UNC2452 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC2452 (Back to overview)

aka: DarkHalo, StellarParticle, NOBELIUM, Solar Phoenix

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.

Associated Families

win.ceeloader win.raindrop win.sunburst win.teardrop win.goldmax win.cobalt_strike

References

2023-11-19 ⋅ Twitter (@embee_research) ⋅ Embee_research
Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike
Amadey Cobalt Strike RedLine Stealer SmokeLoader

2023-11-10 ⋅ NSFOCUS ⋅ NSFOCUS
The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Cobalt Strike Konni

2023-11-07 ⋅ SOCRadar ⋅ SOCRadar
New Gootloader Variant “GootBot” Changes the Game in Malware Tactics
GootLoader Cobalt Strike

2023-11-06 ⋅ Twitter (@embee_research) ⋅ Embee_research
Unpacking Malware With Hardware Breakpoints - Cobalt Strike
Cobalt Strike

2023-11-01 ⋅ nccgroup ⋅ Mick Koomen
Popping Blisters for research: An overview of past payloads and exploring recent developments
Blister Cobalt Strike

2023-10-23 ⋅ Twitter (@embee_research) ⋅ Embee_research
Cobalt Strike .VBS Loader - Decoding with Advanced CyberChef and Emulation
Cobalt Strike

2023-10-20 ⋅ Twitter (@embee_research) ⋅ Embee_research
Decoding a Cobalt Strike .hta Loader Using CyberChef and Emulation
Cobalt Strike

2023-10-18 ⋅ Twitter (@embee_research) ⋅ Embee_research
Ghidra Tutorial - Using Entropy To Locate a Cobalt Strike Decryption Function
Cobalt Strike

2023-10-12 ⋅ Netresec ⋅ Erik Hjelmvik
Forensic Timeline of an IcedID Infection
Cobalt Strike IcedID IcedID Downloader

2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar

2023-10-10 ⋅ Symantec ⋅ Threat Hunter Team
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan
Cobalt Strike Havoc MimiKatz Grayling

2023-10-03 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike
Cobalt Strike Pikabot

2023-09-22 ⋅ Mandiant ⋅ Luke Jenkins, Josh Atkins, Dan Black
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)

2023-09-12 ⋅ ANSSI ⋅ ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC

2023-08-28 ⋅ The DFIR Report ⋅ The DFIR Report
HTML Smuggling Leads to Domain Wide Ransomware
Cobalt Strike IcedID Nokoyawa Ransomware

2023-08-18 ⋅ d01a ⋅ Mohamed Adel
Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation
Cobalt Strike

2023-08-18 ⋅ TEAMT5 ⋅ Still Hsu, Zih-Cing Liao
Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia
CatB Cobalt Strike DoorMe GIMMICK

2023-08-17 ⋅ SentinelOne ⋅ Aleksandar Milenkoski, Tom Hegel
Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector
Cobalt Strike HUI Loader

2023-08-07 ⋅ Recorded Future ⋅ Insikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca

2023-07-29 ⋅ Google ⋅ Google Cybersecurity Action Team
Threat Horizons August 2023 Threat Horizons Report
SharkBot Cobalt Strike

2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee

2023-07-07 ⋅ Lab52 ⋅ Lab52
Beyond appearances: unknown actor using APT29’s TTP against Chinese users
Cobalt Strike

2023-06-30 ⋅ K7 Security ⋅ Dhanush
Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass
Cobalt Strike

2023-06-15 ⋅ eSentire ⋅ RussianPanda
eSentire Threat Intelligence Malware Analysis: Resident Campaign
Cobalt Strike Rhadamanthys

2023-06-08 ⋅ VMRay ⋅ Patrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver

2023-06-08 ⋅ Twitter (@embee_research) ⋅ Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker

2023-05-19 ⋅ YouTube (NorthSec) ⋅ Ivan Kwiatkowski
Go reverse-engineering workshop
GoldMax

2023-05-11 ⋅ cocomelonc ⋅ cocomelonc
Malware development trick - part 28: Dump lsass.exe. Simple C++ example.
Cobalt Strike APT3 Keylogger

2023-04-24 ⋅ Kaspersky Labs ⋅ Pierre Delcher, Ivan Kwiatkowski
Tomiris called, they want their Turla malware back
KopiLuwak Andromeda Ave Maria GoldMax JLORAT Kazuar Meterpreter QUIETCANARY RATel Roopy Telemiris tomiris Topinambour

2023-04-20 ⋅ Github (dodo-sec) ⋅ dodo-sec
An analysis of syscall usage in Cobalt Strike Beacons
Cobalt Strike

2023-04-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Bumblebee Malware Distributed Via Trojanized Installer Downloads
BumbleBee Cobalt Strike

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-04-13 ⋅ CERT.PL ⋅ CERT.PL
CERT Polska and SKW warn against the activities of Russian spies
BOOMBOX EnvyScout SUNBURST

2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar

2023-04-03 ⋅ The DFIR Report ⋅ The DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker

2023-03-30 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar

2023-03-30 ⋅ Recorded Future ⋅ Insikt Group
With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets
KEYPLUG Cobalt Strike PlugX

2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Microsoft, Fortra, HEALTH-ISAC
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader

2023-03-28 ⋅ ExaTrack ⋅ ExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY

2023-03-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia

2023-03-01 ⋅ Zscaler ⋅ Meghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer

2023-02-23 ⋅ Bitdefender ⋅ Martin Zugec, Bitdefender Team
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel

2023-02-22 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia
Cobalt Strike

2023-02-14 ⋅ Cybereason ⋅ Cybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC

2023-02-13 ⋅ Kroll ⋅ Laurie Iacono, Stephen Green
Royal Ransomware Deep Dive
Cobalt Strike Royal Ransom

2023-02-13 ⋅ AhnLab ⋅ kingkimgim
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Godzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz

2023-02-08 ⋅ Trend Micro ⋅ Ted Lee
Earth Zhulong: Familiar Patterns Target Southeast Asian Firms
Cobalt Strike MACAMAX

2023-02-03 ⋅ Mandiant ⋅ Kimberly Goody, Genevieve Stark
Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike

2023-02-02 ⋅ Kroll ⋅ Stephen Green, Elio Biasiotto
Hive Ransomware Technical Analysis and Initial Access Discovery
BATLOADER Cobalt Strike Hive

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2023-01-24 ⋅ Fortinet ⋅ Geri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar

2023-01-23 ⋅ Kroll ⋅ Stephen Green, Elio Biasiotto
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC

2023-01-16 ⋅ Intrinsec ⋅ Intrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC

2023-01-05 ⋅ Symantec ⋅ Threat Hunter Team
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
CloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT

2022-12-15 ⋅ Mandiant ⋅ Mandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY

2022-12-08 ⋅ Cisco Talos ⋅ Tiago Pereira
Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport

2022-12-06 ⋅ EuRepoC ⋅ Kerstin Zettl-Schabath, Lena Rottinger, Camille Borrett
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER

2022-12-02 ⋅ Palo Alto Networks Unit 42 ⋅ Dominik Reichel, Esmid Idrizovic, Bob Jung
Blowing Cobalt Strike Out of the Water With Memory Analysis
Cobalt Strike

2022-11-29 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock
Suspected Russian Activity Targeting Government and Business Entities Around the Globe
CEELOADER

2022-11-03 ⋅ Github (chronicle) ⋅ Chronicle
GCTI Open Source Detection Signatures
Cobalt Strike Sliver

2022-11-03 ⋅ Group-IB ⋅ Rustam Mirkasymov
Financially motivated, dangerously activated: OPERA1ER APT in Africa
Cobalt Strike Common Raven

2022-11-03 ⋅ paloalto Netoworks: Unit42 ⋅ Durgesh Sangvikar, Chris Navarrete, Matthew Tennis, Yanhui Jia, Yu Fu, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
Cobalt Strike

2022-10-31 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot

2022-10-13 ⋅ Microsoft ⋅ MSRC Team, Microsoft Threat Hunting
Hunting for Cobalt Strike: Mining and plotting for fun and profit
Cobalt Strike

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-10-12 ⋅ Trend Micro ⋅ Ian Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot

2022-10-03 ⋅ Check Point ⋅ Marc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar

2022-10-03 ⋅ Trend Micro ⋅ Joseph Chen, Jaromír Hořejší
Water Labbu Abuses Malicious DApps to Steal Cryptocurrency
Cobalt Strike

2022-09-26 ⋅ The DFIR Report ⋅ The DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter

2022-09-25 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya
Cobalt Strike Shellcode Loader With Rust (YouTube)
Cobalt Strike

2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot

2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet

2022-09-10 ⋅ cocomelonc
Malware development: persistence - part 10. Using Image File Execution Options. Simple C++ example.
SUNBURST

2022-09-07 ⋅ cyble ⋅ Cyble
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike

2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID

2022-09-06 ⋅ INCIBE-CERT ⋅ INCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage

2022-09-06 ⋅ cocomelonc ⋅ cocomelonc
Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni

2022-09-06 ⋅ CISA ⋅ US-CERT, FBI, CISA, MS-ISAC
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-09-06 ⋅ Didier Stevens ⋅ Didier Stevens
An Obfuscated Beacon – Extra XOR Layer
Cobalt Strike

2022-09-01 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ SentinelOne ⋅ Jim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky Cobalt Strike JuicyPotato

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-08-19 ⋅ nccgroup ⋅ Ross Inman
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-08-18 ⋅ NSFOCUS ⋅ NSFOCUS
New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy
Cobalt Strike

2022-08-18 ⋅ Group-IB ⋅ Nikita Rostovtsev
APT41 World Tour 2021 on a tight schedule
Cobalt Strike

2022-08-18 ⋅ Sophos ⋅ Sean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT

2022-08-17 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike

2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer

2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID

2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames
The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit

2022-08-11 ⋅ Malcat ⋅ malcat team
LNK forensic and config extraction of a cobalt strike beacon
Cobalt Strike

2022-08-10 ⋅ Weixin ⋅ Red Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike

2022-08-08 ⋅ The DFIR Report ⋅ The DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike

2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit

2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka

2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker

2022-07-30 ⋅ cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-28 ⋅ SentinelOne ⋅ Júlio Dantas, James Haughom, Julien Reisdorffer
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit

2022-07-27 ⋅ cyble ⋅ Cyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot

2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz

2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt

2022-07-22 ⋅ Binary Ninja ⋅ Xusheng Li
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
Cobalt Strike

2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike

2022-07-20 ⋅ U.S. Cyber Command ⋅ Cyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor

2022-07-20 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy, Marley Smith
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion
Cobalt Strike

2022-07-20 ⋅ Mandiant ⋅ Mandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor

2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Cobalt Strike EnvyScout Gdrive

2022-07-18 ⋅ Censys ⋅ Censys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Solar Phoenix
SUNBURST TEARDROP UNC2452

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus

2022-07-13 ⋅ Malwarebytes Labs ⋅ Roberto Santos, Hossein Jazi
Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
Cobalt Strike

2022-07-13 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike

2022-07-11 ⋅ Cert-UA ⋅ Cert-UA
UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)
Cobalt Strike

2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet

2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter

2022-07-06 ⋅ Cert-UA ⋅ Cert-UA
UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)
Cobalt Strike

2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
ZuoRAT Cobalt Strike

2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad

2022-06-26 ⋅ BushidoToken
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Cobalt Strike CredoMap EnvyScout

2022-06-23 ⋅ cyble ⋅ Cyble Research Labs
Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus

2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster

2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-06-20 ⋅ Cert-UA ⋅ Cert-UA
UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)
Cobalt Strike

2022-06-18 ⋅ R136a1 ⋅ Dominik Reichel
Using dotnetfile to get a Sunburst timeline for intelligence gathering
SUNBURST

2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus

2022-06-07 ⋅ cyble ⋅ Cyble
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike

2022-06-07 ⋅ AdvIntel ⋅ Vitali Kremez, Marley Smith, Yelisey Boguslavskiy
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike

2022-06-06 ⋅ Trellix ⋅ Trelix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65

2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] CobaltStrike SMB Beacon Analysis
Cobalt Strike

2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz

2022-06-02 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC

2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT

2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot

2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC

2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel
Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus

2022-05-20 ⋅ AhnLab ⋅ ASEC
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide

2022-05-20 ⋅ sonatype ⋅ Ax Sharma
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Cobalt Strike

2022-05-20 ⋅ Cybleinc ⋅ Cyble
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon
Cobalt Strike

2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike

2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti WIZARD SPIDER

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike

2022-05-12 ⋅ Intel 471 ⋅ Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver

2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu

2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike

2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader

2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi
Operation RestyLink: Targeted attack campaign targeting Japanese companies
Cobalt Strike

2022-05-10 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
A Malware Analysis in RU-AU conflict
Cobalt Strike

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit

2022-05-09 ⋅ TEAMT5 ⋅ TeamT5
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services
Cobalt Strike

2022-05-09 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-05-08 ⋅ IronNet ⋅ Michael Leardi, Joey Fitzpatrick, Brent Eskridge
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine
Cobalt Strike

2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike

2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit

2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan
This New Fileless Malware Hides Shellcode in Windows Event Logs
Cobalt Strike

2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX Unidentified 094

2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader

2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo
A new secret stash for “fileless” malware
Cobalt Strike

2022-05-03 ⋅ Recorded Future ⋅ Insikt Group
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike

2022-05-03 ⋅ Cluster25 ⋅ Cluster25
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie

2022-05-03 ⋅ Recorded Future ⋅ Insikt Group®
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike EnvyScout

2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive

2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi
Attack Campaigns that Exploit Shortcuts and ISO Files
Cobalt Strike

2022-04-28 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Cobalt Strike

2022-04-28 ⋅ PWC ⋅ PWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen

2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit BRONZE STARLIGHT

2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit

2022-04-27 ⋅ Mandiant ⋅ Mandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-27 ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT

2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader

2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
Quantum Ransomware
Cobalt Strike IcedID

2022-04-21 ⋅ ZeroSec ⋅ Andy Gill
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6
Cobalt Strike

2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz

2022-04-19 ⋅ Blake's R&D ⋅ bmcder02
Extracting Cobalt Strike from Windows Error Reporting
Cobalt Strike

2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Cobalt Strike

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive

2022-04-18 ⋅ SentinelOne ⋅ James Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza

2022-04-14 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike

2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka
ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader

2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader

2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz

2022-04-07 ⋅ InQuest ⋅ Will MacArthur, Nick Chalard
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate

2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz

2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya
Karakurt Hacking Team Indicators of Compromise (IOC)
Cobalt Strike

2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite

2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot

2022-03-31 ⋅ SC Media ⋅ SC Staff
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive

2022-03-30 ⋅ Prevailion ⋅ Prevailion
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet

2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas
Phishing campaign targets Russian govt dissidents with Cobalt Strike
Unidentified PS 002 (RAT) Cobalt Strike

2022-03-29 ⋅ SentinelOne ⋅ James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive

2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi
New spear phishing campaign targets Russian dissidents
Unidentified PS 002 (RAT) Cobalt Strike

2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
CobaltStrike UUID stager
Cobalt Strike

2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu
Mining data from Cobalt Strike beacons
Cobalt Strike

2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-22 ⋅ Red Canary ⋅ Red Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT

2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens
Cobalt Strike: Overview – Part 7
Cobalt Strike

2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ paloalto Netoworks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
Cobalt Strike

2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear

2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti

2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas
Fake antivirus updates used to deploy Cobalt Strike in Ukraine
Cobalt Strike

2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa
Analyzing Malware with Hooks, Stomps, and Return-addresses
Cobalt Strike

2022-03-11 ⋅ Cert-UA
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)
Cobalt Strike

2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot

2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot

2022-03-08 ⋅ Mandiant ⋅ Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY

2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report
2021 Year In Review
Cobalt Strike

2022-03-04 ⋅ Telsy ⋅ Telsy
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government
Cobalt Strike

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate

2022-03 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez
Nobelium Returns to the Political World Stage
Cobalt Strike

2022-02-24 ⋅ Cynet ⋅ Max Malyutin
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet

2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy

2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti

2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach
What the Pack(er)?
Cobalt Strike Emotet

2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader

2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck

2022-02-21 ⋅ ASEC
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck

2022-02-21 ⋅ The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot

2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress
Detecting Cobalt Strike Beacons
Cobalt Strike

2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
Cobalt Strike

2022-02-16 ⋅ Security Onion ⋅ Doug Burks
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet

2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-02-09 ⋅ vmware ⋅ VMWare
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike

2022-01-31 ⋅ CyberArk ⋅ Arash Parsa
Analyzing Malware with Hooks, Stomps and Return-addresses
Cobalt Strike

2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk
Cobalt Strike

2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster

2022-01-27 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
GoldMax

2022-01-26 ⋅ Blackberry ⋅ Ryan Gibson, Codi Starks, Will Ikard
Log4U, Shell4Me
Cobalt Strike

2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky

2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike

2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike

2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike

2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca

2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike

2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)
Cobalt Strike

2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky

2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader

2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike

2022-01-06 ⋅ Sekoia ⋅ sekoia
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout

2022 ⋅ Silent Push ⋅ Silent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti

2021-12-29 ⋅ Palo Alto Networks Unit 42 ⋅ Zhanhao Chen, Daiping Liu, Wanjin Li, Jielong Xu
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
Chrysaor SUNBURST

2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike

2021-12-29 ⋅ Blake's R&D ⋅ Blake
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike

2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike

2021-12-22 ⋅ Telsy ⋅ Telsy Research Team
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike

2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle

2021-12-16 ⋅ TEAMT5 ⋅ Charles Li, Aragorn Tseng, Peter Syu, Tom Lai
Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder

2021-12-10 ⋅ Accenture ⋅ Accenture
Karakurt rises from its lair
Cobalt Strike

2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet

2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot

2021-12-06 ⋅ CERT-FR ⋅ CERT-FR
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike

2021-12-02 ⋅ CERT-FR ⋅ CERT-FR
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike

2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands

2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike ROLLCOAST

2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti

2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle

2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT

2021-11-17 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike

2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery
DNS Over HTTPS for Cobalt Strike
Cobalt Strike

2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot

2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike

2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
Finding Beacons in the dark
Cobalt Strike

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-13 ⋅ Just Still ⋅ Still Hsu
Threat Spotlight - Domain Fronting
Cobalt Strike

2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike

2021-11-11 ⋅ Cynet ⋅ Max Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot

2021-11-10 ⋅ AT&T ⋅ Josh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti

2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike

2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti

2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-11-03 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike

2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens
New Tool: cs-extract-key.py
Cobalt Strike

2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme
Cobalt Strike Process Injection
Cobalt Strike

2021-11-02 ⋅ Intel 471 ⋅ Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti

2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti

2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor

2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz

2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-27 ⋅ Kaspersky ⋅ Ivan Kwiatkowski
Extracting type information from Go binaries
GoldMax

2021-10-27 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti

2021-10-21 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike

2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet

2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike

2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)

2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
Cobalt Strike

2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle

2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle

2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot

2021-10-06 ⋅ Blackberry ⋅ Blackberry Research
Finding Beacons in the Dark
Cobalt Strike

2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT

2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike

2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti

2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle

2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike

2021-09-30 ⋅ PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti

2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-27 ⋅ Cynet ⋅ Max Malyutin
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle

2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile

2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz

2021-09-22 ⋅ CISA ⋅ US-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti

2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle

2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike

2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team
Scanning VirusTotal's firehose
Cobalt Strike

2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring

2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike

2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike

2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin
Pointer: Hunting Cobalt Strike globally
Cobalt Strike

2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot

2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk

2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike

2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®
Full-Spectrum Cobalt Strike Detection
Cobalt Strike

2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti

2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
Cobalt Strike

2021-09-10 ⋅ Gigamon ⋅ Joe Slowik
Rendering Threats: A Network Perspective
BumbleBee Cobalt Strike

2021-09-09 ⋅ Trend Micro ⋅ Trend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
BumbleBee Cobalt Strike

2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa
Hook Heaps and Live Free
Cobalt Strike

2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike

2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti

2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, GaborSzappanos
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike

2021-09-02 ⋅ Bleeping Computer ⋅