FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned) — March–May 2026 campaign confirmed [SINGLE-SOURCE: ESET]

ESET's May 2026 analysis documented an ongoing campaign targeting Ukrainian government organisations with spear-phishing — PDF lures impersonating Ukrtelecom delivering PicassoLoader and Cobalt Strike as initial foothold. The campaign overlaps with the historical Ghostwriter disinformation operations against Ukrainian and EU audiences. Swiss and EU government and media entities with Ukraine-related policy exposure should treat FrostyNeighbor as an active threat. No developments beyond the ESET disclosure surfaced in the W21 research window.