
"FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection - targeting victims located in Eastern Europe," ESET said in a report shared with The Hacker News.
"Previous attacks mounted by the hacking crew have leveraged a malware family known as PicassoLoader, which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also observed weaponizing a vulnerability in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike."
"As recently as last year, Polish entities were at the receiving end of a phishing campaign orchestrated by Ghostwriter that exploited a cross-site scripting flaw in Roundcube (CVE-2024-42009, CVSS score: 9.3) to run malicious JavaScript responsible for capturing email login credentials."
"In at least some cases, the threat actors are said to have leveraged the harvested credentials to analyze mailbox contents, download the contact list, and abuse the compromised account to propagate more phishing messages, per a report from CERT Polska in June 2025. Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain."
Ghostwriter, which ESET tracks as FrostyNeighbor among other aliases, has been active since at least 2016 and targets governmental organizations in Ukraine and neighboring countries. The activity includes cyber espionage and influence operations. The group regularly updates its toolset, compromise chain, and evasion methods while focusing on victims in Eastern Europe. Prior intrusions used PicassoLoader as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, it weaponized the WinRAR vulnerability CVE-2023-38831 to deploy PicassoLoader and Cobalt Strike. Polish organizations were later targeted with phishing that exploited the Roundcube cross-site scripting vulnerability CVE-2024-42009 to capture email login credentials; according to CERT Polska, harvested credentials were used to inspect mailboxes, download contact lists, and send additional phishing messages from the compromised accounts. Towards the end of 2025, the group added anti-analysis behavior, with lure documents gating the attack chain behind dynamic CAPTCHA checks.
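The article does not describe how CVE-2023-38831 archives are built, but the publicly documented layout is distinctive enough to scan for: a benign-looking top-level file (for example `invoice.pdf`) sits next to a directory whose name is the same string plus a trailing space, and that directory holds the script WinRAR ends up launching when the user double-clicks the decoy. The following is an added example, not code from the article, ESET or CERT Polska, that builds a constructed, inert archive with that layout and a benign control archive, then flags the decoy/payload pairs. The file names and payload contents are placeholders chosen for the example.

```python
import io
import zipfile
from typing import List, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the CVE-2023-38831 layout (inert, for testing only).

    'invoice.pdf' is the decoy; 'invoice.pdf ' (trailing space) is a directory that
    holds 'invoice.pdf .cmd'. Names and contents are placeholders, not real malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"echo placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control archive with an ordinary file and an ordinary directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("attachments/notes.txt", b"plain text")
    return buf.getvalue()


def find_suspicious_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy file, payload entry) pairs matching the CVE-2023-38831 pattern.

    Pattern: a top-level directory whose name has trailing whitespace and, once that
    whitespace is stripped, equals the name of a top-level file in the same archive.
    Every entry inside such a directory is reported as a candidate payload.
    """
    names = [info.filename for info in zipfile.ZipFile(io.BytesIO(zip_bytes)).infolist()]
    top_level_files = {n for n in names if "/" not in n}
    top_level_dirs = {n.split("/", 1)[0] for n in names if "/" in n}

    hits = []
    for d in top_level_dirs:
        stripped = d.rstrip()
        # Trailing whitespace in a directory name is the tell; a sibling file with
        # the identical stripped name is the decoy the user is meant to click.
        if stripped != d and stripped in top_level_files:
            for n in names:
                if n.startswith(d + "/") and n != d + "/":
                    hits.append((stripped, n))
    return sorted(hits)


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, find_suspicious_pairs(data))
```

The check is deliberately narrow (trailing whitespace plus a name collision), which keeps false positives low on ordinary archives; running it over mail-gateway attachments is a cheap way to surface this specific lure regardless of the payload it carries.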
Read at The Hacker News