Cybersecurity Firm Kaspersky Uncovers Sophisticated Attacks Exploiting Legitimate Platforms and SharePoint Vulnerabilities

In a global environment where digital infrastructure underpins business activities and platforms, cybercriminals are leveraging increasingly sophisticated methods to bypass security measures.

Recent discoveries by Kaspersky’s Global Research and Analysis Team (GReAT) highlight the evolving nature of cyber threats, exposing how attackers exploit trusted platforms and persistent vulnerabilities to target organizations worldwide.

These findings underscore the urgent need for proper cybersecurity measures to protect against advanced persistent threats (APTs) and unpatched vulnerabilities.

Kaspersky’s researchers uncovered a complex attack campaign that exploits legitimate services such as GitHub, Microsoft Learn Challenge, Quora, and social networks to deliver malicious payloads.

Detected in the second half of 2024 and continuing into 2025, these attacks primarily targeted medium-to-large businesses in China, Japan, Malaysia, Peru, and Russia, with a focus on the oil and gas sector.

The attackers employed spear-phishing emails disguised as communications from state-owned companies to infiltrate victims’ devices.

By leveraging DLL hijacking techniques against the legitimate Crash Reporting Send Utility, so that a trusted executable loaded the malicious library, the attackers avoided detection while deploying Cobalt Strike Beacon, a tool enabling remote control, data theft, and persistent network access.
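The DLL hijacking described above is a pattern defenders can look for in image-load telemetry: a well-known system DLL name mapped from outside System32/SysWOW64, or a signed process loading an unsigned DLL that sits beside it in a user-writable directory. The following is an added example, not code from the article or from Kaspersky; the event shape mimics the fields a Sysmon "Image loaded" (Event ID 7) record carries, and the DLL names, directory lists and sample events are constructed for illustration.

```python
"""Added example, not code from the Kaspersky article or from Kaspersky:
a minimal detector for DLL search-order hijacking (sideloading) over
image-load telemetry.

Assumptions, all mine: the event shape mimics the fields a Sysmon
"Image loaded" (Event ID 7) record carries; the system-DLL names,
directory lists and sample events are constructed and illustrative."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which the listed DLL names are legitimately loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Well-known system DLL names that are frequent hijack targets (illustrative set).
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll",
}

# Path fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\", "\\users\\public\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    process_image: str    # full path of the loading process
    loaded_image: str     # full path of the DLL that was mapped
    process_signed: bool  # Authenticode status of the process binary
    image_signed: bool    # Authenticode status of the DLL


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def _same_dir(a: str, b: str) -> bool:
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def classify(event: ImageLoadEvent) -> list[str]:
    """Return the reasons an image-load event looks like DLL hijacking (empty if benign)."""
    reasons: list[str] = []
    dll_name = PureWindowsPath(event.loaded_image).name.lower()

    # Rule 1: a DLL that should come from System32/SysWOW64 was found elsewhere.
    if dll_name in SYSTEM_DLL_NAMES and not _in_system_dir(event.loaded_image):
        reasons.append("system DLL name loaded from non-system directory")

    # Rule 2: a signed process mapped an unsigned DLL sitting beside it (sideloading pattern).
    if (event.process_signed and not event.image_signed
            and _same_dir(event.process_image, event.loaded_image)):
        reasons.append("signed process loaded unsigned DLL from its own directory")

    # Raise confidence when the DLL lives somewhere a user could have dropped it.
    if reasons and _user_writable(event.loaded_image):
        reasons.append("DLL resides in user-writable location")
    return reasons


def find_suspicious(events) -> list[tuple[ImageLoadEvent, list[str]]]:
    """Filter a stream of events down to those with at least one hijacking indicator."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry; the paths and file names are invented for the example.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\version.dll", True, True),
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe",
                   r"C:\Program Files\Vendor\vendorlib.dll", True, True),
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\Temp\signed_helper.exe",
                   r"C:\Users\alice\AppData\Local\Temp\version.dll", True, False),
]

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.process_image} -> {ev.loaded_image}: {'; '.join(reasons)}")
```

Rule 2 will also fire on legitimate third-party software that ships unsigned helper DLLs, so in production it needs an allowlist keyed on process path and DLL hash; the user-writable location check is what separates the campaign pattern (a trusted utility dropped into a temp directory next to a rogue DLL) from ordinary installs under Program Files.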

The ingenuity of this campaign lies in its use of public platforms to host and distribute malicious code.

Encrypted malicious code was embedded in specially created profiles on GitHub, with links to this code hidden across other GitHub profiles, Q&A websites, and Russian social media platforms.

This approach allowed attackers to blend their activities with legitimate traffic, evading traditional security solutions.

Maxim Starodubov, Malware Analyst Team Lead at Kaspersky, noted that while the attackers used purpose-created accounts, there’s potential for future exploitation of legitimate users’ profiles, such as through malicious comments.

This campaign illustrates the growing complexity of social engineering tactics and the critical need for organizations to stay informed through up-to-date threat intelligence and deploy comprehensive security solutions like Kaspersky Next to detect and block such attacks early.

In a separate discovery, Kaspersky’s GReAT team revealed that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint stem from an incomplete fix for CVE-2020-1147, first reported in 2020.

These vulnerabilities, identified as CVE-2025-49704 and CVE-2025-49706 (collectively dubbed “ToolShell”), have emerged as a significant cybersecurity threat in 2025, with exploitation attempts detected globally, including in Egypt, Jordan, Russia, and other countries.

Targeting sectors such as government, finance, manufacturing, forestry, and agriculture, these attacks require no authentication and give the attacker full control over the affected SharePoint servers.

Kaspersky’s analysis found that the ToolShell exploit closely resembles the 2020 CVE-2020-1147 exploit, indicating that the original patch was insufficient.

Microsoft responded in July 2025 with out-of-band patches for the bypass variants, tracked as CVE-2025-53770 and CVE-2025-53771, but the window between initial exploitation and patch deployment allowed attackers to compromise numerous systems.

Boris Larin, principal security researcher at Kaspersky GReAT, warned that ToolShell’s ease of exploitation ensures its longevity, similar to other persistent vulnerabilities like ProxyLogon and EternalBlue.

Kaspersky’s proactive detection blocked these attacks before public disclosure, emphasizing the value of behavior-based detection tools like Kaspersky Next.

Organizations using SharePoint are urged to apply the latest patches immediately and deploy cybersecurity solutions capable of countering zero-day exploits.

Larin emphasized that unpatched systems remain vulnerable, and the exploit’s integration into penetration testing tools will likely perpetuate its use for years.

These discoveries highlight a dual challenge: attackers’ use of trusted platforms and the persistence of unpatched vulnerabilities.

The exploitation of legitimate services underscores the difficulty of distinguishing malicious activity from normal operations, while the SharePoint vulnerabilities reveal the long-term consequences of incomplete fixes.

Kaspersky’s findings align with broader trends, such as a 14% increase in daily malicious file detections in 2024 and a rise in long-lasting attacks, with 35.2% exceeding one month in duration.

To mitigate these threats, organizations must adopt a multi-layered approach.

Regular software updates, employee training on phishing detection, and advanced endpoint detection and response (EDR) solutions like Kaspersky Endpoint Detection and Response are critical.

Additionally, leveraging threat intelligence services and behavior-based detection can preemptively block sophisticated attacks.

As cybercriminals continue to exploit trusted relationships and unpatched systems, proactive cybersecurity measures are essential to safeguarding organizational assets in an increasingly hostile digital environment.
