Cobalt Strike Used Against Russian Organizations, Malware Hosted on GitHub and Social Media

📟 News

Date: 01/08/2025

Researchers at Kaspersky Lab have discovered new attacks on Russian organizations that deploy Cobalt Strike Beacon. To evade detection, the attackers host the encrypted payload stages in user profiles on legitimate services, including GitHub and social networks, and have the malware fetch them from there.

In their report, the researchers note that such attacks were first observed in the second half of 2024, when they hit organizations in Russia, China, Japan, Malaysia and Peru.

During 2025 the activity declined and only isolated incidents were recorded. In July 2025, however, the researchers found new malicious files aimed exclusively at Russian enterprises, mostly large and medium-sized businesses.

The attacks begin with phishing emails that impersonate large state-owned companies (notably in the oil and gas sector) and express interest in the victim organization's products or services. The attached archive contains files presented as PDF documents with requirements to review; in reality they are malicious .exe and .dll executables.

To run the malware, the attackers rely on a common technique, DLL (Dynamic Link Library) hijacking, together with a legitimate utility, the Crash Reporting Send Utility (original file name BsSndRpt.exe). This utility is part of the BugSplat crash-reporting solution, originally built so that developers receive real-time information about application failures. Because the attackers placed their own DLL next to the utility, it loaded the malicious library instead of the legitimate one when it started.
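The two tricks just described, a PE file named so that it passes for a PDF and a legitimate executable shipped next to a DLL it will load, can be caught with a simple triage pass over the extracted archive. The Python script below is an added example, not Kaspersky's tooling or the actual sample. The file names it creates (Requirements_for_review.pdf.exe, Annex_1.pdf, helper.dll) are constructed for the demonstration, and the report does not name the DLL that was hijacked, so helper.dll is a placeholder.

```python
"""Triage an extracted phishing archive for the two tricks described above:
PE files named to look like PDFs, and a legitimate EXE shipped with DLLs it may load.
Added example, not Kaspersky's tooling; every file name below is constructed."""
import os
import shutil
import tempfile
from dataclasses import dataclass

PE_MAGIC = b"MZ"                    # DOS header that starts every Windows EXE/DLL
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


@dataclass
class Finding:
    path: str
    reason: str


def is_pe(path: str) -> bool:
    """True if the file starts with the PE/DOS magic, whatever its name says."""
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC


def looks_like_document(name: str) -> bool:
    # Catches "report.pdf.exe" (Explorer hides the final extension by default)
    # as well as a plain "report.pdf" that is really an executable.
    return ".pdf" in name.lower()


def triage(root: str) -> list:
    """Walk the extracted archive and return a list of Finding objects."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes, dlls = [], []
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if not is_pe(path):
                continue                                  # real documents are fine
            if looks_like_document(name):
                findings.append(Finding(path, "PE executable disguised as a PDF"))
            elif ext not in EXEC_EXTS:
                findings.append(Finding(path, f"PE content behind non-executable extension {ext or '(none)'}"))
            if ext == ".exe":
                exes.append(name)
            elif ext == ".dll":
                dlls.append(name)
        # An EXE that arrives with its own DLLs is the classic side-loading layout.
        if exes and dlls:
            findings.append(Finding(dirpath, f"side-loading candidate: {sorted(exes)} shipped with {sorted(dlls)}"))
    return findings


def build_sample() -> str:
    """Create a constructed archive layout in a temp directory (not the real sample)."""
    root = tempfile.mkdtemp(prefix="phish_")
    stub_pe = b"MZ\x90\x00" + b"\x00" * 60      # enough header for the magic check
    files = {
        "Technical_requirements.pdf": b"%PDF-1.7\n%constructed document\n",  # genuine PDF
        "Requirements_for_review.pdf.exe": stub_pe,   # hypothetical lookalike EXE
        "Annex_1.pdf": stub_pe,                       # hypothetical EXE with a .pdf name
        "helper.dll": stub_pe,                        # hypothetical DLL; report names none
        "readme.txt": b"please review the attached requirements\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo() -> list:
    """Run triage over the constructed sample and return the sorted reasons."""
    root = build_sample()
    try:
        return sorted(f.reason for f in triage(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

On a real archive the next step is to confirm what the EXE actually is: compare its hash and Authenticode signature against the vendor's release and read the OriginalFilename field of its version resource, which is how the report identifies the utility as BsSndRpt.exe even if it was renamed on disk.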

To proceed, the malware retrieves and loads the next stage, which is stored in encrypted form in public profiles on popular legitimate platforms.

The researchers found the code in GitHub repositories, while links to it were stored in encrypted form in profiles on GitHub, Microsoft Learn Challenge and Quora, as well as on Russian social networks. All of these profiles and pages were created specifically for this campaign.
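Because the stages and the links to them live on GitHub, Microsoft Learn, Quora and social networks, the most visible host-side artifact is a crash reporter talking to platforms it has no reason to contact. The Python below is an added example of that detection, not Kaspersky's logic. The Sysmon-style events, the workstation and user names, the vendor allowlist (assumed to be bugsplat.com) and the list of dead-drop platforms are all assumptions made for the demonstration; the report does not name the Russian social networks, so none are listed.

```python
"""Flag the BugSplat crash reporter reaching public platforms instead of its vendor.
Added example; the events, host names and allowlists are assumptions, not Kaspersky's data."""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: a legitimate BsSndRpt.exe only needs to reach its vendor's domains.
VENDOR_ALLOWLIST = {"bugsplat.com"}
# Platforms the report names as hosting the encrypted stages and the links to them.
DEAD_DROP_PLATFORMS = {"github.com", "githubusercontent.com", "learn.microsoft.com", "quora.com"}
# Path fragments indicating the binary was dropped by a user rather than installed.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")

# Constructed Sysmon-style network-connection events; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T09:12:03Z", "host": "WS-0142",
     "image": r"C:\Program Files\ExampleVendor\App\BsSndRpt.exe",
     "dest_host": "app.bugsplat.com", "dest_port": 443},
    {"ts": "2025-07-14T09:13:41Z", "host": "WS-0142",
     "image": r"C:\Users\ivanov\Downloads\Requirements\BsSndRpt.exe",
     "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"ts": "2025-07-14T09:13:42Z", "host": "WS-0142",
     "image": r"C:\Users\ivanov\Downloads\Requirements\BsSndRpt.exe",
     "dest_host": "www.quora.com", "dest_port": 443},
    {"ts": "2025-07-14T09:15:00Z", "host": "WS-0142",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "github.com", "dest_port": 443},
    {"ts": "2025-07-14T09:16:10Z", "host": "WS-0077",
     "image": r"C:\Program Files\ExampleVendor\App\BsSndRpt.exe",
     "dest_host": "telemetry.example.net", "dest_port": 443},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)   # JSON lines, as an EDR exports them


@dataclass
class Alert:
    ts: str
    host: str
    image: str
    dest_host: str
    severity: str
    reason: str


def in_domain_set(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(event: dict) -> Optional[Alert]:
    """Apply the rule to one event; returns an Alert or None."""
    image = event["image"]
    if PureWindowsPath(image).name.lower() != "bssndrpt.exe":
        return None                                   # rule is scoped to the crash reporter
    dest = event["dest_host"].lower()
    if in_domain_set(dest, VENDOR_ALLOWLIST):
        return None                                   # expected crash-report upload
    reasons = [f"BsSndRpt.exe contacted non-vendor host {dest}"]
    severity = "medium"
    if in_domain_set(dest, DEAD_DROP_PLATFORMS):
        reasons.append("destination is a public platform usable as a dead drop")
        severity = "high"
    if any(frag in image.lower() for frag in USER_WRITABLE):
        reasons.append("reporter runs from a user-writable path (side-loading context)")
        severity = "high"
    return Alert(event["ts"], event["host"], image, dest, severity, "; ".join(reasons))


def detect(log_text: str) -> list:
    """Run classify() over JSON-lines input and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = classify(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.severity.upper(), a.ts, a.host, a.dest_host, "-", a.reason)
```

The rule keys on the image name, so a renamed copy of the utility escapes it; in an EDR that exposes the PE version resource, match on OriginalFilename instead, and tune the vendor allowlist against a few weeks of known-good traffic before enabling the medium-severity branch.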

Once the decrypted code runs on the victim's machine, it launches a Cobalt Strike beacon, giving the attackers control of the compromised system.

“We have not found evidence that attackers hacked into real people’s accounts, and we believe that all accounts were specifically created for cyberattacks. However, it’s worth noting that they could have utilized digital platforms differently. For example, by posting malicious content in the comments of legitimate users’ posts. These examples confirm that attack schemes are becoming more complex, even though the tools remain the same. Therefore, it is crucial for companies to ensure reliable protection by keeping up with current cyber threat data and continuously monitoring the state of both their digital infrastructure and the entire perimeter of the organization,” comments Maxim Starodubov, a cyber threat expert at Kaspersky Lab.
