SOC Prime Bias: Critical

15 May 2026 13:51 UTC

FrostyNeighbor: Fresh Mischief and Digital Threats

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

ESET reports that the FrostyNeighbor APT group, also tracked as Ghostwriter, has resumed attacks against Ukrainian government organizations using spear-phishing PDFs that deliver a JavaScript-based downloader known as PicassoLoader, which ultimately deploys a Cobalt Strike beacon. The campaign relies on geo-based validation, scheduled-task persistence, and multiple file-dropping techniques to reduce visibility and evade detection. Its infrastructure is positioned behind Cloudflare and uses several needbinding.icu domains.

Investigation

Researchers reconstructed the full attack chain, starting with the malicious PDF lure, continuing through the JavaScript dropper and PicassoLoader downloader, and ending with the delivery of the Cobalt Strike payload. They extracted indicators including filenames, registry changes, and command-and-control URLs, then linked them to known FrostyNeighbor tradecraft. The report also highlights exploitation of CVE-2023-38831 in WinRAR and CVE-2024-42009 in Roundcube.

Mitigation

Organizations should block suspicious attachment types (the campaign's PDF lures and the RAR archives they link to), enforce strict controls over macro and script execution, monitor for scheduled tasks created by unfamiliar binaries, and block outbound HTTPS traffic to the known malicious domains, including the needbinding.icu infrastructure. The referenced vulnerabilities (CVE-2023-38831 in WinRAR and CVE-2024-42009 in Roundcube) should be patched promptly, and application-control rules should restrict rundll32.exe to its System32 and SysWOW64 locations so that a copy placed in a user-writable directory such as ProgramData cannot execute.

Response

If any related indicators are detected, isolate the affected system immediately, collect forensic artifacts, and hunt for both the Cobalt Strike beacon and PicassoLoader components. Reset any exposed credentials and review scheduled tasks and Run key entries for signs of persistence.
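The persistence review called for above (scheduled tasks, Run keys, and the Startup folder where the campaign drops its launcher LNK) can be scripted. The following PowerShell is an added example written for this page, not code from SOC Prime or from the ESET report; the "suspicious" heuristics are the editor's assumptions, and the sample entries at the end are constructed to mirror the reported tradecraft rather than captured from a real host.

```powershell
# Added triage helper (editor's example, not from SOC Prime or ESET).
# Classifies autostart commands the way a responder would when reviewing
# scheduled tasks, Run/RunOnce keys and Startup folders after a FrostyNeighbor alert.
# The heuristics are assumptions about what "suspicious" means for this campaign.

function Test-SuspiciousAutostart {
    param([Parameter(Mandatory)][string]$Command)
    $reasons = @()
    # The campaign drops everything under %ProgramData%; AppData/Temp/Public are the usual siblings
    if ($Command -imatch '(\\|%)(ProgramData|AppData|Temp|Users\\Public)(\\|%)') {
        $reasons += 'user-writable path'
    }
    # Script hosts commonly used to run JScript/VBScript droppers
    if ($Command -imatch '\b(wscript|cscript|mshta|regsvr32)\.exe') {
        $reasons += 'script host'
    }
    # rundll32 that is not referenced by its System32/SysWOW64 path (the copied-binary trick)
    if ($Command -imatch 'rundll32\.exe' -and
        $Command -inotmatch '\\Windows\\(System32|SysWOW64)\\rundll32\.exe') {
        $reasons += 'rundll32 from non-standard path'
    }
    # Script or shortcut targets (the reported chain uses .js droppers and a launcher .lnk)
    if ($Command -imatch '\.(js|jse|vbs|vbe|lnk|hta)\b') {
        $reasons += 'script/shortcut target'
    }
    return ,$reasons
}

function Get-AutostartEntries {
    # Scheduled task actions (Get-ScheduledTask needs Windows 8 / Server 2012 or later)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Command = ("$($a.Execute) $($a.Arguments)").Trim()
                }
            }
        }
    }
    # Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Source = "$key\$($_.Name)"; Command = [string]$_.Value }
            }
    }
    # Per-user and all-users Startup folders; resolve .lnk files to their real target
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $cmd = $_.FullName
            if ($_.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = ("$($lnk.TargetPath) $($lnk.Arguments)").Trim()
            }
            [pscustomobject]@{ Source = "Startup $($_.FullName)"; Command = $cmd }
        }
    }
}

function Find-SuspiciousAutostart {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Entry)
    process {
        $reasons = Test-SuspiciousAutostart -Command $Entry.Command
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Source = $Entry.Source; Command = $Entry.Command; Reasons = ($reasons -join ', ') }
        }
    }
}

# Constructed sample entries mirroring the reported tradecraft (not captured from a real host).
# The last two are benign baselines and should not be flagged.
$samples = @(
    [pscustomobject]@{ Source = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Updater'; Command = 'C:\ProgramData\launcher.lnk' },
    [pscustomobject]@{ Source = 'Task \Microsoft\Sync';  Command = 'C:\ProgramData\Temp\rundll32.exe "C:\ProgramData\ViberPC.dll"' },
    [pscustomobject]@{ Source = 'Task \Microsoft\Sync';  Command = 'wscript.exe //B "%ProgramData%\Update.js"' },
    [pscustomobject]@{ Source = 'Task \Microsoft\Legit'; Command = 'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL' },
    [pscustomobject]@{ Source = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run\Vendor'; Command = '"C:\Program Files\Vendor\app.exe" /background' }
)
$samples | Find-SuspiciousAutostart | Format-Table -AutoSize

# On a live host (elevated prompt, to read HKLM tasks and the all-users Startup folder):
#   Get-AutostartEntries | Find-SuspiciousAutostart | Format-Table -AutoSize
```

The first three constructed entries are flagged with their reasons; the System32 rundll32 control-panel task and the Program Files entry pass clean. Treat the output as a triage list, not a verdict: confirm each hit by checking the file's hash, signature and creation time before removing it.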

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef technique fill:#ffcc99
        classDef file fill:#c2f0c2
        classDef tool fill:#cccccc
        classDef malware fill:#ff9999

        %% Nodes – Actions
        attack_initial_access["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Malicious PDF email with link to a RAR archive."]
        class attack_initial_access action
        action_user_execution["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim opens the PDF which runs a JavaScript dropper."]
        class action_user_execution action

        %% Nodes – Files
        file_malicious_pdf["<b>File</b> – <b>Name</b>: malicious.pdf<br/>Contains JavaScript dropper."]
        class file_malicious_pdf file
        file_rar["<b>File</b> – <b>Name</b>: payload.rar<br/>Delivered via link in the PDF."]
        class file_rar file
        file_scheduled_xml["<b>File</b> – <b>Name</b>: scheduled_task.xml<br/>XML used to register a scheduled task."]
        class file_scheduled_xml file
        file_reg["<b>File</b> – <b>Name</b>: persistence.reg<br/>Registry file that creates a Run key."]
        class file_reg file
        file_lnk["<b>File</b> – <b>Name</b>: launcher.lnk<br/>Shortcut placed in Startup folder."]
        class file_lnk file

        %% Nodes – Malware / Tools
        malware_javascript_dropper["<b>Malware</b> – <b>Name</b>: JavaScript Dropper<br/>Executes base64-encoded scripts and embeds second-stage payloads."]
        class malware_javascript_dropper malware
        tool_picasso_loader["<b>Tool</b> – <b>Name</b>: PicassoLoader<br/>Collects system info, process list and victim identity data."]
        class tool_picasso_loader tool
        malware_cobalt_strike["<b>Malware</b> – <b>Name</b>: Cobalt Strike Beacon<br/>Provides remote control capabilities."]
        class malware_cobalt_strike malware

        %% Nodes – Techniques
        technique_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/>Payloads are base64-encoded to avoid detection."]
        class technique_obfuscation technique
        technique_embedded_payload["<b>Technique</b> – <b>T1027.009 Embedded Payloads</b><br/>Downloader and beacon are hidden inside the JavaScript."]
        class technique_embedded_payload technique
        technique_gather_identity["<b>Technique</b> – <b>T1033 System Owner/User Discovery</b><br/>Collects username, computer name, OS version and boot time."]
        class technique_gather_identity technique
        technique_system_info["<b>Technique</b> – <b>T1082 System Information Discovery</b><br/>Harvests detailed system specifications."]
        class technique_system_info technique
        technique_process_discovery["<b>Technique</b> – <b>T1057 Process Discovery</b><br/>Enumerates running processes on the host."]
        class technique_process_discovery technique
        technique_c2_https["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>Communicates with C2 over HTTPS POST."]
        class technique_c2_https technique
        technique_scheduled_task["<b>Technique</b> – <b>T1053.005 Scheduled Task/Job: Scheduled Task</b><br/>Creates a scheduled-task XML for persistence."]
        class technique_scheduled_task technique
        technique_run_key["<b>Technique</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/>Adds a Run key pointing to a malicious LNK."]
        class technique_run_key technique
        technique_exfiltration["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Sends collected data over the same HTTPS channel."]
        class technique_exfiltration technique

        %% Connections – Attack Flow
        attack_initial_access -->|delivers| file_malicious_pdf
        file_malicious_pdf -->|links to| file_rar
        file_malicious_pdf -->|opened_by| action_user_execution
        action_user_execution -->|executes| malware_javascript_dropper
        malware_javascript_dropper -->|uses| technique_obfuscation
        malware_javascript_dropper -->|contains| technique_embedded_payload
        technique_embedded_payload -->|drops| tool_picasso_loader
        tool_picasso_loader -->|gathers| technique_system_info
        tool_picasso_loader -->|gathers| technique_process_discovery
        tool_picasso_loader -->|collects| technique_gather_identity
        tool_picasso_loader -->|contacts| technique_c2_https
        technique_c2_https -->|delivers| malware_cobalt_strike
        malware_cobalt_strike -->|establishes| technique_scheduled_task
        technique_scheduled_task -->|creates| file_scheduled_xml
        malware_cobalt_strike -->|establishes| technique_run_key
        technique_run_key -->|creates| file_reg
        file_reg -->|adds| file_lnk
        technique_c2_https -->|exfiltrates via| technique_exfiltration

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    The adversary has obtained a foothold on the victim host and wishes to deploy a Cobalt Strike beacon while staying under the radar. They:

    1. Copy rundll32.exe to a non-standard location (C:\ProgramData\Temp\rundll32.exe) to evade simple allow-list alerts keyed on the System32 path.
    2. Drop the malicious DLL (ViberPC.dll) into %ProgramData%. In the real intrusion this DLL carries the bootstrapped Cobalt Strike payload; the simulation writes a placeholder file of the same name.
    3. Execute the copied rundll32.exe with a command line that references the DLL (%ProgramData%\ViberPC.dll).
    4. Drop two JavaScript files (53_7.03.2026_R.js and Update.js) containing JScript that contacts the C2 server and finalizes the beacon installation.
    5. Run the JavaScript files with cscript.exe. The resulting Sysmon process-creation events have cscript.exe as the Image and the exact .js filenames in the CommandLine; the script itself never appears as the Image, only the script host does.

    These steps generate the exact Sysmon process‑creation events matched by selection1, selection2, and selection3 in the Sigma rule.

  • Regression Test Script:

    # FrostyNeighbor Cobalt Strike Deployment Simulation
    # -------------------------------------------------
    # Run from an elevated PowerShell prompt on a test host with Sysmon installed.
    # 1. Prepare paths (all drops go under %ProgramData%, as in the reported campaign)
    $tempDir    = Join-Path $env:ProgramData "Temp"
    $rundllCopy = Join-Path $tempDir "rundll32.exe"
    $malDll     = Join-Path $env:ProgramData "ViberPC.dll"
    $js1        = Join-Path $env:ProgramData "53_7.03.2026_R.js"
    $js2        = Join-Path $env:ProgramData "Update.js"
    
    # 2. Ensure the temp directory exists
    New-Item -Path $tempDir -ItemType Directory -Force | Out-Null
    
    # 3. Copy rundll32.exe to a non-standard location (selection1: Image outside System32)
    Copy-Item -Path (Join-Path $env:SystemRoot "System32\rundll32.exe") -Destination $rundllCopy -Force
    
    # 4. Create a placeholder "malicious" DLL. It is not a PE file, so rundll32 cannot load
    #    it and executes nothing; the process-creation event is all the detection needs.
    $placeholder = [IO.File]::ReadAllBytes((Join-Path $env:SystemRoot "System32\drivers\etc\hosts"))
    [IO.File]::WriteAllBytes($malDll, $placeholder)
    
    # 5. Execute the copied rundll32 with the DLL path on its command line (selection2)
    Start-Process -FilePath $rundllCopy -ArgumentList "`"$malDll`"" -WindowStyle Hidden
    
    # 6. Drop the JScript payloads. The beacon URL is a local placeholder; send() is wrapped
    #    in try/catch so cscript exits cleanly when nothing is listening on that port.
    $jsContent = @(
        '// Simple JScript that reaches out to a C2 endpoint (simulated)',
        'try {',
        '    var xhr = new ActiveXObject("MSXML2.XMLHTTP");',
        '    xhr.open("GET", "http://127.0.0.1:8080/beacon", false);',
        '    xhr.send();',
        '} catch (e) {}'
    ) -join "`r`n"
    
    Set-Content -Path $js1 -Value $jsContent -Encoding ASCII
    Set-Content -Path $js2 -Value $jsContent -Encoding ASCII
    
    # 7. Execute the JScript files via cscript (selection3: Image is cscript.exe,
    #    CommandLine carries the exact .js filenames)
    Start-Process -FilePath "cscript.exe" -ArgumentList "//NoLogo `"$js1`"" -WindowStyle Hidden
    Start-Process -FilePath "cscript.exe" -ArgumentList "//NoLogo `"$js2`"" -WindowStyle Hidden
    
    # 8. Pause to allow SIEM ingestion
    Start-Sleep -Seconds 15

  • Cleanup Commands:

    # Cleanup after simulation
    # Stop the processes the test started first; a running rundll32 copy would keep its file locked
    Get-Process -Name cscript -ErrorAction SilentlyContinue | Stop-Process -Force
    Get-Process -Name rundll32 -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -ieq (Join-Path $env:ProgramData "Temp\rundll32.exe") } |
        Stop-Process -Force
    $paths = @(
        (Join-Path $env:ProgramData "ViberPC.dll"),
        (Join-Path $env:ProgramData "53_7.03.2026_R.js"),
        (Join-Path $env:ProgramData "Update.js"),
        (Join-Path $env:ProgramData "Temp\rundll32.exe")
    )
    foreach ($p in $paths) {
        if (Test-Path $p) { Remove-Item -Path $p -Force }
    }
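To confirm that the simulation actually produced the telemetry the narrative promises (and to hunt for the same pattern on other hosts), the following PowerShell is an added check written for this page; it is not SOC Prime's Sigma rule, which is not reproduced above, so the three "selection" conditions are the editor's assumptions about that rule. The filenames are the ones the simulation drops, and the sample records are constructed, not real Sysmon captures.

```powershell
# Added Sysmon hunt (editor's example, not code from the SOC Prime page).
# Matches process-creation records against the three behaviours the simulation
# is meant to trigger. The selection logic is an assumption about the rule.

function Test-FrostyNeighborProcess {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine
    )
    $hits = @()
    $leaf = [IO.Path]::GetFileName($Image)
    # selection1: rundll32.exe whose Image is anywhere other than System32/SysWOW64
    if ($leaf -ieq 'rundll32.exe' -and
        $Image -inotmatch '^[A-Z]:\\Windows\\(System32|SysWOW64)\\rundll32\.exe$') {
        $hits += 'selection1: rundll32 outside System32'
    }
    # selection2: the loader DLL name on any command line
    if ($CommandLine -imatch 'ViberPC\.dll') {
        $hits += 'selection2: ViberPC.dll on command line'
    }
    # selection3: a script host launching either JScript dropper by exact name.
    # Note the Image is the script host, never the .js file itself.
    if (($leaf -in @('cscript.exe', 'wscript.exe')) -and
        $CommandLine -imatch '\b(53_7\.03\.2026_R|Update)\.js\b') {
        $hits += 'selection3: JScript dropper via script host'
    }
    return ,$hits
}

function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 1000)
    # Sysmon Event ID 1 = ProcessCreate; reading the log requires an elevated prompt
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt  = $_
            $data = ([xml]$evt.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                Image       = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
                CommandLine = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            }
        }
}

function Find-FrostyNeighborProcess {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Record)
    process {
        $hits = Test-FrostyNeighborProcess -Image $Record.Image -CommandLine ([string]$Record.CommandLine)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Image = $Record.Image; CommandLine = $Record.CommandLine; Hits = ($hits -join '; ') }
        }
    }
}

# Constructed records mirroring the simulation's telemetry (not real Sysmon captures).
# The last two are benign baselines and must not match.
$samples = @(
    [pscustomobject]@{ Image = 'C:\ProgramData\Temp\rundll32.exe'; CommandLine = '"C:\ProgramData\Temp\rundll32.exe" "C:\ProgramData\ViberPC.dll"' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\cscript.exe';   CommandLine = 'cscript.exe //NoLogo "C:\ProgramData\53_7.03.2026_R.js"' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\wscript.exe';   CommandLine = '"C:\Windows\System32\wscript.exe" "C:\ProgramData\Update.js"' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\rundll32.exe';  CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\cscript.exe';   CommandLine = 'cscript.exe //NoLogo "C:\Scripts\inventory.js"' }
)
$samples | Find-FrostyNeighborProcess | Format-Table -AutoSize

# After running the simulation on a Sysmon host:
#   Get-SysmonProcessCreate | Find-FrostyNeighborProcess | Format-Table -AutoSize
```

The first constructed record fires selection1 and selection2 together (the copied rundll32 loading ViberPC.dll), the next two fire selection3, and the two baselines stay clean. If the live query after the simulation returns nothing, the gap is in telemetry (Sysmon not logging Event ID 1 for these images, or a command-line field that is truncated or absent), which is exactly what the pre-flight check is meant to catch before the rule is blamed.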