{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/winrar/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["FrostyNeighbor"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cobalt Strike","WinRAR","Roundcube"],"_cs_severities":["high"],"_cs_tags":["frostyneighbor","cyberespionage","cobaltstrike","picassoloader","ukraine"],"_cs_type":"threat","_cs_vendors":["Microsoft","Cloudflare","Roundcube","WinRAR"],"content_html":"\u003cp\u003eESET researchers have identified new activity from FrostyNeighbor (aka Ghostwriter, UNC1151, UAC-0057, TA445, PUSHCHA, Storm-0257) targeting governmental organizations in Ukraine starting in March 2026. FrostyNeighbor, believed to be aligned with Belarus\u0026rsquo; interests, has been active since at least 2016, primarily targeting countries neighboring Belarus. The group employs spearphishing, disinformation campaigns, and credential harvesting to compromise various entities. This recent campaign utilizes malicious PDFs delivered via spearphishing emails, exploiting server-side validation to deliver a malicious payload only to victims with Ukrainian IP addresses. The group continually updates its toolset and compromise chains to evade detection, with a focus on Ukraine, Poland, and Lithuania. The attack culminates in the deployment of a Cobalt Strike beacon for persistent access and control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA spearphishing email delivers a malicious PDF file (e.g., 53_7.03.2026_R.pdf) impersonating Ukrtelecom, a Ukrainian telecommunications company.\u003c/li\u003e\n\u003cli\u003eIf the victim\u0026rsquo;s IP address is from Ukraine, the server delivers a RAR archive (e.g., 53_7.03.2026_R.rar) containing a JavaScript dropper (53_7.03.2026_R.js). Otherwise, a benign PDF is served.\u003c/li\u003e\n\u003cli\u003eThe JavaScript dropper (53_7.03.2026_R.js) executes and drops a decoy PDF file to the victim, simultaneously executing a second-stage JavaScript downloader (PicassoLoader) named Update.js, which is embedded in base64 within the first-stage script.\u003c/li\u003e\n\u003cli\u003eThe PicassoLoader script (Update.js) downloads a scheduled task template (config.xml) from a C\u0026amp;C server (book-happy.needbinding[.]icu) disguised as a JPG image (1GreenAM.jpg), but the server responds with text-based content, advertising an XML attachment.\u003c/li\u003e\n\u003cli\u003eThe script creates a scheduled task to achieve persistence. The scheduled task is configured to execute PicassoLoader (Update.js) periodically.\u003c/li\u003e\n\u003cli\u003eThe PicassoLoader script fingerprints the victim\u0026rsquo;s computer, sending data to a C\u0026amp;C server using a URL like \u003ca href=\"https://book-happy.needbinding\"\u003ehttps://book-happy.needbinding\u003c/a\u003e[.]icu/employment/documents-and-resources.\u003c/li\u003e\n\u003cli\u003eBased on the fingerprint, the C\u0026amp;C server may deliver a Cobalt Strike beacon.\u003c/li\u003e\n\u003cli\u003eThe Cobalt Strike beacon establishes persistence by copying rundll32.exe, writing a DLL to disk, and creating a registry entry to execute the copied rundll32.exe with the DLL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eFrostyNeighbor\u0026rsquo;s campaigns primarily target governmental, military, and key sectors in Eastern Europe, with a focus on Ukraine, Poland, and Lithuania. A successful compromise allows the attacker to gain persistent access to the victim\u0026rsquo;s systems, enabling them to conduct cyberespionage activities, including data theft, surveillance, and potential disruption of critical infrastructure. While Ukrainian targeting focuses on military, defense, and governmental entities, victimology in Poland and Lithuania includes sectors like industrial and manufacturing, healthcare and pharmaceuticals, logistics, and governmental organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to the C\u0026amp;C server domains listed in the IOC table, specifically \u003ccode\u003ebook-happy.needbinding[.]icu\u003c/code\u003e and \u003ccode\u003enama-belakang.nebao[.]icu\u003c/code\u003e to identify potential Cobalt Strike beacon activity.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the execution of JavaScript files dropping other JavaScript files, indicative of PicassoLoader activity.\u003c/li\u003e\n\u003cli\u003eInspect scheduled tasks for suspicious configurations that execute JavaScript files from the %AppData% directory to identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eBlock the malicious URLs listed in the IOC table at the network level, particularly \u003ccode\u003ehttps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg\u003c/code\u003e, to prevent the download of malicious scheduled task templates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T07:00:16Z","date_published":"2026-05-15T07:00:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-frostyneighbor-ukraine/","summary":"The FrostyNeighbor threat actor is targeting Ukrainian governmental organizations with spearphishing emails containing malicious PDFs that deliver a JavaScript dropper (PicassoLoader) and ultimately a Cobalt Strike beacon.","title":"FrostyNeighbor Targets Ukraine with Updated PicassoLoader Chain","url":"https://feed.craftedsignal.io/briefs/2026-05-frostyneighbor-ukraine/"}],"language":"en","title":"CraftedSignal Threat Feed — WinRAR","version":"https://jsonfeed.org/version/1.1"}