Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia
Dec. 21, 2025, 6:43 p.m.
Description
Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to remote HTA execution and deployment of an obfuscated PowerShell loader that decrypts and runs Cobalt Strike shellcode in memory. The campaign targets finance and legal departments of B2B enterprises in logistics, industrial production, construction, and technical supply. It employs phishing emails with Russian-language lures related to contracts, payments, and legal matters. The infrastructure uses multiple Russian-controlled domains as command-and-control servers.
Tags
Date
- Created: Dec. 8, 2025, 5:25 p.m.
- Published: Dec. 8, 2025, 5:25 p.m.
- Modified: Dec. 21, 2025, 6:43 p.m.
Indicators
- 900b32dac8335652db7243588dd01860d55a26b9b53376878bd7f73dd7abc564
- 11577baef666fcf72f56fe5b47026ed6ece7b4ef63cbe593d888d01ac015fdbe
- 5e68b88253e4f8bb83fc86b610390d28057d4656ec37e1ce3de5100129998df3
- 4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
- 634b4bada49b67cada17ff361d45a6927ee69d3cc89fd197fa9a498b061a04bf
- 57cd0102f13d317e70f7e91462d01b409146b42f4c8f929d14325ac5f91ff33e
- d329c1bbe548a412d3cfe3ee5605397d2c7366073df87d5829d3d448073d132b
- 9612ad321eeedc9dd8c9aee9ec7286dc7bdb8614952c92eb33de9eecbf136c0a
- 90b613cebceb8fd9a735f0daa496a01e457d8215d511bc7864c75e646a2e27c7
- 799b31f43fac21f429bf11d94567834be8c24a8c2fb87a41306ba64fa123cc9c
- baa78cc8004de549b8ebe78ace9b5387a9870007694cf348ee6f2e8e81741d61
- 4b39bce82f682c587ce0400c36e3502c10f1dc84e3a99875777b512cb48fec2a
- 5ea495e5e401080510ee1b4a506a56c7a5cc24161277961949698c6738a5b3d0
- http://bti25.ru/china.hta
- http://order.edrennikov.ru/jquery-3.3.1.min.js
- https://iplogger.cn/forensicsas.png
- http://zetag.ru/siro.doc
- https://incident.zilab.ru:8443/jquery-3.3.1.slim.min.js
- http://canature.su/ya.hta
- https://ezstat.ru/flowersforlove.gif
- http://zetag.ru/z.hta
- https://bsprofi.ru/min.hta
- https://ipgrabber.ru/penis.gif
- https://iplis.ru/tramp.jpg
- http://ecols.ru/ecols.hta
- http://gemme-cotti.ru/cotti.docx
- https://iplis.ru/laydowngrenade.jpeg
- https://moscable77.ru:8443/jquery-3.3.1.slim.min.js
- http://valisi.ru/first.rtf
- http://vlasta-s.ru/logista.rtf
- http://dosingpumps.ru/nciki.hta
- http://gemme-cotti.ru/mida.hta
- https://yip.su/certgovrufuck.gif
- https://ezstat.ru/txttx.txt
- http://ecols.ru/gogo.rtf
- https://ekostroy33.ru/jquery-3.3.2.min.js
- http://poopy.aarkhipov.ru:8080/jquery-3.3.1.slim.min.js
- https://iplis.ru/lovers.jpeg
- http://emec.su/bg.rtf
- http://clack.su/fox.docx
- http://gemme-cotti.ru/zibaba.hta
- https://yip.su/ncikigovru.gif
- https://bsprofi.ru/profit.hta
- http://bti25.ru/openai.rtf
- https://yip.su/txttxt.jpg
- https://iplis.ru/camorra.gif
- http://update.ecols.ru/jquery-3.3.1.slim.min.xn--js-02t
- http://xn--e1ajbcejcefx.xn--p1ai/sflopytrgjklhfaseri
- http://zetag.ru/tramp.rtf
- http://ship-care.com/care.rtf
- http://aquacomplect.ru/complex.hta
- https://update.ecols.ru:8443/jquery-3.3.1.slim.min.js
- https://cba.abc92.ru:8443/jquery-3.3.1.slim.min.js
- https://valisi.ru/dosing.hta
- https://mcnn.ru:8443/jquery-3.3.1.slim.min.js
- https://ezstat.ru/kissmyass.gif
- http://krona77.ru/edr.hta
- http://vlasta-s.ru/logista.hta
- https://iplis.ru/penises.jpg
- http://aquacomplect.ru/aqua.docx
Additional Informations
- Finance
- Manufacturing
- Transport
- Construction
- update.ecols.ru
- gk-stst.ru
- effectovent.ru
- gemme-cotti.ru
- order.edrennikov.ru
- cba.abc92.ru
- impex-him.ru
- art.cse.ru
- ipgrabber.ru
- krona77.ru
- ekostroy33.ru
- toolhaus.ru
- xn--e1ajbcejcefx.xn--p1ai
- canature.su
- esetnod64.ru
- kzst45.ru
- incident.zilab.ru
- ship-care.com
- poopy.aarkhipov.ru
- bti25.ru
- Russian Federation