A new and sophisticated malware campaign dubbed “Operation FrostBeacon” is systematically targeting business-to-business (B2B) enterprises across the Russian Federation. A report from Seqrite Labs reveals that a financially motivated cybercrime group is deploying dual infection strategies to infiltrate legal and finance departments, ultimately planting Cobalt Strike beacons to gain persistent control over corporate networks.
The attackers have developed a multi-layered intrusion chain that leaves little to chance. According to the report, “More than 20 initial infection files have been observed where the intrusion relies on a multi-layered infection chain with two different clusters”.
The first method relies on classic deception. Attackers send phishing emails containing archive files (ZIP or RAR) that hide malicious shortcuts. “The LNK file is camouflaged to resemble a PDF document through double extension format,” the report notes. When clicked, these shortcuts trigger a hidden PowerShell command that reaches out to a remote server—often disguised as an image file like flowersforlove.gif—to download the next stage of the attack.
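For defenders, the double-extension shortcut trick is easy to check for at the mail gateway or on a quarantine share. The following is an added example, not code from the Seqrite report: it scans a ZIP archive for members named like documents but ending in .lnk, and for members whose bytes carry the Windows ShellLink header regardless of name; the sample archive and its placeholder shortcut body are constructed for the demonstration.

```python
"""Flag shortcut (.lnk) lures camouflaged as documents inside a ZIP archive."""
import io
import re
import zipfile

# ShellLinkHeader prefix: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Script hosts a document lure has no business referencing.
SUSPICIOUS_CMD = re.compile(rb"powershell|cmd\.exe|mshta", re.IGNORECASE)


def classify_entry(name: str, data: bytes) -> list[str]:
    """Return the reasons this archive member looks like a shortcut lure."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    # "debt_claim.pdf.lnk": a document extension hidden in front of .lnk
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOC_EXTS:
        reasons.append("double extension: looks like a %s but is a .lnk" % parts[-2])
    if data.startswith(LNK_MAGIC):
        if parts[-1] != "lnk":
            reasons.append("shortcut header under a non-.lnk name")
        if SUSPICIOUS_CMD.search(data):
            reasons.append("shortcut references a script host")
    return reasons


def scan_archive(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons (empty dict = clean)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_entry(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed ZIP: one benign PDF and one fake-PDF shortcut (not a real lure)."""
    # Stand-in shortcut body: the header magic followed by a harmless marker string.
    fake_lnk = LNK_MAGIC + b"\x00" * 60 + b"powershell.exe placeholder"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reconciliation.pdf", b"%PDF-1.4\n% constructed benign sample\n")
        zf.writestr("debt_claim.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

The header check catches renamed shortcuts that the filename test alone would miss; RAR archives need a third-party reader but the same per-member logic applies.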
The second cluster is more technical, exploiting older security flaws that remain unpatched in many environments. “The second cluster leverages the legacy CVE-2017-0199 template injection vulnerability and even chains it with another old Equation Editor vulnerability CVE-2017-11882”. By nesting these exploits within malicious DOCX and RTF documents, the attackers can execute code simply by convincing a user to open a file.

Regardless of the entry point, both paths converge on a single objective: the execution of a remote HTML Application (HTA) file. This file launches a highly obfuscated PowerShell loader designed to evade antivirus detection.
“The loader uses three layers of encoding that executes shellcode to download stager and finally inject into a legitimate process, culminating in the stealthy deployment of a Cobalt Strike”.
Once the Cobalt Strike beacon is active, the attackers gain a powerful foothold, allowing them to move laterally through the network and exfiltrate sensitive data.
The campaign is not random; it is a calculated hunt for financial leverage. The phishing lures mimic critical business correspondence, such as legal claims, debt repayment demands, and reconciliation statements.
“The phishing emails indicate that the threat group is financially motivated which targets organizations responsible for payments, contracts, reconciliation, legal risk”.
Victims, primarily in logistics, industrial production, and construction sectors, are tricked by localized, high-pressure emails threatening legal action if payments are not made by a specific date.
Evidence suggests the threat actors are operating from within the same region they are targeting. The infrastructure relies heavily on Russian-controlled domains and hosting providers.
“Based on our analysis, we assess that the threat actor is a Russian-speaking financially motivated cybercrime group based on the phishing emails and targets”. While their tactics overlap with other known groups, Operation FrostBeacon appears to be a distinct, focused campaign aimed at capitalizing on the bustling B2B economy of the region.