Experts from Kaspersky Lab have discovered new attacks targeting Russian organizations using Cobalt Strike Beacons. To evade detection and execute the malware, attackers are hosting encrypted code in profiles on legitimate services, including GitHub and social media.
In their report, researchers note that such attacks were first observed in the second half of 2024 — at that time, they affected Russia, China, Japan, Malaysia, and Peru.
By 2025, the activity of malicious actors had declined, and experts continued to note only isolated incidents. However, in July 2025, experts discovered new malicious files targeting only Russian enterprises (primarily large and medium businesses).
The attacks begin with phishing emails that mimic messages from large state-owned companies (particularly in the oil and gas sector), purportedly expressing interest in the products or services of the victim organizations. The attachment contains a malicious archive with files disguised as PDF documents with requirement descriptions for review. In reality, these files include malicious .exe and .dll executable files.

To execute the malware, attackers use the common technique of DLL (Dynamic Link Library) hijacking together with a legitimate utility called Crash reporting Send Utility (original file name BsSndRpt.exe). This utility is part of the BugSplat solution, which is designed for sending crash reports; it was originally created so that developers could receive real-time information about application problems. Because of the files the attackers placed alongside it, the utility loaded the malicious DLL instead of the legitimate one.
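A detection check a defender could run over endpoint image-load telemetry, added here as an example (not code from the report or from Kaspersky): it flags a known side-loading host, identified by its PE OriginalFileName so that a renamed copy is still caught, loading a DLL from its own directory that carries no valid signature. The Sysmon-style records, the paths and the DLL name are constructed placeholders.

```python
import ntpath

# Constructed Sysmon Event ID 7 (image load) records, reduced to the fields this
# check uses. They are illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    # The BugSplat utility loading a validly signed system DLL: benign.
    {"Image": r"C:\Program Files\BugSplat\BsSndRpt.exe",
     "OriginalFileName": "BsSndRpt.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A renamed copy of the same utility (OriginalFileName is taken from the PE
    # version resource and still reads BsSndRpt.exe) loading an unsigned DLL from
    # its own directory: the side-loading pattern. Paths and DLL name are placeholders.
    {"Image": r"C:\Users\u\Downloads\requirements\report.exe",
     "OriginalFileName": "BsSndRpt.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\requirements\HIJACKED_PLACEHOLDER.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # An unrelated unsigned program loading its own unsigned DLL: not a known host.
    {"Image": r"C:\Tools\build\helper.exe", "OriginalFileName": "helper.exe",
     "ImageLoaded": r"C:\Tools\build\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Signed hosts known to be abused for side-loading; BsSndRpt.exe comes from the report.
SIDELOAD_HOSTS = {"bssndrpt.exe"}


def is_suspicious_sideload(ev):
    """True when a known side-loading host loads a DLL that sits in the host's
    own directory and does not carry a valid Authenticode signature."""
    if ev.get("OriginalFileName", "").lower() not in SIDELOAD_HOSTS:
        return False
    loaded = ev["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    same_dir = ntpath.dirname(ev["Image"]).lower() == ntpath.dirname(loaded).lower()
    unsigned = ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"
    return same_dir and unsigned


def scan(events):
    """Return (host image, loaded DLL) pairs matching the side-loading pattern."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_suspicious_sideload(ev)]


if __name__ == "__main__":
    for host, dll in scan(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {host} loaded {dll}")
```

Matching on OriginalFileName rather than the on-disk name matters because the attacker controls the file name but cannot alter the version resource without invalidating the utility's signature.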
To proceed to the next stage, the malware retrieves and loads code that is stored in encrypted form on public profiles of popular legitimate platforms.
Researchers found the code in repositories on GitHub, while encrypted links to it were embedded in profiles on GitHub, Microsoft Learn Challenge and Quora, as well as on Russian social media. All of these profiles and pages were created specifically for this malicious campaign.

Once the malicious code runs on a victim’s device, it launches a Cobalt Strike beacon, which means the system is compromised.
“We have not found evidence that attackers hacked into real people’s accounts, and we believe that all accounts were specifically created for cyberattacks. However, it’s worth noting that they could have utilized digital platforms differently. For example, by posting malicious content in the comments of legitimate users’ posts. These examples confirm that attack schemes are becoming more complex, even though the tools remain the same. Therefore, it is crucial for companies to ensure reliable protection by keeping up with current cyber threat data and continuously monitoring the state of both their digital infrastructure and the entire perimeter of the organization,” comments Maxim Starodubov, a cyber threat expert at Kaspersky Lab.