Hackers Deploy Cobalt Strike Beacon Using GitHub and Social Media

A cyberattack campaign aimed at the Russian IT industry and at organizations in several other countries used a layered set of evasion techniques to deploy Cobalt Strike Beacon.

The attackers hid the next-stage download locations inside user profiles on platforms such as GitHub, Microsoft Learn Challenge, Quora, and Russian social networks. Because the staging data sat among ordinary user-generated content on trusted sites, the retrieval traffic looked benign to reputation-based controls.

This let them build a multi-stage execution chain for Cobalt Strike, a widely used post-exploitation framework.

The campaign peaked in November and December 2024, continued until April 2025, and resumed after a two-month pause with only minor changes to the malware.

Kaspersky’s security solutions identified the threats under verdicts such as HEUR:Trojan.Win64.Agent.gen, HEUR:Trojan.Win64.Kryptik.gen, HEUR:Trojan.WinLNK.Starter.gen, MEM:Trojan.Multi.Cobalt.gen, and HEUR:Trojan.Win32.CobaltStrike.gen.

Targets Russian IT Sector

The initial infection vector was spear-phishing email posing as correspondence from major state-owned oil and gas companies, feigning interest in the recipient's products to get them to open the attachment.

Sample spear phishing email

Each email carried a RAR archive containing a malicious LNK file named “Требования.lnk” (“Requirements.lnk”), decoy PDFs such as “Company Profile.pdf” and “List of requirements.pdf”, and a hidden directory holding executables disguised as PDFs.

When opened, the LNK file copied the hidden executables to %public%\Downloads, renaming them “nau.exe” (a legitimate BugSplat crash-reporting utility, originally BsSndRpt.exe) and “BugSplatRc64.dll” (the malicious DLL, named after a library the utility loads), and then launched “nau.exe”.

Process flow diagram for nau.exe

This is DLL search-order hijacking (MITRE T1574.001): Windows looks for a DLL in the application's own directory before the system directories, so the renamed utility loads the attacker's BugSplatRc64.dll in place of the legitimate one.

Payload Delivery

The malicious DLL resolved Windows APIs at run time (dynamic API resolution, MITRE T1027.007) using a custom CRC-like hash of each function name. The hashes were stored XOR-encrypted and the resolved addresses were wiped after each call, so neither import names nor API pointers are visible to static analysis or in a memory dump.
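The analyst-side counterpart of this trick is to rebuild the hash table so the obfuscated references can be labelled again. The following is an added example, not code from the sample or from Kaspersky: the real DLL uses an undisclosed CRC-like algorithm, so plain CRC32 with a 32-bit XOR mask stands in for it here, and the mask, export list and dumped table bytes are all constructed. In a real case the export names come from the targeted DLLs' export tables and the algorithm and mask are recovered from the sample.

```python
"""Labelling hashed API references, as an aid to analysing loaders like the one above.

Added example, not code from the sample or from Kaspersky. Stand-in scheme:
CRC32 of the export name, XOR-masked by a 32-bit key. XOR_MASK, EXPORTS and
SAMPLE_HASH_TABLE are constructed for illustration.
"""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

XOR_MASK = 0xDEADBEEF  # assumed mask; in practice recovered from the sample

# Constructed export list standing in for kernel32/user32/wininet export tables.
EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "MessageBoxW", "InternetOpenA", "InternetOpenUrlA",
    "InternetReadFile", "WinHttpOpen", "Sleep", "ExitProcess",
]


def api_hash(name: str) -> int:
    """Hash an export name as the stand-in loader would: CRC32 over the ASCII bytes."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def masked_hash(name: str, mask: int = XOR_MASK) -> int:
    """The value that sits in the binary: hash XOR mask, so the raw hash never appears in clear."""
    return api_hash(name) ^ mask


def build_lookup(names: List[str] = EXPORTS, mask: int = XOR_MASK) -> Dict[int, str]:
    """Invert the scheme: masked hash -> export name, refusing silent collisions."""
    table: Dict[int, str] = {}
    for name in names:
        h = masked_hash(name, mask)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision between {name!r} and {table[h]!r}")
        table[h] = name
    return table


def resolve(masked: int, table: Optional[Dict[int, str]] = None) -> Optional[str]:
    """Recover the API name behind one masked hash, or None if it is not in the table."""
    return (build_lookup() if table is None else table).get(masked)


def annotate_dwords(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Walk a dumped data section as little-endian DWORDs and label those that resolve.

    This is the step that turns an opaque hash table in the binary into readable
    import names for the analyst.
    """
    hits: List[Tuple[int, str]] = []
    for off in range(0, len(blob) - 3, 4):
        (value,) = struct.unpack_from("<I", blob, off)
        name = table.get(value)
        if name is not None:
            hits.append((off, name))
    return hits


# Constructed stand-in for the loader's hash table as dumped from the DLL:
# three masked hashes and one unrelated DWORD.
SAMPLE_HASH_TABLE = struct.pack(
    "<IIII",
    masked_hash("LoadLibraryA"),
    masked_hash("GetProcAddress"),
    0x11111111,
    masked_hash("MessageBoxW"),
)

if __name__ == "__main__":
    for offset, name in annotate_dwords(SAMPLE_HASH_TABLE, build_lookup()):
        print(f"+0x{offset:02x}: {name}")
```

Swapping `api_hash` for the algorithm recovered from the real sample, and `EXPORTS` for the export tables of the DLLs it loads, turns this into a script that labels every hashed import in the dumped binary.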

It hooked API functions such as MessageBoxW inside the legitimate process and redirected those calls to its own routine, which started a two-stage shellcode-loading sequence.

That routine fetched HTML from XOR-encrypted URLs, for example profile pages on techcommunity.microsoft.com or quora.com, extracted base64-encoded, XOR-encrypted strings from the page, and decoded them to obtain the download links for the next stage, hosted in GitHub repositories. The profiles thus act as dead-drop resolvers (MITRE T1102.001): the malware never needs to embed its real payload location.
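To see the staging step end to end, here is an added example (not code from the sample or from Kaspersky) that reproduces the decode side: it scans a profile page for base64 runs, decodes each one, XOR-decrypts it and keeps whatever comes out as an http(s) URL. The single-byte key, the page layout and the next-stage URL are constructed; the real sample's key and encoding details are not given in the article.

```python
"""Decoder for the profile-page dead-drop step described above.

Added example, not code from the sample or from Kaspersky. The constructed
profile HTML hides a base64 blob that, once decoded and XOR-decrypted with
a single-byte key, yields the next-stage URL. XOR_KEY, NEXT_STAGE and the
page layout are assumptions for illustration.
"""
import base64
import re
from typing import List

XOR_KEY = 0x5A  # assumed single-byte key for the constructed sample

# Profile pages are full of noise; collect every plausible base64 run and let
# decoding decide which one is the payload.
_B64_RE = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_dead_drop(url: str, key: int = XOR_KEY) -> str:
    """Produce the blob an operator would paste into a profile field."""
    return base64.b64encode(xor_bytes(url.encode("ascii"), key)).decode("ascii")


def extract_candidates(html: bytes) -> List[bytes]:
    """Every base64-looking run on the page (bios, avatars, tracking params ...)."""
    return _B64_RE.findall(html)


def decode_dead_drop(html: bytes, key: int = XOR_KEY) -> List[str]:
    """Return every candidate that decodes and decrypts to an http(s) URL."""
    found: List[str] = []
    for blob in extract_candidates(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or length
            continue
        plain = xor_bytes(raw, key)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:  # inline images and the like decrypt to junk
            continue
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


# Constructed sample: a next-stage link hidden in an 'about' field, next to an
# unrelated inline image that must not produce a false positive.
NEXT_STAGE = "https://raw.githubusercontent.com/example-user/repos/main/stage2.dat"
SAMPLE_PROFILE = (
    b"<html><body><div class='bio'>Cloud enthusiast. Ask me anything.</div>"
    b"<div class='about'>" + encode_dead_drop(NEXT_STAGE).encode("ascii") + b"</div>"
    b"<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAA'/>"
    b"</body></html>"
)

if __name__ == "__main__":
    for url in decode_dead_drop(SAMPLE_PROFILE):
        print("next stage:", url)
```

For hunting, the same decoder can be pointed at saved copies of the profile URLs in the IOC list, trying the key recovered from the sample; a hit on a page means the account is still live as a resolver.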

The downloaded shellcode was a reflective loader (MITRE T1620) that mapped Cobalt Strike Beacon directly into memory; the Beacon then called back to command-and-control servers such as moeodincovo[.]com/divide/mail/SUVVJRQO8QRC.

The campaign shares traits with the EastWind APT operation, including XOR-encrypted URLs stored in profiles on public platforms and overlapping victims among Russian IT firms.

While primarily affecting large and medium-sized Russian businesses, infections extended to China, Japan, Malaysia, and Peru.

The attackers registered dedicated accounts for this purpose (MITRE T1585.001), although the same data could just as well be hidden in comments on legitimate posts, which would be harder still to single out.

This campaign shows how hijacking a legitimate, well-known binary and staging through trusted public platforms together defeat defenses that trust the reputation of the process or of the destination.

Defenders should monitor their infrastructure, filter email-borne threats, train staff to recognise spear-phishing, and use endpoint detection to stop the chain at its early stages. Concrete detection points are an unsigned “BugSplatRc64.dll” being loaded, and a BugSplat utility running under a different file name such as “nau.exe”.
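Those indicators translate directly into hunting logic. The following is an added example, not part of the Kaspersky report: it runs the article's indicators (a BugSplat utility whose OriginalFileName is BsSndRpt.exe running under another name, an unsigned BugSplatRc64.dll load, the published MD5s, and binaries written to %public%\Downloads) over Sysmon-style events. The field names follow Sysmon's process-create, image-load and file-create events; the events themselves, including the benign install path, are constructed.

```python
"""Hunting the BugSplat DLL-hijack chain described above in Sysmon-style telemetry.

Added example, not from the Kaspersky report. %public%\\Downloads resolves to
C:\\Users\\Public\\Downloads on a default install. SAMPLE_EVENTS are constructed;
'C:\\Program Files\\Vendor' is a made-up install directory for the benign case.
"""
import ntpath
from typing import Dict, List, Tuple

# MD5s from the article's IOC list (LNK files and malicious DLLs).
IOC_MD5 = {
    "30d11958bfd72fb63751e8f8113a9b04", "92481228c18c336233d242da5f73e2d5",
    "2ff63cacf26adc536cd177017ea7a369", "08fb7bd0bb1785b67166590ad7f99fd2",
    "02876af791d3593f2729b1fe4f058200", "f9e20eb3113901d780d2a973ff539ace",
    "b2e24e061d0b5be96ba76233938322e7", "15e590e8e6e9e92a18462ef5dfb94298",
    "66b6e4d3b6d1c30741f2167f908ab60d", "add6b9a83453db9e8d4e82f5ee46d16c",
    "a02c80ad2bf4bffbed9a77e9b02410ff", "672222d636f5dc51f5d52a6bd800f660",
    "2662d1ae8cf86b0d64e73280df8c19b3", "4948e80172a4245256f8627527d7fa96",
}
PUBLIC_DOWNLOADS = r"c:\users\public\downloads"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_public_downloads(path: str) -> bool:
    return ntpath.dirname(path).lower() == PUBLIC_DOWNLOADS


def _md5(hashes_field: str) -> str:
    """Pull the MD5 out of Sysmon's 'MD5=...,SHA256=...' Hashes field."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return ""


def check_event(ev: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for one Sysmon event; an empty list means nothing fired."""
    hits: List[Tuple[str, str]] = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = str(ev.get("Image", ""))
        if str(ev.get("OriginalFileName", "")).lower() == "bssndrpt.exe" and _base(image) != "bssndrpt.exe":
            hits.append(("renamed_bugsplat_utility", image))
        if _base(image).endswith(".exe") and _in_public_downloads(image):
            hits.append(("exe_launched_from_public_downloads", image))
        if _md5(str(ev.get("Hashes", ""))) in IOC_MD5:
            hits.append(("ioc_md5_match", image))
    elif eid == 7:  # image (DLL) load
        loaded = str(ev.get("ImageLoaded", ""))
        if _base(loaded) == "bugsplatrc64.dll" and str(ev.get("Signed", "false")).lower() != "true":
            hits.append(("unsigned_bugsplatrc64_loaded", loaded))
        if _md5(str(ev.get("Hashes", ""))) in IOC_MD5:
            hits.append(("ioc_md5_match", loaded))
    elif eid == 11:  # file create
        target = str(ev.get("TargetFilename", ""))
        if _in_public_downloads(target) and _base(target).endswith((".exe", ".dll")):
            hits.append(("binary_dropped_in_public_downloads", target))
    return hits


def hunt(events) -> List[Tuple[object, str, str]]:
    return [(ev.get("EventID"), rule, detail) for ev in events for rule, detail in check_event(ev)]


# Constructed events: the first four mirror the chain in the article; the last two
# are the genuine utility loading a signed DLL from its (made-up) install directory.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\Downloads\nau.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\Downloads\BugSplatRc64.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\Downloads\nau.exe", "OriginalFileName": "BsSndRpt.exe",
     "Hashes": "MD5=633F88B60C96F579AF1A71F2D59B4566"},
    {"EventID": 7, "Image": r"C:\Users\Public\Downloads\nau.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\BugSplatRc64.dll", "Signed": "false",
     "Hashes": "MD5=2FF63CACF26ADC536CD177017EA7A369"},
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\BsSndRpt.exe", "OriginalFileName": "BsSndRpt.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\BsSndRpt.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\BugSplatRc64.dll", "Signed": "true",
     "Hashes": "MD5=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for eid, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"EID {eid}: {rule}: {detail}")
```

The renamed-utility rule is the durable one: the hashes and file names will change between variants, but a process whose PE OriginalFileName is BsSndRpt.exe while its on-disk name is something else is exactly what this chain produces, and the legitimate utility running from its own install path does not trip it.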

Indicators of Compromise (IOCs)

LNK (MD5)
30D11958BFD72FB63751E8F8113A9B04
92481228C18C336233D242DA5F73E2D5

Legitimate BugSplat.exe (MD5)
633F88B60C96F579AF1A71F2D59B4566

DLL (MD5)
2FF63CACF26ADC536CD177017EA7A369
08FB7BD0BB1785B67166590AD7F99FD2
02876AF791D3593F2729B1FE4F058200
F9E20EB3113901D780D2A973FF539ACE
B2E24E061D0B5BE96BA76233938322E7
15E590E8E6E9E92A18462EF5DFB94298
66B6E4D3B6D1C30741F2167F908AB60D
ADD6B9A83453DB9E8D4E82F5EE46D16C
A02C80AD2BF4BFFBED9A77E9B02410FF
672222D636F5DC51F5D52A6BD800F660
2662D1AE8CF86B0D64E73280DF8C19B3
4948E80172A4245256F8627527D7FA96

URLs
hxxps://techcommunity[.]microsoft[.]com/users/kyongread/2573674
hxxps://techcommunity[.]microsoft[.]com/users/mariefast14/2631452
hxxps://raw[.]githubusercontent[.]com/fox7711/repos/main/1202[.]dat
hxxps://my[.]mail[.]ru/mail/nadezhd_1/photo/123
hxxps://learn[.]microsoft[.]com/en-us/collections/ypkmtp5wxwojz2
hxxp://10[.]2[.]115[.]160/aa/shellcode_url[.]html
hxxps://techcommunity[.]microsoft[.]com/t5/user/viewprofilepage/user-id/2548260
hxxps://techcommunity[.]microsoft[.]com/t5/user/viewprofilepage/user-id/2631452
hxxps://github[.]com/Mashcheeva
hxxps://my[.]mail[.]ru/mail/veselina9/photo/mARRy
hxxps://github[.]com/Kimoeli
hxxps://www[.]quora[.]com/profile/Marieformach
hxxps://moeodincovo[.]com/divide/mail/SUVVJRQO8QRC
