216.73.217.22

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

· Published 08/12/2025 17:25 · Modified 21/12/2025 18:43

Export JSON

Essential information

Published
08/12/2025 17:25
Modified
21/12/2025 18:43
Tags
2025-12-08 CVE-2017-0199 CVE-2017-11882 cobalt strike hta lnk files phishing powershell russia
Related entities
2 vulnerabilities (cve), 60 observables, 12 techniques (mitre), 1 malware, 25 others

Description

Operation FrostBeacon is a targeted malware campaign delivering beacons to companies in . It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting and vulnerabilities. Both clusters lead to remote execution and deployment of an obfuscated loader that decrypts and runs shellcode in memory. The campaign targets finance and legal departments of B2B enterprises in logistics, industrial production, construction, and technical supply. It employs emails with Russian-language lures related to contracts, payments, and legal matters. The infrastructure uses multiple Russian-controlled domains as command-and-control servers.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (2)

CVE-2017-0199 KEV
7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector
LOCAL
Complexity
LOW
Published
12/04/2017
Modified
22/04/2026
CVE-2017-11882 KEV
7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector
Local
Complexity
Low
Published
15/11/2017
Modified
29/05/2026

Observables (60)

  • http://bti25.ru/china.hta
  • http://order.edrennikov.ru/jquery-3.3.1.min.js
  • https://iplogger.cn/forensicsas.png
  • http://zetag.ru/siro.doc
  • https://incident.zilab.ru:8443/jquery-3.3.1.slim.min.js
  • http://canature.su/ya.hta
  • https://ezstat.ru/flowersforlove.gif
  • http://zetag.ru/z.hta
  • https://bsprofi.ru/min.hta
  • https://ipgrabber.ru/penis.gif
  • https://iplis.ru/tramp.jpg
  • http://ecols.ru/ecols.hta
  • http://gemme-cotti.ru/cotti.docx
  • https://iplis.ru/laydowngrenade.jpeg
  • https://moscable77.ru:8443/jquery-3.3.1.slim.min.js
  • http://valisi.ru/first.rtf
  • http://vlasta-s.ru/logista.rtf
  • http://dosingpumps.ru/nciki.hta
  • http://gemme-cotti.ru/mida.hta
  • https://yip.su/certgovrufuck.gif
  • https://ezstat.ru/txttx.txt
  • http://ecols.ru/gogo.rtf
  • https://ekostroy33.ru/jquery-3.3.2.min.js
  • http://poopy.aarkhipov.ru:8080/jquery-3.3.1.slim.min.js
  • https://iplis.ru/lovers.jpeg
  • http://emec.su/bg.rtf
  • http://clack.su/fox.docx
  • http://gemme-cotti.ru/zibaba.hta
  • https://yip.su/ncikigovru.gif
  • https://bsprofi.ru/profit.hta
  • http://bti25.ru/openai.rtf
  • https://yip.su/txttxt.jpg
  • https://iplis.ru/camorra.gif
  • http://update.ecols.ru/jquery-3.3.1.slim.min.xn--js-02t
  • http://xn--e1ajbcejcefx.xn--p1ai/sflopytrgjklhfaseri
  • http://zetag.ru/tramp.rtf
  • http://ship-care.com/care.rtf
  • http://aquacomplect.ru/complex.hta
  • https://update.ecols.ru:8443/jquery-3.3.1.slim.min.js
  • https://cba.abc92.ru:8443/jquery-3.3.1.slim.min.js
  • https://valisi.ru/dosing.hta
  • https://mcnn.ru:8443/jquery-3.3.1.slim.min.js
  • https://ezstat.ru/kissmyass.gif
  • http://krona77.ru/edr.hta
  • http://vlasta-s.ru/logista.hta
  • https://iplis.ru/penises.jpg
  • http://aquacomplect.ru/aqua.docx
  • 900b32dac8335652db7243588dd01860d55a26b9b53376878bd7f73dd7abc564
  • 11577baef666fcf72f56fe5b47026ed6ece7b4ef63cbe593d888d01ac015fdbe
  • 5e68b88253e4f8bb83fc86b610390d28057d4656ec37e1ce3de5100129998df3
  • 4640c58e3c658d8178f4e9d9570566040ad162e25b61a46b0be989aeb69db679
  • 634b4bada49b67cada17ff361d45a6927ee69d3cc89fd197fa9a498b061a04bf
  • 57cd0102f13d317e70f7e91462d01b409146b42f4c8f929d14325ac5f91ff33e
  • d329c1bbe548a412d3cfe3ee5605397d2c7366073df87d5829d3d448073d132b
  • 9612ad321eeedc9dd8c9aee9ec7286dc7bdb8614952c92eb33de9eecbf136c0a
  • 90b613cebceb8fd9a735f0daa496a01e457d8215d511bc7864c75e646a2e27c7
  • 799b31f43fac21f429bf11d94567834be8c24a8c2fb87a41306ba64fa123cc9c
  • baa78cc8004de549b8ebe78ace9b5387a9870007694cf348ee6f2e8e81741d61
  • 4b39bce82f682c587ce0400c36e3502c10f1dc84e3a99875777b512cb48fec2a
  • 5ea495e5e401080510ee1b4a506a56c7a5cc24161277961949698c6738a5b3d0

Techniques (MITRE) (12)

Malware (1)

  • Cobalt Strike - S0154
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40

Others (25)

  • Russian Federation
  • Finance
  • Manufacturing
  • Transport
  • Construction
  • update.ecols.ru
  • gk-stst.ru
  • effectovent.ru
  • gemme-cotti.ru
  • order.edrennikov.ru
  • cba.abc92.ru
  • impex-him.ru
  • art.cse.ru
  • ipgrabber.ru
  • krona77.ru
  • ekostroy33.ru
  • toolhaus.ru
  • xn--e1ajbcejcefx.xn--p1ai
  • canature.su
  • esetnod64.ru
  • kzst45.ru
  • incident.zilab.ru
  • ship-care.com
  • poopy.aarkhipov.ru
  • bti25.ru

External references