Cobaltstrike

Malware updated 23 days ago (2024-11-29T13:33:14.809Z)
Download STIX
Preview STIX
CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunction with various other malware such as IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. It operates by launching backdoor components, providing unauthorized remote access to the infected system. In recent years, there have been significant developments involving CobaltStrike. The threat group Earth Baku added two new loaders, CobaltStrike and SneakCross (also known as MoonWalk), to its arsenal. These loaders were used to launch backdoor components, further enhancing the group's cyber-attack capabilities. Additionally, infected versions of text editors VNote and Notepad were discovered containing a CobaltStrike agent loader, demonstrating the malware's ability to infiltrate and compromise commonly used applications. The CobaltStrike malware has also been linked to Linux and macOS-targeted apps carrying backdoors for unauthorized remote access, resembling the Geacon project. This similarity suggests that CobaltStrike may share common features or origins with the open-source implementation of the Geacon agent written in Go. In a notable incident involving the banking Trojan IcedID, a variant infection was identified with BackConnect, Anubis VNC, CobaltStrike, and ConnectWise ScreenConnect. After initial infection, "hands on the keyboard" activity was detected approximately 95 minutes later, indicating rapid escalation and exploitation following infiltration.
Description last updated: 2024-08-14T21:15:42.511Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Nokoyawa is a possible alias for Cobaltstrike. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri
3
IcedID is a possible alias for Cobaltstrike. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Beacon
Malware
Ransomware
Exploit
Trojan
Backdoor
Loader
Lateral Move...
Windows
Reconnaissance
Payload
Sysaid
Linux
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Gootloader Malware is associated with Cobaltstrike. Gootloader is a potent malware, often used as an infostealer or deployed prior to ransomware attacks. It's known for its unique approach of Search Engine Optimization (SEO) poisoning, where victims are deceived into clicking on malicious links disguised as legitimate resources. A significant campaigUnspecified
3
The Droxidat Malware is associated with Cobaltstrike. DroxiDat, a new variant of the SystemBC malware, was deployed in a series of attacks on critical infrastructure targets in Africa during the third and fourth weeks of March. The malware, which acts as a system profiler and simple SOCKS5-capable bot, was specifically detected at an electric utility cUnspecified
2
The Emotet Malware is associated with Cobaltstrike. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, Unspecified
2
The TrickBot Malware is associated with Cobaltstrike. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
2
The QakBot Malware is associated with Cobaltstrike. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt opeUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Earth Baku Threat Actor is associated with Cobaltstrike. Earth Baku, a threat actor linked to the China-associated APT group APT41, has emerged as a significant cybersecurity threat with operations extending beyond the Indo-Pacific region. Since late 2022, Earth Baku has expanded its malicious activities into Europe, the Middle East, and Africa. The groupUnspecified
2
Source Document References
Information about the Cobaltstrike Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
4 months ago
Trend Micro
4 months ago
SANS ISC
7 months ago
Securelist
7 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
Securelist
9 months ago
Unit42
a year ago
CERT-EU
a year ago
MITRE
a year ago
BankInfoSecurity
a year ago
Checkpoint
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Yori
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago