{
  "iim_version": "1.1",
  "chain_id": "frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike",
  "title": "FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike",
  "description": "ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.",
  "actor_id": "UAC-0057",
  "observed_at": "2026-03-10T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "53_7.03.2026_R.pdf",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 4F2C1856325372B9B7769D00141DBC1A23BDDD14; lure PDF observed in ESET report"
      ]
    },
    {
      "id": "e002",
      "type": "file",
      "value": "53_7.03.2026_R.rar",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 776A43E46C36A539C916ED426745EE96E2392B39; RAR archive delivered after PDF interaction"
      ]
    },
    {
      "id": "e003",
      "type": "file",
      "value": "53_7.03.2026_R.js",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F; JavaScript inside the RAR"
      ]
    },
    {
      "id": "e004",
      "type": "url",
      "value": "hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg",
      "source": "ESET FrostyNeighbor report",
      "evidence": [
        "URL used by the JavaScript stage to retrieve a task template"
      ],
      "observed_at": "2026-03-10T00:00:00Z"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "Update.js / PicassoLoader",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 B65551D339AECE718EA1465BF3542C794C445EFC; PicassoLoader stage"
      ]
    },
    {
      "id": "e006",
      "type": "url",
      "value": "hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources",
      "source": "ESET FrostyNeighbor report",
      "evidence": [
        "PicassoLoader HTTP POST C2 path documented by ESET"
      ]
    },
    {
      "id": "e007",
      "type": "file",
      "value": "Update.js / Cobalt Strike dropper",
      "source": "ESET FrostyNeighbor IOC repo",
      "evidence": [
        "SHA1 E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906; Cobalt Strike dropper"
      ]
    },
    {
      "id": "e008",
      "type": "file",
      "value": "ViberPC.dll / Cobalt Strike Beacon",
      "source": "ESET FrostyNeighbor IOC repo",
      "evidence": [
        "SHA1 43E30BE82D82B24A6496F6943ECB6877E83F88AB; Cobalt Strike Beacon"
      ]
    },
    {
      "id": "e009",
      "type": "url",
      "value": "hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "Cobalt Strike C2 path documented by ESET"
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T019",
        "IIM-T021"
      ]
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T024",
        "IIM-T019"
      ]
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T001",
        "IIM-T010"
      ]
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T001",
        "IIM-T010",
        "IIM-T020",
        "IIM-T021"
      ]
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T001",
        "IIM-T010",
        "IIM-T011"
      ]
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "confidence": "confirmed"
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "confidence": "confirmed"
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "confidence": "confirmed"
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "drops",
      "sequence_order": 4,
      "confidence": "confirmed"
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "connect",
      "sequence_order": 5,
      "confidence": "confirmed"
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "download",
      "sequence_order": 6,
      "confidence": "confirmed"
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 7,
      "confidence": "confirmed"
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "connect",
      "sequence_order": 8,
      "confidence": "confirmed"
    }
  ],
  "x_report_published_month": "2026-05",
  "x_source_reports": [
    "ESET WeLiveSecurity FrostyNeighbor report",
    "ESET malware-ioc FrostyNeighbor README"
  ],
  "x_source_urls": [
    "https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/",
    "https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"
  ],
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_scope_note": "Report was published in May 2026; some entities were first observed in March 2026 inside the campaign described by the May report.",
  "attack_annotations": [
    {
      "technique_id": "T1204.002",
      "name": "Malicious File",
      "comment": "User opens the lure PDF, which leads to the RAR/JS stages."
    },
    {
      "technique_id": "T1059.007",
      "name": "JavaScript",
      "comment": "JavaScript delivery and execution stage."
    },
    {
      "technique_id": "T1071.001",
      "name": "Web Protocols",
      "comment": "HTTP(S) C2 for PicassoLoader and Cobalt Strike."
    }
  ]
}