{"id":12892,"date":"2026-05-15T10:04:04","date_gmt":"2026-05-15T10:04:04","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/15\/hackers-abuse-scheduled-tasks-to-maintain-persistence-in-frostyneighbor-attacks\/"},"modified":"2026-05-15T10:04:04","modified_gmt":"2026-05-15T10:04:04","slug":"hackers-abuse-scheduled-tasks-to-maintain-persistence-in-frostyneighbor-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/15\/hackers-abuse-scheduled-tasks-to-maintain-persistence-in-frostyneighbor-attacks\/","title":{"rendered":"Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks"},"content":{"rendered":"<div>\n<p>A state-aligned hacking group known as FrostyNeighbor has resurfaced with a fresh wave of cyberattacks targeting government organizations in Ukraine, using a staged infection chain built to evade both automated detection and sandbox analysis. <\/p>\n<p>The group, active since at least 2016, has a long history of targeting countries neighboring Belarus, and its latest campaign shows how far its tradecraft has evolved. 
<\/p>\n<p>The new activity, first observed in March 2026, combines lure documents, layered JavaScript stages, and server-side victim filtering into a single coordinated operation.<\/p>\n<p>The attacks begin with spearphishing emails carrying malicious PDF files designed to look like legitimate government communications. <\/p>\n<p>One lure document impersonated Ukrtelecom, a Ukrainian telecommunications company, and purported to offer assurances about customer data protection. <\/p>\n<p>When a recipient clicks the download button inside the PDF, the request goes to a server controlled by the attackers, and what is served back depends on where the request is coming from.<\/p>\n<p>In a report published on <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/frostyneighbor-fresh-mischief-digital-shenanigans\/\" id=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/frostyneighbor-fresh-mischief-digital-shenanigans\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">WeLiveSecurity<\/a>, ESET\u2019s threat research blog, and shared with <a href=\"https:\/\/cybersecuritynews.com\/\" id=\"https:\/\/cybersecuritynews.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cyber Security News (CSN)<\/a>, ESET researchers describe FrostyNeighbor, also tracked as Ghostwriter, UNC1151, TA445, PUSHCHA, and Storm-0257, as a long-running cyberespionage actor apparently aligned with the interests of Belarus. 
<\/p>\n<p>ESET researchers noted that the group regularly updates its tools and methods specifically to avoid triggering security alerts.<\/p>\n<p>FrostyNeighbor\u2019s campaigns have historically focused on Ukraine, Poland, and Lithuania, with victims ranging from government and military bodies to industrial firms and healthcare organizations. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiP9684UF2TczzZ6m48K6_XDD1i0uXRLwy0i7qMBy5nclx1YKUYtjXr5Dd6QO66gfT4nbfggABx7j_qg_GrH9-2cK1ycyZerhlXAvqCrs8wVvwKqmGF4QXPof698HyFhSiZbMY9_NDLS006RVuKpjq5XKs6wg2teU0H-DYcI-HWh0yb8vl441AcMci_9ZA\/s16000\/Compromise%2520chain%2520overview%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\" alt=\"Compromise chain overview (Source - Welivesecurity)\"><figcaption class=\"wp-element-caption\">Compromise chain overview (Source \u2013 Welivesecurity)<\/figcaption><\/figure>\n<\/div>\n<p>In its newest campaign, the group demonstrates both patience and precision, delivering the final payload only after an operator has manually confirmed that a target is worth pursuing. <\/p>\n<p>This selective approach makes the operation difficult to detect and difficult to replicate in a controlled environment: a sandbox or analyst machine that does not pass the operator\u2019s review never receives the final stage.<\/p>\n<p>The group has been tracked by researchers for years, with past reports from CERT-UA, SentinelOne, HarfangLab, and StrikeReady all documenting its evolving tactics. <\/p>\n<p>The latest findings reveal a newer delivery mechanism that uses JavaScript to stage the attack across multiple steps, pulling in components disguised as ordinary image or web files.<\/p>\n<h2 class=\"wp-block-heading\" 
id=\"scheduled-tasks-drive-persistence\"><strong>Hackers Abuse Scheduled Tasks<\/strong><\/h2>\n<p>Once a victim connecting from Ukraine clicks the embedded link in the lure document, the attacker\u2019s server delivers a RAR archive named 53_7.03.2026_R.rar. <\/p>\n<p>Inside is a JavaScript file that drops a decoy PDF to keep the target occupied while quietly launching the next stage in the background. <\/p>\n<p>This second-stage script, called PicassoLoader, is a downloader the group has used across multiple campaigns and has reimplemented in several programming languages.<\/p>\n<p>To lock in its presence on the victim\u2019s machine, PicassoLoader downloads a scheduled task template from the command-and-control server, disguised as a JPEG image file (the delivery URL in the IoC table ends in .jpg). <\/p>\n<p>The server actually delivers an XML task definition, and the script fills in the real execution parameters before registering the scheduled task on the system. For defenders, the mismatch between a .jpg URL and an XML response body is itself a useful detection point at the web proxy. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpnuyvWlvAjd_NkY82mKdxkT_ZprRU1lQ6tB8_WOd9YgV1JTuzkWJhyphenhyphenEvH9d7EyetyI9GdkxUc2h07LXopKy2dqtrhSog5Ic6vnMTh6WFHNg17KA5Z14HOVtoTn8kbFinNtnnNTyfgSy-MU314cMsMADmBe3nscNmd_t0IeTNWfUDO9W0diG6Q65Ks790\/s16000\/Scheduled%2520task%2520template%2520downloaded%2520from%2520the%2520C%26C%2520server%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\" alt=\"Scheduled task template downloaded from the C&amp;C server (Source - Welivesecurity)\"><figcaption class=\"wp-element-caption\">Scheduled task template downloaded from the C&amp;C server (Source \u2013 Welivesecurity)<\/figcaption><\/figure>\n<\/div>\n<p>The resulting task runs PicassoLoader automatically at every Windows startup, which is how FrostyNeighbor keeps access to compromised machines across reboots.<\/p>\n<h2 class=\"wp-block-heading\" id=\"cobalt-strike-deployed-after-victim-validation\"><strong>Cobalt Strike Deployed After Victim Validation<\/strong><\/h2>\n<p>What makes this attack chain particularly sharp is the server-side validation step that occurs before any serious payload is delivered.
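<\/p>\n<p>Both persistence artifacts in this chain, the filled-in Task Scheduler XML that PicassoLoader registers and the registry entry (assumed here to be a Run-key value) that starts the renamed rundll32.exe copy described in the next section, can be triaged offline from a disk image or an EDR export. The following Python script is an added example written for this page; it is not ESET\u2019s code, not the attacker\u2019s script, and not a copy of the template shown in the figure above. The task name, file paths, registry key and value name in its sample inputs are constructed assumptions, because the report does not give them.<\/p>

```python
"""Triage of the two persistence artifacts described in this article (added example).

Not ESET's code, not the attacker's script, and not a copy of the task template in the
figure. Parses a Task Scheduler XML definition (what PicassoLoader fills in and registers)
and a .reg export of a Run key (how the Cobalt Strike stage is started at logon), flagging
the traits the article names. Task name, paths and value names in the samples are assumed.
"""
import re
import xml.etree.ElementTree as ET

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "regsvr32.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta|ps1)\b", re.I)
USER_WRITABLE = re.compile(  # profile directories and the env vars that expand to them
    r"\\Users\\[^\\]+\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%USERPROFILE%|%PUBLIC%|\\ProgramData\\",
    re.I)
RUNDLL_ARGS = re.compile(r'^"?[^",]+\.dll"?\s*,\s*\S+', re.I)  # rundll32 syntax: path.dll,EntryPoint
AUTOSTART_TRIGGERS = {"BootTrigger", "LogonTrigger"}

def _local(tag):
    """Strip the XML namespace; attacker-supplied templates may omit it entirely."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def split_command_line(cmdline):
    """Split a Windows command line into (program, arguments), honouring a quoted program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[1:end], cmdline[end + 1:].strip()
    program, _, rest = cmdline.partition(" ")
    return program, rest.strip()

def triage_command(program, args):
    """Return the suspicious traits of one program/argument pair (empty list if none)."""
    exe = re.split(r"[\\/]", program.strip().strip('"'))[-1].lower()
    findings = []
    if exe in SCRIPT_HOSTS and SCRIPT_EXT.search(args):
        findings.append(f"{exe} launching a script file")
    if USER_WRITABLE.search(program + " " + args):
        findings.append("runs from a user-writable location")
    if RUNDLL_ARGS.match(args) and exe != "rundll32.exe":
        findings.append(f"rundll32-style DLL,entrypoint arguments under {exe} (renamed rundll32?)")
    return findings

def triage_task_xml(xml_text):
    """Parse one Task Scheduler XML definition and return the list of findings."""
    elements = list(ET.fromstring(xml_text).iter())
    findings = []
    triggers = {_local(e.tag) for e in elements} & AUTOSTART_TRIGGERS
    if triggers:
        findings.append("autostart trigger: " + ", ".join(sorted(triggers)))
    if any(_local(e.tag) == "Hidden" and (e.text or "").strip().lower() == "true" for e in elements):
        findings.append("task is hidden from the Task Scheduler UI")
    for exec_node in (e for e in elements if _local(e.tag) == "Exec"):
        fields = {_local(c.tag): (c.text or "").strip() for c in exec_node}
        findings.extend(triage_command(fields.get("Command", ""), fields.get("Arguments", "")))
    return findings

def parse_reg_run_values(reg_text):
    """Yield (key, value_name, command_line) for each Run/RunOnce string value in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if key and m and re.search(r"\\CurrentVersion\\Run(?:Once)?$", key, re.I):
            # .reg string values escape backslash and double quote with a backslash
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def triage_reg(reg_text):
    """Return {value_name: findings} for every Run-key entry that shows suspicious traits."""
    results = {}
    for _key, name, cmdline in parse_reg_run_values(reg_text):
        hits = triage_command(*split_command_line(cmdline))
        if hits:
            results[name] = hits
    return results

# Constructed sample: a filled-in task of the kind PicassoLoader registers. The %APPDATA%
# location of the script and the wscript.exe switches are assumptions for this example.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B //E:JScript "%APPDATA%\Microsoft\Update.js"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample .reg export. The article says only that a renamed rundll32.exe (ViberPC.exe)
# starts the beacon DLL via a registry entry; key, value name and directory are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ViberPC"="\"C:\\Users\\victim\\AppData\\Roaming\\ViberPC\\ViberPC.exe\" C:\\Users\\victim\\AppData\\Roaming\\ViberPC\\ViberPC.dll,Start"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''
```

<p>Real task definitions live under C:\\Windows\\System32\\Tasks and are UTF-16 encoded, so read them with <code>open(path, encoding=\"utf-16\")<\/code> before calling <code>triage_task_xml<\/code>; the output of <code>reg export<\/code> for the Run key feeds <code>triage_reg<\/code> the same way. A hit is a lead, not a verdict: legitimate updaters also use logon triggers and user-profile paths, so confirm against the SHA-1 hashes in the IoC table and check whether the launched binary\u2019s version resource and Authenticode signature still identify it as rundll32.exe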
<\/p>\n<p>Every ten minutes, PicassoLoader sends a system fingerprint, including the username, computer name, operating system version, and a list of running processes, to the command-and-control server. <\/p>\n<p>A human operator then reviews this information and decides whether the target is worth the next move.<\/p>\n<p>If the victim qualifies, the server responds with a third-stage JavaScript dropper. This script copies the legitimate Windows binary rundll32.exe under a different name (ViberPC.exe in the observed sample), most likely to evade detection rules that key on the rundll32.exe process name; the copy is still Microsoft-signed, so its Authenticode signature and version resource still identify it as rundll32.exe. <\/p>\n<p>A Cobalt Strike beacon DLL (ViberPC.dll) is then written to disk, and a registry entry ensures the beacon is launched automatically on every startup, giving the attackers persistent remote control over the compromised machine.<\/p>\n<p>Security researchers recommend continuous monitoring of the group\u2019s infrastructure, toolset changes, and operational patterns as the most effective defense against future campaigns. <\/p>\n<p>Organizations across Eastern Europe, especially those in government, defense, and critical sectors, should treat unsolicited PDF attachments as a potential threat, and should hunt for the artifacts described above: scheduled tasks that launch a script host from a user-profile path, and startup entries that run a renamed copy of rundll32.exe.<\/p>\n<p><strong>Indicators of Compromise (IoCs):<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SHA-1<\/td>\n<td>776A43E46C36A539C916ED426745EE96E2392B39<\/td>\n<td>53_7.03.2026_R.rar \u2014 JS\/TrojanDropper.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F<\/td>\n<td>53_7.03.2026_R.js \u2014 JS\/TrojanDropper.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>B65551D339AECE718EA1465BF3542C794C445EFC<\/td>\n<td>Update.js \u2014 JS\/TrojanDownloader.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906<\/td>\n<td>Update.js \u2014 JS\/TrojanDropper.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>43E30BE82D82B24A6496F6943ECB6877E83F88AB<\/td>\n<td>ViberPC.dll \u2014 Win32\/CobaltStrike.Beacon<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>4F2C1856325372B9B7769D00141DBC1A23BDDD14<\/td>\n<td>53_7.03.2026_R.pdf \u2014 PDF\/TrojanDownloader.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>D89E5524E49199B1C3B66C524E7A63C3F0A0C199<\/td>\n<td>Certificate.pdf \u2014 PDF\/TrojanDownloader.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>7E537D8E91668580A482BD77A5A4CABA26D6BDAC<\/td>\n<td>certificate.js \u2014 
JS\/TrojanDownloader.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>FA6882672AD3654800987613310D7C3FBADE027E<\/td>\n<td>certificate.js \u2014 JS\/TrojanDownloader.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>3FA7D1B13542F1A9EB054111F9B69C250AF68643<\/td>\n<td>\u0421\u0435\u0442\u0438\u0444\u0456\u043a\u0430\u0442_CAF.rar \u2014 JS\/TrojanDropper.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>4E52C92709A918383E90534052AAA257ACE2780C<\/td>\n<td>\u0421\u0435\u0442\u0438\u0444\u0456\u043a\u0430\u0442_CAF.js \u2014 JS\/TrojanDropper.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>6FDED427A16D5314BA3E1EB9AFD120DC84449769<\/td>\n<td>EdgeTaskMachine.js \u2014 JS\/TrojanDropper.FrostyNeighbor<\/td>\n<\/tr>\n<tr>\n<td>SHA-1<\/td>\n<td>27FA11F6A1D653779974B6FB54DE4AF47F211232<\/td>\n<td>EdgeSystemConfig.dll \u2014 Win32\/CobaltStrike.Beacon<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>attachment-storage-asset-static.needbinding[.]icu<\/td>\n<td>C&amp;C server \u2014 PicassoLoader delivery<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>book-happy.needbinding[.]icu<\/td>\n<td>C&amp;C server \u2014 scheduled task template and fingerprint collection<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>nama-belakang.nebao[.]icu<\/td>\n<td>C&amp;C server \u2014 Cobalt Strike beacon C&amp;C<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>easiestnewsfromourpointofview.algsat[.]icu<\/td>\n<td>C&amp;C infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>mickeymousegamesdealer.al[.]icu<\/td>\n<td>C&amp;C infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>exavegas[.]icu<\/td>\n<td>C&amp;C infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>hinesafar.sardk[.]icu<\/td>\n<td>C&amp;C infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>shinesafar.sardk[.]icu<\/td>\n<td>C&amp;C infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>best-seller.lavanille[.]buzz<\/td>\n<td>C&amp;C 
infrastructure<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https:\/\/book-happy.needbinding[.]icu\/wp-content\/uploads\/2023\/10\/1GreenAM.jpg<\/td>\n<td>Scheduled task template delivery URL<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https:\/\/book-happy.needbinding[.]icu\/employment\/documents-and-resources<\/td>\n<td>PicassoLoader fingerprint POST endpoint<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td>https:\/\/nama-belakang.nebao[.]icu\/statistics\/discover.txt<\/td>\n<td>Cobalt Strike beacon C&amp;C endpoint<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>53_7.03.2026_R.rar<\/td>\n<td>First-stage RAR archive lure<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>53_7.03.2026_R.js<\/td>\n<td>First-stage JavaScript dropper<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>53_7.03.2026_R.pdf<\/td>\n<td>Decoy PDF lure document<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>Update.js<\/td>\n<td>PicassoLoader second-stage downloader<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>WinUpdate.reg<\/td>\n<td>Registry file dropped by first-stage script<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>ViberPC.exe<\/td>\n<td>Renamed copy of rundll32.exe<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>ViberPC.dll<\/td>\n<td>Cobalt Strike beacon payload<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>ViberPC.reg<\/td>\n<td>Registry file for Cobalt Strike persistence<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>ViberPC.lnk<\/td>\n<td>Shortcut file for Cobalt Strike execution<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>EdgeTaskMachine.js<\/td>\n<td>Additional FrostyNeighbor dropper<\/td>\n<\/tr>\n<tr>\n<td>Filename<\/td>\n<td>EdgeSystemConfig.dll<\/td>\n<td>Additional Cobalt Strike beacon<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-scheduled-tasks-to-maintain-persistence\/\">Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A state-aligned hacking group known as FrostyNeighbor has resurfaced with a fresh wave of cyberattacks targeting government organizations in Ukraine, using a carefully designed infection chain that is harder than ever to detect. 
The group, active since at least 2016, has a long history of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12892","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12892"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12892"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12892\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}