Damien Schaeffer

Damien works as a Senior Malware Researcher at ESET, where he specializes in targeted attack research. With a primary focus on APT groups, his main duties include hunting for and reverse engineering the latest threats. He holds an M.Sc. in Computer Science and previously worked in incident response, cyber threat intelligence, and malware analysis.


Session

04-17
12:00
30min
FrostyNeighbor’s playbook: How phishing and malware drive long-term espionage in Europe
Damien Schaeffer

Over the past years, we have closely monitored and tracked the evolution of FrostyNeighbor, also known as UNC1151. Aligned with the interests of an Eastern European country, this APT group has demonstrated technical sophistication and strategic intent since 2016, mixing cyberespionage with political influence operations. Its history shows how the group evolved from targeting military and governmental entities to interfering in democratic processes.
Initially focused on intelligence collection against Ukrainian defense and governmental organizations, the group expanded its scope to other countries, aligning its operations with geopolitical events such as the Polish parliamentary elections in 2023 and the presidential election in 2025. The group uses spearphishing and credential theft alongside narratives crafted to sway public opinion on sensitive political issues.
FrostyNeighbor has continually refined its methods to evade defenders. Over time, it moved from relatively simple lure documents to complex compromise chains using custom malware written in multiple programming languages. Its modular toolset allows FrostyNeighbor to deliver payloads only to selected targets, with the payloads hidden inside seemingly benign files such as images or style sheets. The group has also run many phishing campaigns, using spoofed login pages to harvest credentials and exploiting vulnerabilities in widely used webmail platforms, notably Roundcube.
This dual approach, espionage for strategic advantage and political disruption to sow discord, highlights the growing complexity of modern cyberconflict. FrostyNeighbor’s operations illustrate how state-linked threat actors exploit digital ecosystems not only to steal secrets but also to shape narratives and erode trust in democratic institutions. In this presentation, we describe the most interesting tools in FrostyNeighbor’s arsenal, including advanced compromise chains and multistage malware. Finally, we highlight the group’s victimology and post-compromise activities.

Main conference
Amphitheater