Cobalt Strike Used Against Russian Organizations, Malware Hosted on GitHub and Social Media

📟 News

Date: 01/08/2025

Experts from Kaspersky Lab have discovered new attacks targeting Russian organizations using Cobalt Strike Beacons. To evade detection and execute the malware, attackers are hosting encrypted code in profiles on legitimate services, including GitHub and social media.

In their report, researchers note that such attacks were first observed in the second half of 2024 — at that time, they affected Russia, China, Japan, Malaysia, and Peru.

By 2025, the activity of malicious actors had declined, and experts continued to note only isolated incidents. However, in July 2025, experts discovered new malicious files targeting only Russian enterprises (primarily large and medium businesses).

The attacks begin with phishing emails that mimic messages from large state-owned companies (particularly in the oil and gas sector), purportedly expressing interest in the products or services of the victim organization. The attachment is a malicious archive whose files are disguised as PDF documents with requirements for review. In reality, the archive contains a malicious .exe and .dll.

To execute the malware, the attackers use the well-known DLL (Dynamic Link Library) hijacking technique together with a legitimate utility, Crash reporting Send Utility (original file name BsSndRpt.exe). This utility is part of the BugSplat solution, which is designed for sending crash reports; it was originally created so that developers could receive real-time information about application problems. Because of the attackers’ manipulation, the utility loaded the malicious DLL placed next to it instead of the legitimate library it expected.

To proceed to the next stage, the malware retrieves and loads code that is stored in encrypted form on public profiles of popular legitimate platforms.

Researchers discovered code in repositories on GitHub, while links to it were contained in encrypted form within profiles on GitHub, Microsoft Learn Challenge, Quora, as well as in Russian social media. All these profiles and pages were specifically created for this malicious campaign.

Once this code runs on the victim’s device, a Cobalt Strike beacon is launched, which means the system is compromised.
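The chain described above has two behaviours that a defender can look for on the endpoint: a crash-reporting utility loading a DLL from a user-writable directory rather than its install location, and the same process then reaching GitHub, Microsoft Learn or social-media hosts, which a crash-report sender has no reason to contact. The following detection sketch is an added example written for this article; it is not code from Kaspersky Lab's report or from BugSplat. It runs over constructed Sysmon-style log lines (Sysmon Event ID 7 is ImageLoad and Event ID 3 is NetworkConnect; the key=value layout, paths, process IDs and the DLL name `report.dll` are all constructed for the demo), and it raises a process to high severity only when both stages are seen from the same process.

```python
import re
from collections import defaultdict

# The legitimate utility the article says was abused for DLL hijacking.
WATCHED_IMAGE = "bssndrpt.exe"

# Directories an ordinary user cannot write to; a DLL loaded from anywhere
# else by the watched utility is treated as a possible side-load.
TRUSTED_DIR_PREFIXES = (
    r"c:\windows\system32\ ".strip(), r"c:\windows\syswow64\ ".strip(),
    r"c:\program files\ ".strip(), r"c:\program files (x86)\ ".strip(),
)

# Public platforms the article names as hosts for the encrypted next stage.
DEAD_DROP_HOSTS = ("github.com", "raw.githubusercontent.com",
                   "learn.microsoft.com", "quora.com")

# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_LOGS = [
    # Benign: a properly installed copy uploading a report to the vendor.
    'EventID=7 ProcessId=4100 Image="C:\\Program Files\\Vendor\\BsSndRpt.exe" '
    'ImageLoaded="C:\\Program Files\\Vendor\\report.dll" Signed=true',
    'EventID=3 ProcessId=4100 Image="C:\\Program Files\\Vendor\\BsSndRpt.exe" '
    'DestinationHostname=crash-reports.example Port=443',
    # Suspicious: the utility was unpacked from a mail attachment and loads a
    # DLL sitting next to it, then contacts GitHub.
    'EventID=7 ProcessId=5232 Image="C:\\Users\\ivanov\\Downloads\\TZ\\BsSndRpt.exe" '
    'ImageLoaded="C:\\Users\\ivanov\\Downloads\\TZ\\report.dll" Signed=false',
    'EventID=3 ProcessId=5232 Image="C:\\Users\\ivanov\\Downloads\\TZ\\BsSndRpt.exe" '
    'DestinationHostname=github.com Port=443',
    # Unrelated process talking to GitHub: must not be flagged.
    'EventID=3 ProcessId=7000 Image="C:\\Program Files\\Git\\git.exe" '
    'DestinationHostname=github.com Port=443',
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    event = {}
    for m in FIELD_RE.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def same_directory(a, b):
    return a.lower().rsplit("\\", 1)[0] == b.lower().rsplit("\\", 1)[0]


def classify(event):
    """Return (kind, pid, detail) for a suspicious event, else None."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\" + WATCHED_IMAGE):
        return None
    pid = event.get("ProcessId", "?")
    if event.get("EventID") == "7":
        dll = event.get("ImageLoaded", "")
        unsigned = event.get("Signed", "").lower() != "true"
        # DLL from a writable location, either beside the EXE or unsigned.
        if not is_trusted_path(dll) and (same_directory(image, dll) or unsigned):
            return ("dll_sideload", pid, dll)
    elif event.get("EventID") == "3":
        host = event.get("DestinationHostname", "").lower()
        if any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS):
            return ("dead_drop_fetch", pid, host)
    return None


def scan(lines):
    """Group findings per process; both stages together mean high severity."""
    per_process = defaultdict(list)
    for line in lines:
        hit = classify(parse_line(line))
        if hit:
            kind, pid, detail = hit
            per_process[pid].append((kind, detail))
    report = {}
    for pid, hits in per_process.items():
        kinds = {kind for kind, _ in hits}
        severity = "high" if {"dll_sideload", "dead_drop_fetch"} <= kinds else "medium"
        report[pid] = {"severity": severity, "hits": hits}
    return report


if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_LOGS).items():
        print(pid, finding["severity"], finding["hits"])
```

The directory allow-list is deliberately coarse: the point is not to enumerate every legitimate install path but to notice a crash-report sender running from Downloads or a temp folder and loading a library from the same place. In a real deployment the host list would come from threat-intelligence feeds and the rule would be fed by the EDR's image-load and network events rather than the constructed lines above.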

“We have not found evidence that attackers hacked into real people’s accounts, and we believe that all accounts were specifically created for cyberattacks. However, it’s worth noting that they could have utilized digital platforms differently. For example, by posting malicious content in the comments of legitimate users’ posts. These examples confirm that attack schemes are becoming more complex, even though the tools remain the same. Therefore, it is crucial for companies to ensure reliable protection by keeping up with current cyber threat data and continuously monitoring the state of both their digital infrastructure and the entire perimeter of the organization,” comments Maxim Starodubov, a cyber threat expert at Kaspersky Lab.
