Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia
ID: c82e02eb-33d4-52e7-8c47-0cd48e5e566d
STIX ID: report--c82e02eb-33d4-52e7-8c47-0cd48e5e566d
Feed Name: Seqrite Blog
Operation FrostBeacon is a targeted, financially motivated campaign delivering Cobalt Strike beacons to Russian B2B organizations (finance and legal functions) via two infection clusters: (1) phishing archives containing LNK shortcuts that launch mshta/HTA and obfuscated PowerShell loaders, and (2) malicious DOCX files abusing CVE-2017-0199 (often chained with CVE-2017-11882) to fetch remote HTA payloads. The campaign uses layered encoding and in-memory shellcode execution to deploy Cobalt Strike with custom malleable C2 profiles; the report includes detailed IOCs, domains, URLs, proxy IPs, MITRE TTP mappings and vendor detections.
