
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

Confidence: confirmed | IIM version: 1.1 | Actor: UAC-0057
Entities: 9 | Relations: 8 | Techniques: 7 | Published: 2026-05-26 13:26:34

Chain storyline (ordered IIM positions)

Pos | Role    | Type | Value                                                                            | IIM techniques
1   | entry   | file | 53_7.03.2026_R.pdf                                                               | IIM-T019, IIM-T021
2   | staging | file | 53_7.03.2026_R.rar                                                               | IIM-T024, IIM-T019
3   | staging | file | 53_7.03.2026_R.js                                                                | IIM-T024
4   | staging | url  | hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg    | IIM-T001, IIM-T010
5   | payload | file | Update.js / PicassoLoader                                                        | (none)
6   | c2      | url  | hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources         | IIM-T001, IIM-T010, IIM-T020, IIM-T021
7   | payload | file | Update.js / Cobalt Strike dropper                                                | (none)
8   | payload | file | ViberPC.dll / Cobalt Strike Beacon                                               | (none)
9   | c2      | url  | hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt                        | IIM-T001, IIM-T010, IIM-T011

Relations (directed infrastructure edges)

Seq | From | Relation | To   | Confidence
1   | e001 | download | e002 | confirmed
2   | e002 | drops    | e003 | confirmed
3   | e003 | download | e004 | confirmed
4   | e004 | drops    | e005 | confirmed
5   | e005 | connect  | e006 | confirmed
6   | e005 | download | e007 | confirmed
7   | e007 | drops    | e008 | confirmed
8   | e008 | connect  | e009 | confirmed

Entities & evidence (observable inventory)

ID   | Type | Value                                                                            | Source / evidence
e001 | file | 53_7.03.2026_R.pdf                                                               | SHA1 4F2C1856325372B9B7769D00141DBC1A23BDDD14; lure PDF observed in ESET report
e002 | file | 53_7.03.2026_R.rar                                                               | SHA1 776A43E46C36A539C916ED426745EE96E2392B39; RAR archive delivered after PDF interaction
e003 | file | 53_7.03.2026_R.js                                                                | SHA1 8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F; JavaScript inside the RAR
e004 | url  | hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg    | URL used by the JavaScript stage to retrieve a task template
e005 | file | Update.js / PicassoLoader                                                        | SHA1 B65551D339AECE718EA1465BF3542C794C445EFC; PicassoLoader stage
e006 | url  | hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources         | PicassoLoader HTTP POST C2 path documented by ESET
e007 | file | Update.js / Cobalt Strike dropper                                                | SHA1 E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906; Cobalt Strike dropper
e008 | file | ViberPC.dll / Cobalt Strike Beacon                                               | SHA1 43E30BE82D82B24A6496F6943ECB6877E83F88AB; Cobalt Strike Beacon
e009 | url  | hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt                        | Cobalt Strike C2 path documented by ESET

ATT&CK annotations (optional complementary mapping)

T1204.002 Malicious File: User opens lure PDF/RAR/JS chain.
T1059.007 JavaScript: JavaScript delivery and execution stage.
T1071.001 Web Protocols: HTTP(S) C2 for PicassoLoader and Cobalt Strike.

Raw IIM JSON (canonical body from MANTIS)
{
  "iim_version": "1.1",
  "chain_id": "frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike",
  "title": "FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike",
  "description": "ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.",
  "actor_id": "UAC-0057",
  "observed_at": "2026-03-10T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "53_7.03.2026_R.pdf",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 4F2C1856325372B9B7769D00141DBC1A23BDDD14; lure PDF observed in ESET report"
      ]
    },
    {
      "id": "e002",
      "type": "file",
      "value": "53_7.03.2026_R.rar",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 776A43E46C36A539C916ED426745EE96E2392B39; RAR archive delivered after PDF interaction"
      ]
    },
    {
      "id": "e003",
      "type": "file",
      "value": "53_7.03.2026_R.js",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F; JavaScript inside the RAR"
      ]
    },
    {
      "id": "e004",
      "type": "url",
      "value": "hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg",
      "source": "ESET FrostyNeighbor report",
      "evidence": [
        "URL used by the JavaScript stage to retrieve a task template"
      ],
      "observed_at": "2026-03-10T00:00:00Z"
    },
    {
      "id": "e005",
      "type": "file",
      "value": "Update.js / PicassoLoader",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "SHA1 B65551D339AECE718EA1465BF3542C794C445EFC; PicassoLoader stage"
      ]
    },
    {
      "id": "e006",
      "type": "url",
      "value": "hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources",
      "source": "ESET FrostyNeighbor report",
      "evidence": [
        "PicassoLoader HTTP POST C2 path documented by ESET"
      ]
    },
    {
      "id": "e007",
      "type": "file",
      "value": "Update.js / Cobalt Strike dropper",
      "source": "ESET FrostyNeighbor IOC repo",
      "evidence": [
        "SHA1 E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906; Cobalt Strike dropper"
      ]
    },
    {
      "id": "e008",
      "type": "file",
      "value": "ViberPC.dll / Cobalt Strike Beacon",
      "source": "ESET FrostyNeighbor IOC repo",
      "evidence": [
        "SHA1 43E30BE82D82B24A6496F6943ECB6877E83F88AB; Cobalt Strike Beacon"
      ]
    },
    {
      "id": "e009",
      "type": "url",
      "value": "hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt",
      "source": "ESET FrostyNeighbor report / IOC repo",
      "evidence": [
        "Cobalt Strike C2 path documented by ESET"
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T019",
        "IIM-T021"
      ]
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T024",
        "IIM-T019"
      ]
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T001",
        "IIM-T010"
      ]
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T001",
        "IIM-T010",
        "IIM-T020",
        "IIM-T021"
      ]
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "techniques": [
        "IIM-T001",
        "IIM-T010",
        "IIM-T011"
      ]
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "confidence": "confirmed"
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "confidence": "confirmed"
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "confidence": "confirmed"
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "drops",
      "sequence_order": 4,
      "confidence": "confirmed"
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "connect",
      "sequence_order": 5,
      "confidence": "confirmed"
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "download",
      "sequence_order": 6,
      "confidence": "confirmed"
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 7,
      "confidence": "confirmed"
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "connect",
      "sequence_order": 8,
      "confidence": "confirmed"
    }
  ],
  "x_report_published_month": "2026-05",
  "x_source_reports": [
    "ESET WeLiveSecurity FrostyNeighbor report",
    "ESET malware-ioc FrostyNeighbor README"
  ],
  "x_source_urls": [
    "https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/",
    "https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"
  ],
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_scope_note": "Report was published in May 2026; some entities were first observed in March 2026 inside the campaign described by the May report.",
  "attack_annotations": [
    {
      "technique_id": "T1204.002",
      "name": "Malicious File",
      "comment": "User opens lure PDF/RAR/JS chain."
    },
    {
      "technique_id": "T1059.007",
      "name": "JavaScript",
      "comment": "JavaScript delivery and execution stage."
    },
    {
      "technique_id": "T1071.001",
      "name": "Web Protocols",
      "comment": "HTTP(S) C2 for PicassoLoader and Cobalt Strike."
    }
  ]
}