Kaspersky Uncovers Stealthy Cyberespionage: Cobalt Strike Beacon Delivered Via Social Media Profiles
Kaspersky Lab has reported a renewed wave of cyberattacks leveraging Cobalt Strike Beacon—a legitimate remote administration tool frequently repurposed for system compromise and data exfiltration. The malware is disseminated through encrypted code embedded within user profiles on prominent digital platforms such as GitHub, Microsoft Learn Challenge, Quora, and various Russian social networks.
These attacks were first observed in the latter half of 2024, targeting organizations across Russia, China, Japan, Malaysia, and Peru. Although activity waned in 2025, researchers have recorded a resurgence, with fresh incidents in July focused exclusively on Russian enterprises, particularly those in the mid-sized and large business sectors.
The infection chain begins with phishing emails purportedly sent from major state-owned companies, often within the oil and gas industry. These messages invite recipients to review technical specifications in an attached malicious archive, which contains executable (EXE) and dynamic-link library (DLL) files disguised as PDF documents.
The malware leverages DLL hijacking techniques in conjunction with a legitimate utility designed to collect application crash reports—though instead of transmitting diagnostics, it fetches and executes a malicious payload.
To proceed with its operations, the malware retrieves encrypted code hosted on external platforms. Analysts have uncovered such payloads hidden in public repositories and user profiles on GitHub, as well as within content on other platforms. The associated accounts appear to have been created specifically for the campaign. Alternative methods may include embedding malicious code in comments beneath genuine user posts.
Once executed, the malware activates the Cobalt Strike Beacon on the victim’s device, resulting in full system compromise. Security experts note that these attacks continue to grow in sophistication, even while relying on known tools. They urge organizations to stay abreast of emerging cyber threats and to conduct regular assessments of their digital infrastructure’s security posture.
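As an added example, and not code from Kaspersky or from the report, the following Python script shows two defender-side checks that correspond to the chain described above: it inspects an email attachment archive for executables disguised as PDFs and for an EXE+DLL pair shipped together (the shape a DLL-sideloading bundle takes), and it scans process/network telemetry for a crash-reporting process that reaches out to the public content platforms named in the report instead of to a vendor endpoint. The archive contents, telemetry lines, the process name `crashreporter.exe` and the vendor host are constructed for illustration; the report does not name the abused utility, and `vk.com` is an assumed stand-in for "Russian social networks".

```python
"""Added example (not Kaspersky's code): defender checks for a sideloading
archive and for a crash reporter talking to content platforms."""
import io
import re
import zipfile
from collections import Counter
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Platforms the report names as payload hosts; vk.com is an assumed example
# standing in for the unnamed Russian social networks.
CONTENT_HOSTS = ("github.com", "raw.githubusercontent.com", "quora.com",
                 "learn.microsoft.com", "vk.com")
# Hypothetical name of the abused crash-report collector (placeholder).
CRASH_REPORTER_NAMES = ("crashreporter.exe",)


def archive_findings(zip_bytes: bytes) -> list[str]:
    """Flag disguised executables, PE content under a document name,
    and an EXE+DLL pair in one archive."""
    findings = []
    ext_counter = Counter()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            final = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                head = fh.read(2)          # PE files start with "MZ"
            if final in EXECUTABLE_EXTS:
                ext_counter[final] += 1
                # "Spec.pdf.exe": a document extension placed before the real one
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                    findings.append(f"disguised executable: {info.filename}")
            elif head == b"MZ":
                findings.append(f"PE header under non-executable name: {info.filename}")
    if ext_counter[".exe"] and ext_counter[".dll"]:
        findings.append("EXE+DLL pair: possible DLL sideloading bundle")
    return findings


def build_sample_archive() -> bytes:
    """Constructed attachment resembling the bait described in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Technical_Specification.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("helper.dll", b"MZ" + b"\x00" * 62)   # look-alike sideload DLL
        zf.writestr("readme.pdf", b"%PDF-1.4\n")            # genuine document
    return buf.getvalue()


# Constructed telemetry: one line per outbound connection.
TELEMETRY = """\
2025-07-14T09:12:03Z host=WS-017 proc=crashreporter.exe parent=explorer.exe dst=telemetry.vendor.example:443
2025-07-14T09:13:41Z host=WS-017 proc=crashreporter.exe parent=Technical_Specification.pdf.exe dst=raw.githubusercontent.com:443
2025-07-14T09:14:05Z host=WS-022 proc=chrome.exe parent=explorer.exe dst=github.com:443
2025-07-14T09:15:30Z host=WS-017 proc=crashreporter.exe parent=Technical_Specification.pdf.exe dst=www.quora.com:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def host_matches(dst: str, hosts: tuple) -> bool:
    """True when dst is one of hosts or a subdomain of one."""
    return any(dst == h or dst.endswith("." + h) for h in hosts)


def suspicious_connections(telemetry: str) -> list[dict]:
    """Return crash-reporter connections to content platforms; a browser
    fetching from GitHub or the reporter calling its vendor is not flagged."""
    hits = []
    for line in telemetry.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        dst = rec["dst"].lower()
        if rec["proc"].lower() in CRASH_REPORTER_NAMES and host_matches(dst, CONTENT_HOSTS):
            hits.append({"host": rec["host"], "parent": rec["parent"], "dst": dst})
    return hits


if __name__ == "__main__":
    for f in archive_findings(build_sample_archive()):
        print("archive:", f)
    for h in suspicious_connections(TELEMETRY):
        print("telemetry:", h)
```

The archive check fires on names and on content, so renaming the executable to a plain `.pdf` still trips the `MZ` test; the telemetry check keys on the combination of process identity and destination, since the crash reporter contacting its own vendor is normal and a browser visiting GitHub is too.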