Fresh mischief and digital shenanigans

Published 21/05/2026 05:47 · Modified 21/05/2026 17:12

Essential information

Published
21/05/2026 05:47
Modified
21/05/2026 17:12
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
belarus cobalt strike cve-2023-38831 cve-2024-42009 cyberespionage eastern europe governmental targeting picassoloader spearphishing ukraine
Tags
2026-05-21 CVE-2023-38831 CVE-2024-42009 belarus cobalt strike cyberespionage eastern europe governmental targeting picassoloader spearphishing ukraine
Related entities
2 vulnerabilities (cve), 21 indicators, 21 observables, 1 intrusion sets (apt), 14 techniques (mitre), 2 malware, 20 others

Description

FrostyNeighbor, a group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activity detected since March 2026 shows the group targeting Ukrainian governmental organizations with evolved compromise chains. The attacks use spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of the PicassoLoader downloader. The group performs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, abuse of legitimate services, and regular toolset updates to evade detection, while maintaining its focus on credential harvesting and establishing persistent access to compromised systems.

External references