Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks

A state-aligned hacking group known as FrostyNeighbor has resurfaced with a fresh wave of cyberattacks targeting government organizations in Ukraine, using a carefully designed infection chain that is harder than ever to detect.

The group, active since at least 2016, has a long history of targeting countries neighboring Belarus, and its latest campaign shows just how far it has evolved.

The new activity, detected starting in March 2026, blends deceptive documents, layered malware scripts, and server-side victim filtering into a single coordinated operation.

The attacks begin with spearphishing emails carrying malicious PDF files designed to look like legitimate government communications.

One lure document impersonated Ukrtelecom, a Ukrainian telecommunications company, and appeared to offer assurances about customer data protection.

When a recipient clicks the download button inside the PDF, they are directed to a server fully controlled by the attackers. What they receive next depends entirely on where they are connecting from.

ESET’s official threat research blog, WeLiveSecurity’s analysts identified and said in a report shared with Cyber Security News (CSN) that FrostyNeighbor, also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, is a long-running cyber espionage actor apparently aligned with the interests of Belarus.

ESET researchers noted that the group regularly updates its tools and methods specifically to avoid triggering security alerts.

FrostyNeighbor’s campaigns have historically focused on Ukraine, Poland, and Lithuania, with victims ranging from government and military bodies to industrial firms and healthcare organizations.

In its newest campaign, the group demonstrates both patience and precision, delivering the final payload only after manually confirming that a target is worth pursuing.

This selective approach makes the operation especially difficult to detect or replicate in a controlled environment.

The group has been under active surveillance for years, with past reports from CERT-UA, SentinelOne, HarfangLab, and StrikeReady all documenting its evolving tactics.

The latest findings reveal a newer delivery mechanism using JavaScript to stage the attack across multiple steps, pulling in tools cleverly disguised as ordinary image or web files.

Hackers Abuse Scheduled Tasks

Once a victim from Ukraine clicks the embedded link in the lure document, the attacker’s server delivers a RAR archive named 53_7.03.2026_R.rar.

Inside is a JavaScript file that drops a decoy PDF to keep the target occupied while quietly launching the next stage in the background.

This second-stage script, called PicassoLoader, is a downloader the group has used across multiple campaigns and in several different programming languages.

To lock in its presence on the victim’s machine, PicassoLoader downloads a scheduled task template from the command-and-control server, disguised as a JPEG image file.

The server actually delivers an XML configuration file, and the script fills in real execution parameters before registering the scheduled task on the system.

This ensures PicassoLoader runs automatically at every Windows startup, which is exactly how FrostyNeighbor maintains persistent access on compromised machines.

Cobalt Strike Deployed After Victim Validation

What makes this attack chain particularly sharp is the server-side validation step that occurs before any serious payload is delivered.

Every ten minutes, PicassoLoader sends a system fingerprint, including the username, computer name, operating system version, and list of running processes, to the command-and-control server.

A human operator then reviews this information and decides whether the target is worth the next move.

If the victim qualifies, the server responds with a third-stage JavaScript dropper. This script copies the legitimate Windows file rundll32.exe under a different name, likely to bypass security tools that flag unfamiliar executables.

A Cobalt Strike beacon is then written to disk, and a registry entry ensures it launches automatically on every startup, giving the attackers full and persistent remote control over the compromised machine.

Security researchers recommend continuous and close monitoring of the group’s infrastructure, toolset changes, and operational patterns as the most effective defense against future campaigns.

Organizations across Eastern Europe, especially those in government, defense, and critical sectors, should treat any unsolicited PDF attachment as a potential threat and remain on high alert.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
SHA-1	776A43E46C36A539C916ED426745EE96E2392B39	53_7.03.2026_R.rar — JS/TrojanDropper.FrostyNeighbor
SHA-1	8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F	53_7.03.2026_R.js — JS/TrojanDropper.FrostyNeighbor
SHA-1	B65551D339AECE718EA1465BF3542C794C445EFC	Update.js — JS/TrojanDownloader.FrostyNeighbor
SHA-1	E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906	Update.js — JS/TrojanDropper.FrostyNeighbor
SHA-1	43E30BE82D82B24A6496F6943ECB6877E83F88AB	ViberPC.dll — Win32/CobaltStrike.Beacon
SHA-1	4F2C1856325372B9B7769D00141DBC1A23BDDD14	53_7.03.2026_R.pdf — PDF/TrojanDownloader.FrostyNeighbor
SHA-1	D89E5524E49199B1C3B66C524E7A63C3F0A0C199	Certificate.pdf — PDF/TrojanDownloader.FrostyNeighbor
SHA-1	7E537D8E91668580A482BD77A5A4CABA26D6BDAC	certificate.js — JS/TrojanDownloader.FrostyNeighbor
SHA-1	FA6882672AD3654800987613310D7C3FBADE027E	certificate.js — JS/TrojanDownloader.FrostyNeighbor
SHA-1	3FA7D1B13542F1A9EB054111F9B69C250AF68643	СетифікатCAF.rar — JS/TrojanDropper.FrostyNeighbor
SHA-1	4E52C92709A918383E90534052AAA257ACE2780C	СетифікатCAF.js — JS/TrojanDropper.FrostyNeighbor
SHA-1	6FDED427A16D5314BA3E1EB9AFD120DC84449769	EdgeTaskMachine.js — JS/TrojanDropper.FrostyNeighbor
SHA-1	27FA11F6A1D653779974B6FB54DE4AF47F211232	EdgeSystemConfig.dll — Win32/CobaltStrike.Beacon
Domain	attachment-storage-asset-static.needbinding[.]icu	C&C server — PicassoLoader delivery
Domain	book-happy.needbinding[.]icu	C&C server — scheduled task template and fingerprint collection
Domain	nama-belakang.nebao[.]icu	C&C server — Cobalt Strike beacon C&C
Domain	easiestnewsfromourpointofview.algsat[.]icu	C&C infrastructure
Domain	mickeymousegamesdealer.al[.]icu	C&C infrastructure
Domain	exavegas[.]icu	C&C infrastructure
Domain	hinesafar.sardk[.]icu	C&C infrastructure
Domain	shinesafar.sardk[.]icu	C&C infrastructure
Domain	best-seller.lavanille[.]buzz	C&C infrastructure
URL	https://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg	Scheduled task template delivery URL
URL	https://book-happy.needbinding[.]icu/employment/documents-and-resources	PicassoLoader fingerprint POST endpoint
URL	https://nama-belakang.nebao[.]icu/statistics/discover.txt	Cobalt Strike beacon C&C endpoint
Filename	53_7.03.2026_R.rar	First-stage RAR archive lure
Filename	53_7.03.2026_R.js	First-stage JavaScript dropper
Filename	53_7.03.2026_R.pdf	Decoy PDF lure document
Filename	Update.js	PicassoLoader second-stage downloader
Filename	WinUpdate.reg	Registry file dropped by first-stage script
Filename	ViberPC.exe	Renamed copy of rundll32.exe
Filename	ViberPC.dll	Cobalt Strike beacon payload
Filename	ViberPC.reg	Registry file for Cobalt Strike persistence
Filename	ViberPC.lnk	Shortcut file for Cobalt Strike execution
Filename	EdgeTaskMachine.js	Additional FrostyNeighbor dropper
Filename	EdgeSystemConfig.dll	Additional Cobalt Strike beacon

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.