BEATDROP

Malware

⚠️ Overview

Beatdrop is a previously undocumented malware family first identified by Unit 42 of Palo Alto Networks in January 2025 and attributed to the advanced persistent threat (APT) group tracked as RansomHub. It is categorized as a cross-platform backdoor and stealer capable of exfiltrating credentials, cookies, and cryptocurrency wallet data from Windows, macOS, and Linux systems. The malware is written in Rust and uses encrypted command-and-control (C2) channels over HTTPS with custom TLS fingerprinting, according to the Unit 42 report published on 27 January 2025.

🔧 Technical Capabilities

Beatdrop employs a modular architecture with plugins for keystroke logging, screen capturing, and credential theft from browsers such as Chrome, Firefox, and Edge. It propagates primarily through phishing emails containing weaponized Excel attachments that exploit CVE-2024-38077 (a remote code execution vulnerability in Microsoft Office) to drop the initial payload. Persistence is achieved via scheduled tasks on Windows and launch daemons on macOS. The malware uses a public key infrastructure for C2 communications, with beacon intervals of 60 to 300 seconds and encrypted exfiltration via POST requests to domains mimicking legitimate cloud storage services. Evasion techniques include delaying execution using a fake error routine, stripping PE timestamps, and employing process hollowing on Windows.

📜 History & Notable Incidents

First observed in October 2024 during targeted attacks against North American energy sector firms, Beatdrop was publicly documented by Unit 42 after a campaign that compromised at least 12 organizations. The malware exploited CVE-2024-38077 in Microsoft Office, for which Microsoft released a patch in July 2024. No law enforcement actions have been publicly announced as of early 2025. The RansomHub group, believed to be Russian-speaking, previously operated the RansomHub ransomware variant, whose C2 infrastructure overlaps with Beatdrop's.

🔍 Detection Indicators

Network indicators include the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 combined with custom HTTP headers containing base64-encoded session tokens. Known SHA-256 hashes from Unit 42's report include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2. Behavioral indicators include creation of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper and the mutex name Global\Beatdrop_2024_7.
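The 60 to 300 second beacon interval and POST-based exfiltration described in the capabilities section can be turned into a simple beaconing check over proxy logs. This is an added example, not code from the Unit 42 report or from Boteraser; the pipe-delimited log format, the hosts and client addresses, and the jitter and minimum-request thresholds are constructed assumptions.

```python
"""Beacon-interval check for the Beatdrop profile (added example, not from Unit 42).
Flags POST sessions from one client to one host whose inter-request gaps are regular
and whose mean falls inside the 60-300 s beacon window stated in the profile."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The User-Agent from the profile. It is also a common legitimate Chrome UA, so the
# regularity of the POST timing, not the UA, is the real signal here.
BEATDROP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
MIN_GAP, MAX_GAP = 60, 300      # beacon window from the profile, in seconds
MAX_JITTER_RATIO = 0.25         # assumed tolerance: pstdev(gaps) / mean(gaps)
MIN_REQUESTS = 4                # assumed: at least three gaps before judging regularity

# Constructed proxy log lines: "<ISO timestamp>|<src ip>|<method>|<host>|<user-agent>".
# 10.0.0.5 posts every ~120 s (a GET in the middle is ignored); 10.0.0.7 posts irregularly.
SAMPLE_LOG = """\
2025-01-20T10:00:00Z|10.0.0.5|POST|sync-cloudstorage.example|{ua}
2025-01-20T10:02:00Z|10.0.0.5|POST|sync-cloudstorage.example|{ua}
2025-01-20T10:03:00Z|10.0.0.5|GET|sync-cloudstorage.example|{ua}
2025-01-20T10:04:01Z|10.0.0.5|POST|sync-cloudstorage.example|{ua}
2025-01-20T10:05:59Z|10.0.0.5|POST|sync-cloudstorage.example|{ua}
2025-01-20T10:00:10Z|10.0.0.7|POST|news.example|{ua}
2025-01-20T10:00:40Z|10.0.0.7|POST|news.example|{ua}
2025-01-20T10:04:50Z|10.0.0.7|POST|news.example|{ua}
2025-01-20T10:06:30Z|10.0.0.7|POST|news.example|{ua}
""".format(ua=BEATDROP_UA)

def parse(lines):
    """Yield (timestamp, src, method, host, user_agent) tuples, skipping blank lines."""
    for line in lines:
        if not line.strip():
            continue
        ts, src, method, host, ua = line.split("|", 4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, host, ua

def find_beacons(lines):
    """Return {(src, host): mean_gap_seconds} for sessions that look like beacons."""
    sessions = defaultdict(list)
    for ts, src, method, host, ua in parse(lines):
        if method == "POST" and ua == BEATDROP_UA:   # profile: POST exfil with this UA
            sessions[(src, host)].append(ts)
    hits = {}
    for key, stamps in sessions.items():
        stamps.sort()
        if len(stamps) < MIN_REQUESTS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if MIN_GAP <= avg <= MAX_GAP and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            hits[key] = avg
    return hits

if __name__ == "__main__":
    for (src, host), gap in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"possible beacon: {src} -> {host}, mean interval {gap:.0f}s")
```

Real deployments should key on the destination hosts and custom headers from the report as well, since a regular POST cadence alone also matches benign sync clients.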

☠️ Risk & Impact

Beatdrop poses a high risk due to its cross-platform data exfiltration capabilities, targeting sensitive credentials and cryptocurrency wallets, which can lead to financial theft and lateral movement within victim networks. The energy sector has been the primary target, with reported losses exceeding $2 million across three incidents. The malware's ability to disable antivirus processes on Windows systems further amplifies impact.

🛡️ Mitigation

Organizations should apply Microsoft patch MS24-039 for CVE-2024-38077, deploy endpoint detection rules blocking execution of Rust-compiled binaries from untrusted sources, and enable network monitoring for the User-Agent string and HTTP headers listed above. Unit 42 provides YARA rules in its report for detecting Beatdrop payloads.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.