Cobalt Strike

Tool updated 9 months ago (2024-01-10T14:25:38.971Z)
Cobalt Strike is a commercial adversary-simulation and red-team framework, now sold by Fortra, whose post-exploitation agent (Beacon) is abused at scale: cracked and leaked builds have made it one of the most frequently observed command-and-control (C2) frameworks in both cybercriminal and state-sponsored intrusions worldwide.

Beacon is delivered as a reflective DLL. Its built-in reflective loader maps the DLL into virtual memory itself rather than going through the Windows loader, resolving kernel32.LoadLibraryA (together with the other APIs it needs) so it can load the libraries Beacon imports. Cobalt Strike also exposes this stage to operators: an Aggressor script can hook artifact generation and write its own reflective-loader shellcode into the raw Beacon DLL. A typical attack chain therefore starts by exporting a "raw stageless" Beacon DLL from the Cobalt Strike client and wrapping it in whatever loader the attacker prefers.

In 2023, analysts predicted that Cobalt Strike, along with botnets, would continue to dominate C2 observations, a measure of how prevalent it is in real attacks.

Delivery commonly relies on malicious macros embedded in documents. In the campaigns documented here, the macro establishes persistence by creating two scheduled tasks that download second-stage payloads, chiefly the Cobalt Strike Beacon; a JavaScript dropper has been seen doing the same job.

Cobalt Strike rarely operates alone. Meterpreter, the Metasploit framework's payload, has been used to inject Cobalt Strike and other Metasploit payloads into the rundll32.exe process, and SystemBC (a SOCKS5 proxy bot) is frequently found deployed beside Beacon to give the operators a second channel into the compromised network. Given the ransomware families associated with it below (Conti, LockBit, Black Basta and others), a Beacon detection should be treated as a likely precursor to ransomware deployment rather than as an isolated infection.
Description last updated: 2023-08-16T06:35:08.008Z
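The reflective-loading step described above is easiest to see from the artifact side. The following Python is an added example, not code from Cobalt Strike or Fortra: it scans a raw blob for an embedded PE image, parses the export table, finds the export conventionally named ReflectiveLoader (the convention from Stephen Fewer's Reflective DLL Injection, which Cobalt Strike's default loader follows; a custom loader written through the Aggressor hook may use a different name), and converts that export's RVA into the file offset a bootstrap stub must jump to before anything has mapped the image. The same check is what an analyst runs to confirm that a suspect DLL is a reflective one. The sample DLL (build_sample_dll) and the BOOTSTRAP_STUB prefix are constructed inline and contain no real code; real raw stageless artifacts patch bootstrap instructions into the DOS header rather than prepending a stub.

```python
# Added example (not Cobalt Strike/Fortra code): recover the ReflectiveLoader export
# of a reflective DLL embedded in a raw artifact and map its RVA to a file offset,
# which is what a bootstrap stub jumps to and what an analyst checks during triage.
import struct

DOS_SIGNATURE, NT_SIGNATURE, PE32PLUS_MAGIC = b"MZ", b"PE\0\0", 0x20B

def find_pe_offset(blob: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at a PE signature, or -1."""
    pos = blob.find(DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            nt = pos + struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[nt:nt + 4] == NT_SIGNATURE:
                return pos
        pos = blob.find(DOS_SIGNATURE, pos + 1)
    return -1

def parse_headers(pe: bytes):
    """Return (export_dir_rva, export_dir_size, sections) from an on-disk PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24                                    # optional header after 20-byte file header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == PE32PLUS_MAGIC
    export_rva, export_size = struct.unpack_from("<II", pe, opt + (112 if pe32plus else 96))
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((pe[hdr:hdr + 8].rstrip(b"\0"), va, vsize, raw_ptr, raw_size))
    return export_rva, export_size, sections

def rva_to_offset(rva: int, sections) -> int:
    """Translate an RVA to a file offset via the section table; no mapping needed."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def list_exports(pe: bytes) -> dict:
    """Map every named export to its RVA (ordinal-only exports are skipped)."""
    export_rva, _size, sections = parse_headers(pe)
    if export_rva == 0:
        return {}
    ed = rva_to_offset(export_rva, sections)
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<IIIII", pe, ed + 20)
    funcs, names, ords = [rva_to_offset(r, sections) for r in (funcs, names, ords)]
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
        idx = struct.unpack_from("<H", pe, ords + 2 * i)[0]   # index into AddressOfFunctions
        if idx < n_funcs:
            off = rva_to_offset(name_rva, sections)
            name = pe[off:pe.index(b"\0", off)].decode("ascii", "replace")
            exports[name] = struct.unpack_from("<I", pe, funcs + 4 * idx)[0]
    return exports

def find_reflective_loader(blob: bytes):
    """Return (export_name, rva, offset_in_blob) of the loader export, or None."""
    base = find_pe_offset(blob)
    if base < 0:
        return None
    pe = blob[base:]
    sections = parse_headers(pe)[2]
    for name, rva in list_exports(pe).items():
        if "ReflectiveLoader" in name:   # also matches decorated x86 names like _ReflectiveLoader@4
            return name, rva, base + rva_to_offset(rva, sections)
    return None

def build_sample_dll() -> bytes:
    """Constructed input: minimal PE32+ DLL exporting DllCanUnloadNow and ReflectiveLoader.
    Only header fields the parser reads are filled; .text is int3 padding, never real code."""
    text_va, text_raw, rdata_va, rdata_raw, align = 0x1000, 0x200, 0x2000, 0x400, 0x200
    names, func_rvas = [b"DllCanUnloadNow", b"ReflectiveLoader"], [text_va, text_va + 0x40]
    funcs_rva = rdata_va + 40                       # export directory is 40 bytes
    names_rva, ords_rva = funcs_rva + 8, funcs_rva + 16
    str_rva = ords_rva + 4
    strings, name_rvas = bytearray(b"sample.dll\0"), []
    for n in names:
        name_rvas.append(str_rva + len(strings))
        strings += n + b"\0"
    rdata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, 2, 2, funcs_rva, names_rva, ords_rva)
    rdata += struct.pack("<2I2I2H", *func_rvas, *name_rvas, 0, 1) + bytes(strings)
    dos = bytearray(0x40)
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)     # x64, 2 sections, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 112, rdata_va, len(rdata))                # export data directory
    def section(name, va, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, align, va, align, raw_ptr, 0, 0, 0, 0, flags)
    image = bytearray(rdata_raw + align)
    headers = (bytes(dos) + NT_SIGNATURE + file_hdr + bytes(opt)
               + section(b".text", text_va, text_raw, 0x60000020)
               + section(b".rdata", rdata_va, rdata_raw, 0x40000040))
    image[:len(headers)] = headers
    image[text_raw:text_raw + align] = b"\xCC" * align
    image[rdata_raw:rdata_raw + len(rdata)] = rdata
    return bytes(image)

# Constructed artifact: a stand-in bootstrap stub followed by the DLL. Real raw stageless
# artifacts instead patch bootstrap instructions into the DOS header itself.
BOOTSTRAP_STUB = b"\x90" * 16
SAMPLE_BLOB = BOOTSTRAP_STUB + build_sample_dll()

if __name__ == "__main__":
    name, rva, off = find_reflective_loader(SAMPLE_BLOB)
    print(f"{name}: rva {rva:#x}, file offset {off:#x} in blob")
```

Two design points matter for triage. The RVA-to-offset translation uses only the section table, which is exactly the position a bootstrap stub is in: the file is on disk or in a buffer, nothing has been mapped, so the jump target must be a raw file offset. And the export-name match is a substring match because 32-bit builds decorate the name (_ReflectiveLoader@4); a rule that looks for the exact string misses them.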
Possible Aliases / Cluster overlaps
Vendor naming and cluster overlaps are hard to track, so the names below are ones that may refer to the same activity in other profiles. Neither entry here is a true alias: pythonw.exe and python310.dll are legitimate components of a Python 3.10 distribution, and their listing reflects a trojanized Python install used to run malicious code on Windows in reports linked to Cobalt Strike activity. Treat them as loader artifacts to hunt for, not as names for Cobalt Strike.

pythonw.exe (2 votes): a trojanized copy of the Python windowed interpreter, identified executing malicious code on Windows systems. It arrives through malicious downloads, emails or websites without the user's knowledge and can be used to steal personal information.

python310.dll (2 votes): a trojanized copy of the Python 3.10 runtime library, installed alongside the interpreter above. Persistence is established through a Run key named "Python" whose value is "C:\Users\Public\Music\python\pythonw.exe"; that path under a world-writable Public folder is itself a useful hunting indicator.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Beacon
Ransomware
Exploit
Lateral Move...
Payload
Loader
Exploitation
Phishing
Backdoor
Implant
Windows
Clop
RAT
Trojan
Encryption
Vulnerability
Proxy
Reconnaissance
Russian
Microsoft
Linux
APT
Tool
State Sponso...
T1018 (ATT&CK: Remote System Discovery)
Encrypt
macOS
Shellcode
CISA
FBI
Remote Code ...
Microsoft’s
Health
Chinese
Sophos
Fortra
Botnet
GitHub
Infostealer
Decoy
Russia
Ransomware P...
Malware Loader
VPN
RMM
Evasive
HTML
Exploits
Associated Malware
The association type is unspecified for every entry below; vote counts are given in parentheses. Several descriptions were truncated in the source and end with "...".

IcedID (9): IcedID is a modular banking trojan turned loader that has been observed alongside Qakbot, BazarLoader, Cobalt Strike, Conti, Gozi, Trickbot, Quantum, Emotet and Pikabot. The IcedID IntBot Loader (int-bot.dll) is...

Brute Ratel (8): Brute Ratel C4 is a commercial red-team C2 framework that, like Cobalt Strike, has been adopted by threat actors. It is typically delivered through malicious downloads, emails or websites and can enter a system without the user's knowledge. Once inside, Brute Ratel can...

LockBit (6): LockBit is a ransomware-as-a-service operation responsible for significant attacks around the world. One of its highest-profile targets was Boeing, from which the LockBit gang claimed to have stolen data. This incident not only disrupted...

Batloader (6): BATLOADER is a downloader that poses as installers or updates for legitimate applications such as Microsoft Teams and Zoom, arriving through malicious downloads, emails or websites, often unnoticed by the user. Once inside, it can steal personal...

QakBot (6): Qakbot is a modular banking trojan and loader that infiltrates systems through malicious downloads, emails or websites. Once installed it can steal personal information, disrupt operations, or stage follow-on payloads that hold data for ransom. This malware, built by various groups including...

Conti (5): Conti is ransomware that infiltrates systems to steal data and disrupt operations. It spreads through malicious downloads, emails or websites and, once inside, holds data hostage for ransom. The Conti ransomware...

PlugX (5): PlugX is a Remote Access Trojan (RAT) known for stealthy operation and long used by Chinese-nexus actors for remote control, information theft and follow-on deployment. Its deployment has been linked to...

Domino (4): Domino is a backdoor family reported by IBM Security X-Force in 2023 and linked to former Conti and FIN7 operators. Despite the name it has nothing to do with the IBM/HCL Domino server product. See also the Domino Backdoor entry below.

Qbot (4): Qbot, also known as Qakbot or Pinkslipbot (the same family as the Qakbot entry above), is a modular information stealer that first emerged in 2007 as a banking trojan. It has evolved into an advanced strain used by multiple cybercriminal groups to prepare compromised networks for ransomware deployment.

Truebot (4): Truebot is a downloader used by the CL0P actors, delivered through malicious downloads, emails or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can...

Black Basta (4): Black Basta is a ransomware operation, also tracked as Storm-0506, active since at least early 2022 and estimated to have accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit...

SystemBC (3): SystemBC is a SOCKS5 proxy bot heavily used in intrusions alongside other malware. It was observed with Quicksand and Black Basta in 2023, during attacks attributed to a team deploying Black Basta, and the Play ransomware group also used SystemBC as part of...

Vidar (3): Vidar is an infostealer that primarily targets Windows. It is written in C++ and derived from the Arkei stealer, and sits in the same landscape as Emotet, IcedID, Cobalt Strike, SVCReady, CargoBay, Pushdo, Minodo...

REvil (3): REvil (Sodinokibi) is ransomware operated under the Ransomware-as-a-Service (RaaS) model. That model grew markedly in 2020, establishing relationships between first-stage malware and the subsequent ransomware...

Domino Backdoor (3): The Domino Backdoor has been linked to multiple threat groups, which illustrates how hard it is to track these actors and their operations. It can steal personal information, disrupt operations, or hold...

Emotet (3): Emotet is a long-running loader botnet that has repeatedly reemerged as a significant threat. It infects systems through malicious emails, downloads or websites and stages further payloads that steal information, disrupt operations or hold data for ransom.

Bumblebee (3): Bumblebee is a loader linked to ITG23 (IBM's name for the Trickbot/Conti group), whose crypters have been used with Emotet, IcedID, Qakbot, Bumblebee and Gozi. Distributed via phishing campaigns or compromised websites, it enables the delivery and execution of further payloads. The same...

ShadowPad (3): ShadowPad is a modular backdoor in use since at least 2017, primarily by Chinese threat actors, for stealthy long-term access and data theft. It typically...

Carbanak (3): Carbanak is the backdoor associated with the cybercrime collective FIN7, also tracked as Carbon Spider, Cobalt Group and Navigator Group. The group, active since 2012 and of Russian origin, has focused particularly on the restaurant, gambling and...

Meterpreter (3): Meterpreter is the Metasploit framework's in-memory payload. It provides an interactive shell through which operators, and attackers who adopt the tool, execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a...

FlawedGrace (3): FlawedGrace is a remote access trojan (RAT) long associated with TA505. In June 2023 The DFIR Report described its use in Truebot operations, where, following the successful download of a malicious file, Truebot...

njRAT (3): njRAT is a remote-access trojan in use since 2013, deployed in both criminal and targeted attacks. It infiltrates systems through malicious downloads, emails or websites, and once inside it can steal personal information, disrupt...

Lizar (2): Lizar, also known as Tirion or Diceloader, is a toolkit developed by ITG14 (FIN7). It infiltrates systems through malicious downloads, emails or websites and, once installed, can steal personal information, disrupt operations...

IceFire (2): IceFire is ransomware that initially targeted Windows and has since expanded to Linux, making it part of the growing Linux ransomware family. The shift by IceFire to Linux systems worldwide...

BazarLoader (2): BazarLoader is a loader used extensively by ITG23. It arrives through malicious downloads, emails or websites and can steal personal information, disrupt operations, or stage payloads that hold data for ransom. ITG23 has used B...

NativeZone (2): NativeZone is Microsoft's name for a custom Cobalt Strike Beacon loader, typically loaded and executed through rundll32.exe to deliver follow-on payloads. It uses DLL files such as Document.dll and NativeCacheSvc.dll and...

RedLine (2): RedLine is an infostealer distributed through malicious downloads, emails or websites, often unnoticed by the user. Once inside it can steal credentials and personal information, disrupt operations, or deliver further...

DroxiDat (2): DroxiDat is a variant of SystemBC that was deployed in a series of attacks on critical-infrastructure targets in Africa during the third and fourth weeks of March 2023. Acting as a system profiler and simple SOCKS5-capable bot, it was detected at an electric utility...

Diceloader (2): Diceloader (see the Lizar entry above, where it appears as an alias) is a loader that infects systems through malicious downloads, emails or websites, often without the user's knowledge. Once inside, it can steal personal...
Associated Threat Actors
The association type is unspecified for every entry below; vote counts are given in parentheses. Several descriptions were truncated in the source and end with "...".

FIN7 (4): FIN7, also known as Carbanak, Carbon Spider, Cobalt Group and Navigator Group, is a cybercrime group active since 2012, recognized for combining custom malware with social engineering and for numerous successful attacks against global...

Ursnif/Gozi (3): Ursnif/Gozi is a malware family rather than a threat actor; it appears here because the operators behind it use penetration-testing tools such as Cobalt Strike together with Ursnif/Gozi derivatives to aggregate and exfiltrate data from victim networks...

Winnti (3): Winnti is a Chinese cyber-espionage umbrella first described by Kaspersky in 2013 and believed active since at least 2007, known for compromising software supply chains to spread malware. Winnti is part of the A...

Lace Tempest (3): Lace Tempest, Microsoft's name for the Cl0p/TA505 affiliate, was identified as the actor exploiting a zero-day vulnerability in SysAid. The exploitation was first disclosed by SysAid and further detailed in a blog post on TuxCare. Thi...

TA505 (3): TA505, also known as the Cl0p ransomware gang and Lace Tempest, is a highly active cybercriminal group associated with numerous high-profile attacks and a multi-vector approach to its operations. In June 2023, the U.S. Cybersecurity...

Cobalt Group (2): The Cobalt Group is a financially motivated cybercrime actor. According to TechRadar, this group and the Russian state-sponsored APT28 together accounted for almost half of the cybersecurity incidents recorded in 2023. The Cobalt Group's modus o...

Bl00dy (2): Bl00dy and Black Basta have been identified exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i...

RedGolf (2): RedGolf is a Chinese state-sponsored group that has targeted Windows and Linux systems with the KEYPLUG backdoor. Its activity closely overlaps with APT41, Wicked Panda, Bronze Atlas and Barium. The first known use of the...

FIN6 (2): FIN6, also known as ITG08, Skeleton Spider and (through its web-skimming activity) Magecart, initially gained notoriety for stealing payment cards from point-of-sale (POS) systems in retail and hospitality establishments, notably cau...

Cl0p (2): Cl0p was the most-used ransomware in March 2023, dethroning LockBit. The group has exploited zero-day vulnerabilities in the past, although such attacks remain relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at...

Rhysida (2): Rhysida is a ransomware operation active since May 2023 and responsible for numerous high-profile double-extortion attacks. Its activity overlaps with Vice Society, which had earlier deployed BlackCat, HelloKitty, Quantum Locker and Zeppelin before adopting Rhysida as its own program.

RedHotel (2): RedHotel is a prolific espionage group targeting organizations of interest to the Chinese government, active since at least 2019 and operating alongside RedAlpha and Poison Carp. Researchers at Recorded Future have...
Associated Vulnerabilities
CVE-2021-40444 (2 votes; association type unspecified): a remote code execution vulnerability in Microsoft's MSHTML engine, exploited in 2021 through malicious Office documents. Microsoft's analysis of the exploitation campaign found it delivering Cobalt Strike Beacon loaders, which is why a CVE-2021-40444 detection should be followed by a hunt for Beacon.
Source Document References
Information about the Cobalt Strike tool was read from the documents below (display limited to 20 results; source and relative date at time of capture):
Trend Micro (2 years ago)
Securityaffairs (a year ago)
CSO Online (2 years ago)
Trend Micro (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
Malwarebytes (a year ago)
Securityaffairs (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)