Cobalt Strike
Cobalt Strike is a widely used commercial adversary simulation and post-exploitation framework whose Beacon payload is frequently abused in real intrusions. In the provided reporting, it appears across multiple campaigns as a command-and-control framework, secondary payload, or beacon used to maintain persistence, support lateral movement, and blend traffic with legitimate web activity through malleable C2 profiles. Reported behaviors include deployment via malicious installers, DLL sideloading using rogue version.dll files loaded by legitimate applications, PowerShell-based in-memory loading, and use in conjunction with loaders and other tooling such as Godzilla, Sliver, Meterpreter, Mimikatz, SystemBC, PureRAT, RedLine, and Ravage. The content also notes Cobalt Strike profiles crafted to make beacon traffic resemble legitimate web requests and cases where beacon traffic used HTTPS, jitter, CDN-like destinations, or shared user-agent and sleep characteristics with related implants.
The malware/framework is associated in the content with a broad range of threat activity, including ransomware and espionage operations. Examples mentioned include Play ransomware actors; Bumblebee infections dropping Cobalt Strike beacons; KnowledgeDeliver LMS zero-day exploitation (CVE-2026-5426) leading to malicious installers that deployed a backdoor and a Cobalt Strike beacon; China-aligned activity in Southeast Asia where a cracked Cobalt Strike framework was delivered to Windows hosts after compromise of edge routers; NegativeGlimmer/Operation Dragon Weave-related reporting where later infections in Cambodia and South Korea replaced AdaptixC2 with Cobalt Strike; long-running phishing campaigns against Russian organizations that previously used Cobalt Strike before shifting to Ravage; TA505-linked intrusions involving DLLs with Cobalt Strike-like code; and Mustang Panda reporting noting use of Cobalt Strike alongside PlugX, custom stagers, reverse shells, and Meterpreter.
Targeting in the source material spans government, research, academia, technology, finance, manufacturing, critical infrastructure, enterprise environments, and Russian educational institutions, as well as ransomware victim networks more broadly. Infection vectors explicitly mentioned include phishing emails with XLL, LNK, ZIP, archive, and document lures; malicious installers downloaded from compromised or spoofed platforms; exploitation of public-facing ASP.NET applications via ViewState deserialization; and post-compromise deployment through sideloading or administrative shares. High-confidence indicators and artifacts directly mentioned include rogue version.dll sideloading, Cobalt Strike beacon traffic shaped to resemble legitimate web requests, use of admin shares, and one campaign hash for an NSIS installer used to deliver Cobalt Strike: A23837DEBDC8F0E9FCE308BFF036F18F.
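The summary above notes beacon traffic shaped to resemble legitimate web requests, with jitter and sleep characteristics shared across implants. As an added example that is not from the page or any vendor it cites, this Python snippet shows the defensive side: grouping proxy log lines by (source, destination, user-agent) and flagging sessions whose request intervals stay regular even after jitter. The log format, hosts, IPs and thresholds are constructed assumptions.

```python
"""Beaconing detector over constructed proxy log lines (added example).

Assumes a simplified log format: "<epoch> <src_ip> <dst_host> <user_agent>".
A sleep timer with jitter still produces tightly clustered inter-request gaps,
so the median absolute deviation (MAD) of the gaps divided by their median
stays small, whereas human browsing to the same host is widely dispersed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample traffic (not from any report): an implant sleeping 60 s
# with 20% jitter, so check-ins arrive every 48-60 s, plus a user browsing
# the same CDN-like host with the same user-agent at irregular intervals.
BEACON_INTERVALS = [52, 58, 49, 60, 55, 51, 59, 47, 56, 53]
HUMAN_INTERVALS = [3, 9, 180, 2, 600, 45, 1200]
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def _build_lines(start: int, src: str, host: str, gaps: List[int]) -> List[str]:
    """Expand a start time and a list of gaps into '<epoch> <src> <host> <ua>' lines."""
    t = start
    lines = [f"{t} {src} {host} {UA}"]
    for gap in gaps:
        t += gap
        lines.append(f"{t} {src} {host} {UA}")
    return lines


SAMPLE_LOG = (
    _build_lines(1700000000, "10.0.0.5", "cdn.example-front.net", BEACON_INTERVALS)
    + _build_lines(1700000000, "10.0.0.9", "cdn.example-front.net", HUMAN_INTERVALS)
)


def parse_line(line: str) -> Tuple[int, str, str, str]:
    """Split one log line into (epoch, src_ip, dst_host, user_agent)."""
    epoch, src, host, ua = line.split(" ", 3)
    return int(epoch), src, host, ua


def interval_stats(times: List[int]) -> Tuple[float, float]:
    """Return (median gap, MAD of gaps) for a sorted-or-unsorted list of epochs."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, mad


def find_beacons(lines: List[str], min_requests: int = 8,
                 max_dispersion: float = 0.25) -> Dict[Tuple[str, str, str], dict]:
    """Flag (src, host, ua) sessions with enough requests and a stable gap.

    max_dispersion bounds MAD/median; 0.25 tolerates typical jitter settings
    while rejecting interactive browsing. Tune both thresholds per environment.
    """
    sessions: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for line in lines:
        epoch, src, host, ua = parse_line(line)
        sessions[(src, host, ua)].append(epoch)

    hits = {}
    for key, times in sessions.items():
        if len(times) < min_requests:
            continue
        med, mad = interval_stats(times)
        if med > 0 and mad / med <= max_dispersion:
            hits[key] = {"requests": len(times), "median_sleep_s": med,
                         "dispersion": round(mad / med, 3)}
    return hits


if __name__ == "__main__":
    for key, info in find_beacons(SAMPLE_LOG).items():
        print(key, info)
```

Because the key includes the user-agent, sessions from different hosts that share a profile's user-agent and sleep settings surface side by side, which is the correlation the reporting above describes.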
Vulnerabilities exploited
36 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration.”
The initial access is followed by steps to conduct extensive reconnaissance of the entity's systems and network using living-off-the-land (LotL) tools, escalate privileges via CVE-2020-1472 (aka Zerologon), and lateral movement via RDP.
Multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, are also exploiting three vulnerabilities - CVE-2024-57727 - in remote monitoring and management tool SimpleHelp to conduct remote code execution at many U.S.-based entities.
...which, in turn, will infect the computer with the Cobalt Strike Beacon program (compilation date of "regsvr.dll": 2023-08-21 14:04:21). | CERT-UA reported a cyberattack by UAC-0057 involving the file "Збірник_тез_НУОУ_23.rar", which contains an exploit for CVE-2023-38831. Successful exploitation leads to execution of a BAT file, then an LNK file, then an HTA via mshta.exe, ultimately delivering Cobalt Strike Beacon. The notice also states there is active exploitation of CVE-2023-38831 in WinRAR and that a PoC for generating ZIP archives with the required structure is publicly available.
Check Point researchers said the tool is being discussed on underground forums, where hackers are exchanging instructions on how to deploy it against three Citrix NetScaler flaws disclosed last week: CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424. The most critical of these, CVE-2025-7775, allows unauthenticated remote code execution.
The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability... React2Shell is a vulnerability in the Flight protocol, which facilitates client-server communication for React Server Components. The vulnerability stems from insecure deserialization... Under certain conditions, this can enable an attacker to execute arbitrary code on the server. | BI.ZONE Threat Intelligence also identified campaigns exploiting React2Shell that were not targeting Russia. In these attacks, threat actors deployed a wider range of malware, including the CrossC2 implant for Cobalt Strike.
Since 2021, UNC3569 has exploited popular n-day CVEs in widely used software, such as CVE-2021-44228 and CVE-2022-21587, to gain access to target organizations. | This is often followed by the deployment of Cobalt Strike BEACON on the compromised server to establish a foothold for further operations.
In February 2023, UNC3569 targeted a US media and entertainment company, exploiting CVE-2022-47986, which allowed the attackers to execute arbitrary commands on the Aspera Faspex server. | This is often followed by the deployment of Cobalt Strike BEACON on the compromised server to establish a foothold for further operations.
Proxyshell-auto ... Exploit tool based on CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207 ... proxyshell ... based on the Microsoft Exchange CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. | This is often followed by the deployment of Cobalt Strike BEACON on the compromised server to establish a foothold for further operations.
Download multiple ProxyShell exploit tools for testing: Proxyshell-auto ... Exploit tool based on CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207 ... proxyshell ... based on the Microsoft Exchange CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. | This is often followed by the deployment of Cobalt Strike BEACON on the compromised server to establish a foothold for further operations.
In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.
Proxyshell-auto ... Exploit tool based on CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207 ... ProxyVulns ... [ProxyShell] CVE-2021-34473, CVE-2021-34523 & CVE-2021-31207 Exploit Chains. | This is often followed by the deployment of Cobalt Strike BEACON on the compromised server to establish a foothold for further operations.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. | The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
Attackers are actively targeting VMware Horizon servers vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell) and related vulnerabilities that were patched in December 2021. | Another actor has used it to download a Cobalt Strike backdoor from http://185.112.83[.]116:8080/drv.
The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices. The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges. | Another sign of exploitation is traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on the vulnerable system.
ReliaQuest identified what we assess with medium confidence to be the first known exploitation of this vulnerability, spanning multiple environments between February and March 2026... CVE-2024-12802 is an authentication bypass vulnerability in SonicWall appliances that reduces VPN security to single-factor authentication... On Gen6 devices, the firmware patch alone doesn’t remediate the vulnerability. Six additional manual reconfiguration steps are required.
Version 4.0 includes 37 functions, high risk vulnerability detection MS17010... MS17010 (Using SMB Protocol to detect MS17010 hosts)... SMB scans C-segment eternal blue ms17010 vulnerable hosts
Kaspersky researchers revealed ... the attackers exploit Internet-exposed Fortigate SSL VPN servers unpatched against the CVE-2018-13379 vulnerability ... The FBI and CISA warned ... APT actors scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits ... Fortinet also warned customers to patch their appliances against the CVE-2018-13379 ... "CVE-2018-13379 is an old vulnerability resolved in May 2019"
This is often followed by the deployment of Cobalt Strike BEACON on the compromised server to establish a foothold for further operations.
The attackers used their remote desktop access to execute two backdoors: SystemBC and Cobalt Strike.
During the investigation of the second campaign, we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion (disablement of security products).
RTCore64.sys is a component of Afterburner. In 2019, this driver was assigned as CVE-2019-16098, which allows authenticated users to read/write any arbitrary address including kernel space. However, the outdated version of the vulnerable driver still has a valid signature. As a result, the attacker can deliver the outdated version of the driver into the victim machine and abuse it for various purposes, such as for anti-antivirus or anti-EDR.
A weaponized Word document exploiting CVE-2026-21509 -- a zero-click vulnerability in Microsoft Office OLE object handling -- uses a procurement lure themed around Pakistan's Sindh Integrated Emergency and Health Services to deliver a ClickOnce payload hosted on compromised Pakistani government infrastructure.
Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a vulnerability in GeoServer (CVE-2024-36401), a remote code execution (RCE) exploit. This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads. | Their modified Cobalt Strike version included altered signatures for evasion...
Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor.
The second cluster leverages the legacy CVE-2017-0199 template injection vulnerability and even chains it with another old Equation Editor vulnerability CVE-2017-11882. By nesting these exploits within malicious DOCX and RTF documents, the attackers can execute code simply by convincing a user to open a file.
Groups observed using it
29 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Proofpoint observed Bumblebee dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.
Cobalt Strike was also frequently used during the initial stage of an attack. Interestingly, we found that instead of the typical Cobalt Strike usage, Earth Krahang adds additional protection to their C&C server through the adoption of the open-source project RedGuard.
Tools: SpicyOmelette, Cobalt Strike, Meterpreter, Mimikatz, CobtInt, ATMSpitter, Carbanak, Buhtrap, Cyst, Metasploit.
----[ 2.3 Private Cobalt Strike Beacon Drop Location: mnt/hgfs/Desktop/111/beacon This is a custom Cobalt Strike C2 Beacon.
APT32 (aka OceanLotus) intrusion in April 2017... frequently uses the Invoke-Obfuscation PowerShell obfuscation framework to heavily obfuscate Cobalt Strike Beacon backdoor downloaders
...which, in turn, will infect the computer with the Cobalt Strike Beacon program (compilation date of "regsvr.dll": 2023-08-21 14:04:21).
APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.
TEARDROP or RAINDROP backdoors would be deployed, which would install a customized Cobalt Strike beacon in the environment, enumerating the domain and allowing for the collection and exfiltration of information of value using hands-on-keyboard techniques.
Several Cobalt Strike framework capabilities were utilized by the threat actor throughout the course of the attack, including RDP tunnelling for lateral movement, and process injection for the purposes of execution and evasion.
These infection vectors deploy malware predominantly consisting of the PlugX remote access trojan (RAT) with custom stagers, reverse shells, meterpreter and Cobalt Strike, which act as another mechanism for achieving long term access into their targets.
This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks. Within this category ... attackers using off-the-shelf tools, such as Cobalt Strike...
Ultimately, the final stage drops a dangerous Cobalt Strike Beacon directly into memory. This implant establishes an outbound command-and-control connection to a remote server.
Before that, however, antivirus on HSE endpoints detected both Cobalt Strike and Mimikatz being deployed on the so-called Patient Zero workstation.
The weaponized tool used by Vice Society is Cobalt Strike, which allows the group to remotely access and control the infected endpoint.
The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Earth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack.
The group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails.
Initial Access
2 techniques
Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.
For initial intrusion, the attackers send phishing emails to corporate addresses. The attachments are disguised as Microsoft Excel documents: product lists, forms to fill in, and other work files.
Execution
3 techniques
The loading method mirrors techniques used by advanced tools like Cobalt Strike, but executed fully from PowerShell.
Stage 2 uses the HTA to register a scheduled task via a COM object, spawning a 32-bit PowerShell process.
Experts said that the code on the platform lured users to download a malicious installer, which compromised the machine with a Cobalt Strike beacon by deploying a backdoor.
Persistence
1 technique
Unknown hackers reportedly started flooding Cobalt Strike servers operated by former members of the Conti ransomware group with anti-Russian messages to disrupt their activity.
Stealth
3 techniques
These included customized Cobalt Strike profiles designed to mimic legitimate web traffic... Python scripts capable of injecting shellcode into legitimate Windows executables while maintaining normal functionality.
The faultrep.dll file is a custom shellcode loader that will decode the encoded shellcode — which is Cobalt Strike — stored inside faultrep.dat.
The final stage is a reflective .NET infostealer that runs entirely within the existing PowerShell process address space.
Credential Access
4 techniques
In one case, the downloaded Cobalt Strike beacon was executed in a sandbox environment and revealed the following commands were executed by the operator(s): ... execution of Mimikatz
We could now build long-running monitoring BOFs such as keyloggers, cliploggers, and a TGT monitor, which we will cover later.
At 3:48 AM, a Tier Zero service account logs in, runs its scheduled task, and logs out. You will never know it happened. The TGT was there for sixty seconds.
In this example, a Monitor TGT task waits for an admin logon, retrieves the ticket, and writes the result into a queue stored in unencrypted heap memory.
Discovery
1 technique
In one case, the downloaded Cobalt Strike beacon was executed in a sandbox environment and revealed the following commands were executed by the operator(s): net group “domain admins” /domain; ipconfig /all; netstat -anop tcp; execution of Mimikatz
Lateral Movement
1 technique
Cobalt Strike targeted SMB shares for lateral movement
Collection
2 techniques
We could now build long-running monitoring BOFs such as keyloggers, cliploggers, and a TGT monitor, which we will cover later.
Command and Control
8 techniques
The malicious files suggested they were part of an attack framework that focused on evading detection: Cobalt Strike profiles designed to make beacon traffic resemble legitimate web requests; a Telegram bot API–based external command and control (C2) mechanism that routed communication through Telegram’s infrastructure rather than using direct connections; a Cloudflare Worker acting as a front-end redirector to obscure the actual backend C2 server.
Web Protocols (T1071.001) - disguising C2 as HTTP/HTTPS
According to MITRE ATT&CK these are specific techniques: Proxy (T1090, Command and Control) - routing C2 traffic through an intermediate node
External Proxy (T1090.002) - an external proxy that hides the team server's address from netflow analysis
Some of the beacons are configured to use “domain fronting”... Certain beacons have subdomains of fastly[.]net as their C2 server... However, the domains they connect to are admin.reddit[.]com or admin.wikihow[.]com, which are legitimate domains hosted on a CDN.
The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2).
Encrypted Channel (T1573) - TLS encryption of the channel between the implant and the redirector
Hide Infrastructure (T1665) - deliberate concealment of the command infrastructure
Impact
1 technique
The messages cause the TeamServer’s Java application to be overloaded and the activity was disrupted similar to a DoS condition.
Other
2 techniques
Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework.
The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts... indicative of a broader attack framework focused on evading detection... a lab that uses an iterative approach to developing and testing malware against the Sophos, CrowdStrike, and Windows Defender endpoint detection and response (EDR) agents.
IOCs tracked for this family
860 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a comparison point for the reflective in-memory loading technique used in the campaign. The content does not state Cobalt Strike itself was deployed in this incident.
Cobalt Strike beacon was delivered via a malicious installer after the web platform was compromised, providing backdoor access to the victim machine.
Used as a post-exploitation framework with customized beacon profiles to disguise command-and-control traffic as legitimate web requests and support stealthy activity.
A post-exploitation framework whose beacon traffic was configured to mimic legitimate web requests as part of EDR evasion testing.