Cobalt Strike

Tool updated a year ago (2024-01-10T14:25:38.971Z)
Cobalt Strike is a powerful commercial adversary-simulation tool that has been used extensively as malware by cybercriminals and threat actors worldwide. Its Beacon payload is delivered through a built-in reflective loader that leverages the kernel32.LoadLibraryA API for DLL loading, allowing the Beacon DLL to be loaded into virtual memory. This process is facilitated by an Aggressor script, which writes the reflective loader shellcode into the raw Beacon DLL. A typical attack involves creating a "raw stageless" Beacon DLL from the Cobalt Strike Client, as shown in various screenshots and diagrams of the process.

In 2023, it was predicted that Cobalt Strike, along with botnets, would continue to dominate command-and-control (C2) observations, indicating their prevalence in cyberattacks. One common delivery method uses malicious macros embedded in documents. These macros create persistence on the compromised machine via two scheduled tasks designed to download secondary payloads, primarily the Cobalt Strike Beacon. Another method uses JavaScript to perform a similar task.

The use of other tools alongside Cobalt Strike is also common. For instance, Meterpreter, a component of the Metasploit framework, is often used to inject Cobalt Strike and other Metasploit payloads into the rundll32.exe process, further compromising the system. Similarly, SystemBC, another malware family, is frequently found paired with Cobalt Strike in attacks. This pairing further enhances the attackers' ability to control compromised systems and perform various malicious activities.
Description last updated: 2023-08-16T06:35:08.008Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

Alias: pythonw.exe | Votes: 2
pythonw.exe is a possible alias for Cobalt Strike. Pythonw.exe, a malware that exploits and damages your computer or device, has been identified to execute malicious code on Windows systems. This harmful program infiltrates your system through suspicious downloads, emails, or websites without your knowledge, with the potential to steal personal info...

Alias: python310.dll | Votes: 2
python310.dll is a possible alias for Cobalt Strike. Python310.dll is a malicious software (malware) that infiltrates systems by installing a trojanized version of itself and establishing persistence through a run key named "Python". This is achieved by manipulating the value to be "C:\Users\Public\Music\python\pythonw.exe". The malware can enter your...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Beacon
Ransomware
Exploit
Lateral Move...
Payload
Loader
exploitation
Phishing
Backdoor
Implant
Windows
Rat
Trojan
Encryption
Vulnerability
Proxy
Reconnaissance
russian
Microsoft
Linux
Apt
Tool
State Sponso...
T1018
Encrypt
Macos
Shellcode
CISA
Fbi
Remote Code ...
Microsoft’s
Health
Chinese
Sophos
Fortra
Botnet
Github
Infostealer
Decoy
Russia
Ransomware P...
Malware Loader
Vpn
Rmm
Evasive
Html
Exploits
Associated Malware
Alias: IcedID (Malware) | Association type: Unspecified | Votes: 9
IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d...

Alias: Brute Ratel (Malware) | Association type: Unspecified | Votes: 8
Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. Vari...

Alias: Lockbit (Malware) | Association type: Unspecified | Votes: 6
LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or...

Alias: Batloader (Malware) | Association type: Unspecified | Votes: 6
Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal...

Alias: QakBot (Malware) | Association type: Unspecified | Votes: 6
Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope...

Alias: Clop (Malware) | Association type: Unspecified | Votes: 5
Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin...

Alias: Conti (Malware) | Association type: Unspecified | Votes: 5
Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona...

Alias: PlugX (Malware) | Association type: Unspecified | Votes: 5
PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s...

Alias: Domino (Malware) | Association type: Unspecified | Votes: 4
Domino is a malicious software that infiltrated various systems, most notably IBM Domino Server and ESET Mail Security for IBM Domino, causing significant disruptions and data breaches. The malware was particularly potent due to its ability to exploit vulnerabilities in one system and trigger a domi...

Alias: Qbot (Malware) | Association type: Unspecified | Votes: 4
Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23...

Alias: Truebot (Malware) | Association type: Unspecified | Votes: 4
Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow...

Alias: Black Basta (Malware) | Association type: Unspecified | Votes: 4
Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses...

Alias: Systembc (Malware) | Association type: Unspecified | Votes: 3
SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f...

Alias: Vidar (Malware) | Association type: Unspecified | Votes: 3
Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw...

Alias: REvil (Malware) | Association type: Unspecified | Votes: 3
REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th...

Alias: Domino Backdoor (Malware) | Association type: Unspecified | Votes: 3
The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol...

Alias: Emotet (Malware) | Association type: Unspecified | Votes: 3
Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,...

Alias: Bumblebee (Malware) | Association type: Unspecified | Votes: 3
Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav...

Alias: ShadowPad (Malware) | Association type: Unspecified | Votes: 3
ShadowPad is a sophisticated malware, known for its use in supply chain attacks, particularly against government entities in South Asia. This modular backdoor, which has been active for approximately seven years, is popular among Chinese threat actors. It was notably used as the payload in an attack...

Alias: Carbanak (Malware) | Association type: Unspecified | Votes: 3
Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and...

Alias: Meterpreter (Malware) | Association type: Unspecified | Votes: 3
Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once insta...

Alias: FlawedGrace (Malware) | Association type: Unspecified | Votes: 3
FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo...

Alias: njRAT (Malware) | Association type: Unspecified | Votes: 3
NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d...

Alias: Lizar (Malware) | Association type: Unspecified | Votes: 2
Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati...

Alias: IceFire (Malware) | Association type: Unspecified | Votes: 2
IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwi...

Alias: Bazarloader (Malware) | Association type: Unspecified | Votes: 2
BazarLoader is a type of malware developed by the TrickBot group, primarily used to gain initial access to a victim's infrastructure in ransomware attacks. This malware has been associated with various threat groups, including ITG23, which has used BazarLoader alongside other malware like Trickbot a...

Alias: NativeZone (Malware) | Association type: Unspecified | Votes: 2
NativeZone is a malware identified as a custom Cobalt Strike Beacon loader. This malicious software was dubbed NativeZone by Microsoft and is typically loaded and executed through rundll32.exe to deliver follow-on payloads. The malware uses DLL files, such as Document.dll and NativeCacheSvc.dll, and...

Alias: Redline (Malware) | Association type: Unspecified | Votes: 2
RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for...

Alias: Droxidat (Malware) | Association type: Unspecified | Votes: 2
DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility c...

Alias: Diceloader (Malware) | Association type: Unspecified | Votes: 2
Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in...
Associated Threat Actors
Alias: FIN7 (Threat Actor) | Association type: Unspecified | Votes: 4
FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global...

Alias: Ursnif/gozi (Threat Actor) | Association type: Unspecified | Votes: 3
Ursnif/Gozi is a threat actor known for its malicious activities, particularly in the realm of data exfiltration. The group utilizes legitimate cyber penetration testing tools such as Cobalt Strike, and malware tools and derivatives like Ursnif/Gozi to aggregate and exfiltrate data from victim netwo...

Alias: Winnti (Threat Actor) | Association type: Unspecified | Votes: 3
Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such...

Alias: Lace Tempest (Threat Actor) | Association type: Unspecified | Votes: 3
Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi...

Alias: TA505 (Threat Actor) | Association type: Unspecified | Votes: 3
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec...

Alias: Cobalt Group (Threat Actor) | Association type: Unspecified | Votes: 2
The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o...

Alias: Bl00dy (Threat Actor) | Association type: Unspecified | Votes: 2
Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, has recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i...

Alias: Redgolf (Threat Actor) | Association type: Unspecified | Votes: 2
RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the...

Alias: FIN6 (Threat Actor) | Association type: Unspecified | Votes: 2
FIN6, also known as ITG08, Skelaton Spider, and MageCart, is a notorious threat actor group associated with significant cyber-attacks. The group initially gained notoriety for successfully stealing credit cards through point of sale (POS) systems in retail and hospitality establishments, notably cau...

Alias: cl0p (Threat Actor) | Association type: Unspecified | Votes: 2
Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at...

Alias: Rhysida (Threat Actor) | Association type: Unspecified | Votes: 2
Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc...

Alias: Redhotel (Threat Actor) | Association type: Unspecified | Votes: 2
RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have...
Associated Vulnerabilities
Alias: CVE-2021-40444 (Vulnerability) | Association type: Unspecified | Votes: 2
The vulnerability CVE-2021-40444 is associated with Cobalt Strike.
Source Document References
Information about the Cobalt Strike Tool was read from the documents corpus below. This display is limited to 20 results.

Source Link | Created At
Trend Micro | 2 years ago
Securityaffairs | 2 years ago
CSO Online | 2 years ago
Trend Micro | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
InfoSecurity-magazine | 2 years ago
Malwarebytes | 2 years ago
Securityaffairs | 2 years ago
DARKReading | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
DARKReading | 2 years ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago