Experts from Kaspersky Lab have discovered new attacks targeting Russian organizations using Cobalt Strike Beacons. To evade detection and execute the malware, attackers are hosting encrypted code in profiles on legitimate services, including GitHub and social media.
In their report, researchers note that such attacks were first observed in the second half of 2024 — at that time, they affected Russia, China, Japan, Malaysia, and Peru.
By 2025, the activity of malicious actors had declined, and experts continued to note only isolated incidents. However, in July 2025, experts discovered new malicious files targeting only Russian enterprises (primarily large and medium businesses).
The attacks begin with phishing emails that mimic messages from large state-owned companies (particularly in the oil and gas sector), purportedly expressing interest in the products or services of the victim organizations. The attachment contains a malicious archive with files disguised as PDF documents with requirement descriptions for review. In reality, these files include malicious .exe and .dll executable files.
To execute the malware, attackers use a common method of DLL (Dynamic Link Library) hijacking, along with a legitimate utility called Crash reporting Send Utility (original file name BsSndRpt.exe). This utility is part of the BugSplat solution, which is designed for sending crash reports. Initially, it was created for developers to receive real-time information about application issues. As a result of the attackers’ actions, the utility opened a malicious file instead of the legitimate one.
For the malware to continue functioning, it extracts and loads code stored in an encrypted form on public profiles of popular legitimate platforms.
Researchers discovered code in repositories on GitHub, while links to it were contained in encrypted form within profiles on GitHub, Microsoft Learn Challenge, Quora, as well as in Russian social media. All these profiles and pages were specifically created for this malicious campaign.
After executing the malicious code on the victims’ devices, a Cobalt Strike beacon is launched, meaning the systems were compromised.
“We have not found evidence that attackers hacked into real people’s accounts, and we believe that all accounts were specifically created for cyberattacks. However, it’s worth noting that they could have utilized digital platforms differently. For example, by posting malicious content in the comments of legitimate users’ posts. These examples confirm that attack schemes are becoming more complex, even though the tools remain the same. Therefore, it is crucial for companies to ensure reliable protection by keeping up with current cyber threat data and continuously monitoring the state of both their digital infrastructure and the entire perimeter of the organization,” comments Maxim Starodubov, a cyber threat expert at Kaspersky Lab.
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →