Malicious profiles on popular online platforms | Image: Kaspersky Labs
Kaspersky Labs has revealed a highly obfuscated cyberespionage campaign targeting Russian IT companies and global businesses, employing a multi-stage delivery chain culminating in the deployment of the Cobalt Strike Beacon. What sets this campaign apart is its use of social media profiles, dynamic content masking, and stealthy DLL hijacking.
The attacks began in the second half of 2024 and escalated through April 2025. They started with spear-phishing emails impersonating major state-owned oil and gas firms, complete with decoy documents and RAR archives named to appear professional and credible.
“The attackers feigned interest in the victims’ products and services to create a convincing illusion of legitimacy,” Kaspersky noted.
The malicious archives contained .lnk shortcut files and hidden executables disguised as PDFs, which ultimately launched nau.exe together with a malicious DLL, BugSplatRc64.dll, via DLL hijacking (T1574.001).
At the heart of the chain was the legitimate utility BsSndRpt.exe (the BugSplat crash reporter), renamed as nau.exe and repurposed to load the attacker's malicious DLL from its working directory. Once loaded, the DLL used Dynamic API Resolution (T1027.007) with custom hashing of function names, so that the APIs it calls are not visible to static analysis and are only resolved at run time.
“This technique involves obscuring API functions within the code, resolving them dynamically only during execution,” the report explains.
One of the intercepted functions, MessageBoxW, was redirected to a malicious version named NewMessageBox, which triggered the staged shellcode loader.
Kaspersky’s analysis exposed a notable tactic: the use of legitimate platforms such as GitHub, Quora, and Microsoft Learn Challenge to store encrypted payload data in public profiles and posts—an abuse the report maps to MITRE ATT&CK T1585.001 (Compromise Accounts).
“We’ve found malicious information hidden inside profiles on GitHub, Microsoft Learn Challenge, Q&A websites, and even Russian social media platforms,” the researchers stated.
The first stage involved downloading base64-encoded, XOR-encrypted shellcode from profiles like:
- https://www.quora[.]com/profile/Marieformach
- https://techcommunity.microsoft[.]com/t5/user/viewprofilepage/user-id/2631
This data ultimately led to the second-stage payload hosted on:
- https://raw.githubusercontent[.]com/Mariew14/kong/master/spec/fixtures/verify-prs
Once decrypted, the shellcode acted as a reflective loader, injecting Cobalt Strike Beacon into memory—without writing any files to disk.
“An analysis of the shellcode… reveals a reflective loader that injects Cobalt Strike Beacon into the process memory and then hands over control to it (T1620),” the report concluded.
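The profile-hosted stage described above is base64-encoded, XOR-encrypted data that yields a URL. As an added analyst-side example (not Kaspersky's code and not the campaign's real data), the Python below recovers a repeating XOR key from such a blob using the expected `https://` prefix of the stage-two URL as known plaintext; the sample blob, key and URL are constructed for this example.

```python
import base64
import string

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")
KNOWN_PREFIX = b"https://"  # the decrypted stage-two reference is expected to be a URL


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(plaintext: bytes, key: bytes) -> str:
    """Build a constructed profile blob for this example (NOT real attacker data)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


def recover_url(blob: str, prefix: bytes = KNOWN_PREFIX, max_key_len: int = 8):
    """Known-plaintext recovery of a repeating XOR key from a base64 blob.

    Returns (key, plaintext) for the shortest key period that is consistent
    with the expected prefix and yields fully printable output, else None.
    """
    ciphertext = base64.b64decode(blob)
    if len(ciphertext) < len(prefix):
        return None
    # Keystream bytes implied by the known prefix: k_i = c_i XOR p_i
    derived = bytes(c ^ p for c, p in zip(ciphertext, prefix))
    for key_len in range(1, min(max_key_len, len(prefix)) + 1):
        key = derived[:key_len]
        # The derived keystream must repeat with this period to be a candidate
        if any(derived[i] != key[i % key_len] for i in range(len(prefix))):
            continue
        plaintext = xor_bytes(ciphertext, key)
        if all(b in PRINTABLE for b in plaintext):
            return key, plaintext
    return None


# Constructed sample: a profile "bio" carrying a staged URL, in the style the
# report describes. The key and URL are invented for this example.
SAMPLE_KEY = b"K3y!"
SAMPLE_BLOB = build_sample(b"https://example.invalid/stage2/verify-prs", SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_url(SAMPLE_BLOB))
```

The same routine can be pointed at any text field scraped from a suspicious profile; a `None` result means the blob is either too short, uses a longer key period than tried, or does not decrypt to a printable URL.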
The activated Beacon communicated with its command-and-control server:
- moeodincovo[.]com/divide/mail/SUVVJRQO8QRC
While the majority of victims were in Russia’s IT and energy sectors, Kaspersky also observed infections in China, Japan, Malaysia, and Peru—primarily medium to large enterprises.
The adversary’s behavior, especially its use of XOR-encrypted C2 URLs stored in social media profiles, strongly resembles tactics seen in the EastWind APT campaign.