js.
    • B65551D339AECE718EA1465BF3542C794C445EFC (SHA1) - JavaScript PicassoLoader downloader Update.js.
    • E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906 (SHA1) - Cobalt Strike dropper Update.js.
    • 4F2C1856325372B9B7769D00141DBC1A23BDDD14 (SHA1) - Lure PDF document 53_7.03.2026_R.pdf.
    • D89E5524E49199B1C3B66C524E7A63C3F0A0C199 (SHA1) - Lure PDF document Certificate.pdf.
    • 7E537D8E91668580A482BD77A5A4CABA26D6BDAC (SHA1) - JavaScript PicassoLoader downloader certificate.js.
    • FA6882672AD3654800987613310D7C3FBADE027E (SHA1) - JavaScript PicassoLoader downloader certificate.js.
    • 3FA7D1B13542F1A9EB054111F9B69C250AF68643 (SHA1) - Lure RAR archive Сетифікат_CAF.rar.
    • 4E52C92709A918383E90534052AAA257ACE2780C (SHA1) - JavaScript dropper Сетифікат_CAF.js.
    • 6FDED427A16D5314BA3E1EB9AFD120DC84449769 (SHA1) - JavaScript PicassoLoader downloader EdgeTaskMachine.js.
    • 27FA11F6A1D653779974B6FB54DE4AF47F211232 (SHA1) - Cobalt Strike beacon EdgeSystemConfig.dll.
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateService - Registry Run key created for PicassoLoader persistence.
  • File Paths:
    • %AppData%\WinDataScope\Update.js - Dropped PicassoLoader script.
    • %AppData%\WinDataScope\WinUpdate.reg - Dropped registry file for persistence.
    • %ProgramData%\ViberPC.exe - Copied legitimate rundll32.exe used for proxy execution.
    • %ProgramData%\ViberPC.lnk - Shortcut created for Cobalt Strike persistence.
    • %ProgramData%\ViberPC.reg - Registry import file for Cobalt Strike persistence.
    • %AppData%\WinDataScope\svhost.exe - Copied legitimate wscript.exe used for proxy execution.
  • Command Lines:
    • Purpose: Creates a scheduled task for persistence using a downloaded XML template. | Tools: schtasks.exe | Stage: Persistence | schtasks /create /xml <xmlPath> /tn "WindowsUpdate"
    • Purpose: Imports registry keys for persistence. | Tools: reg.exe | Stage: Persistence | reg import C:\ProgramData\ViberPC.reg
    • Purpose: Executes the Cobalt Strike shortcut via a chained command prompt. | Tools: cmd.exe, shell32.dll | Stage: Execution
    • Purpose: Executes the JavaScript dropper with specific flags. | Tools: wscript.exe | Stage: Execution