Seqrite Labs identified Operation FrostBeacon, a targeted malware campaign delivering Cobalt Strike beacons to Russian B2B enterprises since early November 2025. Targets include finance and legal departments within logistics, industrial production, and construction sectors. Attackers used phishing emails themed around contract payments and legal disputes to lure victims into opening malicious attachments.
The campaign employs two infection clusters:
- LNK Cluster: Phishing archives with malicious shortcut files disguised as PDFs, triggering PowerShell and mshta.exe for remote HTA execution.
- CVE Cluster: Weaponised DOCX files exploiting the CVE-2017-0199 and CVE-2017-11882 vulnerabilities.

Both chains lead to multi-layered obfuscated PowerShell loaders that decrypt and execute shellcode in memory, culminating in Cobalt Strike deployment. Infrastructure includes Russian-controlled domains and customised malleable profiles.
Organisations should enable Microsoft Defender Exploit Guard to block legacy Office exploits (CVE-2017-0199, CVE-2017-11882) and monitor for suspicious behaviours such as hidden PowerShell execution, mshta.exe invocation, and RWX memory allocations. Defender’s Attack Surface Reduction (ASR) rules and AMSI integration can help detect obfuscated scripts and prevent fileless attacks.
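As an added example (not from the Seqrite report), the following PowerShell rolls out the Defender ASR rules that map to the two chains above, verifies the resulting state, and pulls the ASR audit/block events to review. It assumes an elevated session on a Windows host where Microsoft Defender Antivirus is the active engine; the rule GUIDs are Microsoft's published ASR rule IDs, and starting in AuditMode rather than Enabled is the assumption to revisit for your environment.

```powershell
# Added example: enable Defender ASR rules covering the FrostBeacon chains and confirm
# they are active. Run in an elevated PowerShell session with Defender AV active.

# Published Microsoft ASR rule IDs, grouped by the behaviour seen in each cluster.
$AsrRules = @{
    # CVE cluster: CVE-2017-0199 / CVE-2017-11882 spawn a child process from Word.
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    # LNK cluster: attachment -> shortcut -> PowerShell / mshta.exe -> remote HTA.
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    # Both clusters: multi-layer obfuscated PowerShell loaders (AMSI-backed rule).
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Assumption: begin in AuditMode to measure business impact, then move to Enabled.
$Mode = 'AuditMode'   # Disabled | AuditMode | Enabled | Warn

foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Host ('{0,-9} {1}' -f $Mode, $AsrRules[$id])
}

# Verify: Get-MpPreference exposes parallel arrays of rule IDs and numeric actions
# (0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($AsrRules.ContainsKey($id)) {
        '{0} -> action {1}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Detection: ASR hits are logged in the Defender operational log as event 1121 (blocked)
# or 1122 (audited). Review the last week for mshta.exe or PowerShell launched from
# Office or from an attachment handler before switching the rules to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If the host is managed by Intune or Group Policy, set the same rule IDs through that channel instead, since locally applied Add-MpPreference settings are overridden by managed policy.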