UNC2452 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC2452 (Back to overview)

aka: DarkHalo, StellarParticle, NOBELIUM, Solar Phoenix

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.

Associated Families

win.goldmax win.raindrop win.sunburst win.teardrop win.cobalt_strike

References

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2023-01-24 ⋅ Fortinet ⋅ Geri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar

2022-12-15 ⋅ Mandiant ⋅ Mandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY

2022-12-08 ⋅ Cisco Talos ⋅ Tiago Pereira
Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport

2022-12-02 ⋅ Palo Alto Networks Unit 42 ⋅ Dominik Reichel, Esmid Idrizovic, Bob Jung
Blowing Cobalt Strike Out of the Water With Memory Analysis
Cobalt Strike

2022-11-03 ⋅ Github (chronicle) ⋅ Chronicle
GCTI Open Source Detection Signatures
Cobalt Strike Sliver

2022-11-03 ⋅ Group-IB ⋅ Rustam Mirkasymov
Financially motivated, dangerously activated: OPERA1ER APT in Africa
Cobalt Strike

2022-11-03 ⋅ paloalto Netoworks: Unit42 ⋅ Durgesh Sangvikar, Chris Navarrete, Matthew Tennis, Yanhui Jia, Yu Fu, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
Cobalt Strike

2022-10-31 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-10-03 ⋅ Check Point ⋅ Marc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar

2022-09-26 ⋅ The DFIR Report ⋅ The DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter

2022-09-25 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya
Cobalt Strike Shellcode Loader With Rust (YouTube)
Cobalt Strike

2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot

2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet

2022-09-10 ⋅ cocomelonc
Malware development: persistence - part 10. Using Image File Execution Options. Simple C++ example.
SUNBURST

2022-09-07 ⋅ cyble ⋅ Cyble
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike

2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID

2022-09-06 ⋅ INCIBE-CERT ⋅ INCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage

2022-09-06 ⋅ cocomelonc ⋅ cocomelonc
Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni

2022-09-06 ⋅ CISA ⋅ US-CERT, FBI, CISA, MS-ISAC
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-09-06 ⋅ Didier Stevens ⋅ Didier Stevens
An Obfuscated Beacon – Extra XOR Layer
Cobalt Strike

2022-09-01 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ SentinelOne ⋅ Jim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky Cobalt Strike JuicyPotato

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-08-19 ⋅ nccgroup ⋅ Ross Inman
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-08-18 ⋅ NSFOCUS ⋅ NSFOCUS
New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy
Cobalt Strike

2022-08-18 ⋅ Group-IB ⋅ Nikita Rostovtsev
APT41 World Tour 2021 on a tight schedule
Cobalt Strike

2022-08-18 ⋅ Sophos ⋅ Sean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT

2022-08-17 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike

2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer

2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID

2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames
The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit

2022-08-11 ⋅ Malcat ⋅ malcat team
LNK forensic and config extraction of a cobalt strike beacon
Cobalt Strike

2022-08-10 ⋅ Weixin ⋅ Red Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike

2022-08-08 ⋅ The DFIR Report ⋅ The DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike

2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit

2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka

2022-07-31 ⋅ BushidoToken Blog ⋅ BushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker

2022-07-30 ⋅ cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-28 ⋅ SentinelOne ⋅ Júlio Dantas, James Haughom, Julien Reisdorffer
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit

2022-07-27 ⋅ cyble ⋅ Cyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot

2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz

2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt

2022-07-22 ⋅ Binary Ninja ⋅ Xusheng Li
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
Cobalt Strike

2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike

2022-07-20 ⋅ U.S. Cyber Command ⋅ Cyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor

2022-07-20 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy, Marley Smith
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion
Cobalt Strike

2022-07-20 ⋅ Mandiant ⋅ Mandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor

2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Cobalt Strike EnvyScout Gdrive

2022-07-18 ⋅ Censys ⋅ Censys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Solar Phoenix
SUNBURST TEARDROP UNC2452

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus

2022-07-13 ⋅ Malwarebytes Labs ⋅ Roberto Santos, Hossein Jazi
Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
Cobalt Strike

2022-07-13 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike

2022-07-11 ⋅ Cert-UA ⋅ Cert-UA
UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)
Cobalt Strike

2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet

2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter

2022-07-06 ⋅ Cert-UA ⋅ Cert-UA
UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)
Cobalt Strike

2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
ZuoRAT Cobalt Strike

2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad

2022-06-26 ⋅ BushidoToken
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Cobalt Strike CredoMap EnvyScout

2022-06-23 ⋅ cyble ⋅ Cyble Research Labs
Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus

2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster

2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-06-20 ⋅ Cert-UA ⋅ Cert-UA
UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)
Cobalt Strike

2022-06-18 ⋅ R136a1 ⋅ Dominik Reichel
Using dotnetfile to get a Sunburst timeline for intelligence gathering
SUNBURST

2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus

2022-06-07 ⋅ cyble ⋅ Cyble
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike

2022-06-07 ⋅ AdvIntel ⋅ Vitali Kremez, Marley Smith, Yelisey Boguslavskiy
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike

2022-06-06 ⋅ Trellix ⋅ Trelix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate

2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] CobaltStrike SMB Beacon Analysis
Cobalt Strike

2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz

2022-06-02 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC

2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT

2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot

2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC

2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel
Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus

2022-05-20 ⋅ AhnLab ⋅ ASEC
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide

2022-05-20 ⋅ sonatype ⋅ Ax Sharma
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Cobalt Strike

2022-05-20 ⋅ Cybleinc ⋅ Cyble
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon
Cobalt Strike

2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike

2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike

2022-05-12 ⋅ Intel 471 ⋅ Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver

2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu

2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike

2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader

2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi
Operation RestyLink: Targeted attack campaign targeting Japanese companies
Cobalt Strike

2022-05-10 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
A Malware Analysis in RU-AU conflict
Cobalt Strike

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit

2022-05-09 ⋅ TEAMT5 ⋅ TeamT5
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services
Cobalt Strike

2022-05-09 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-05-08 ⋅ IronNet ⋅ Michael Leardi, Joey Fitzpatrick, Brent Eskridge
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine
Cobalt Strike

2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike

2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit

2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan
This New Fileless Malware Hides Shellcode in Windows Event Logs
Cobalt Strike

2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX

2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader

2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo
A new secret stash for “fileless” malware
Cobalt Strike

2022-05-03 ⋅ Recorded Future ⋅ Insikt Group
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike

2022-05-03 ⋅ Cluster25 ⋅ Cluster25
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie

2022-05-03 ⋅ Recorded Future ⋅ Insikt Group®
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike EnvyScout

2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive

2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi
Attack Campaigns that Exploit Shortcuts and ISO Files
Cobalt Strike

2022-04-28 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Cobalt Strike

2022-04-28 ⋅ PWC ⋅ PWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen

2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit BRONZE STARLIGHT

2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit

2022-04-27 ⋅ Mandiant ⋅ Mandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-27 ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT

2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader

2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
Quantum Ransomware
Cobalt Strike IcedID

2022-04-21 ⋅ ZeroSec ⋅ Andy Gill
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6
Cobalt Strike

2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz

2022-04-19 ⋅ Blake's R&D ⋅ bmcder02
Extracting Cobalt Strike from Windows Error Reporting
Cobalt Strike

2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Cobalt Strike

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive

2022-04-18 ⋅ SentinelOne ⋅ James Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza

2022-04-14 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike

2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka
ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader

2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader

2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz

2022-04-07 ⋅ InQuest ⋅ Will MacArthur, Nick Chalard
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate

2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz

2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya
Karakurt Hacking Team Indicators of Compromise (IOC)
Cobalt Strike

2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite

2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot

2022-03-31 ⋅ SC Media ⋅ SC Staff
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive

2022-03-30 ⋅ Prevailion ⋅ Prevailion
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet

2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas
Phishing campaign targets Russian govt dissidents with Cobalt Strike
Unidentified PS 002 (RAT) Cobalt Strike

2022-03-29 ⋅ SentinelOne ⋅ James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive

2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi
New spear phishing campaign targets Russian dissidents
Unidentified PS 002 (RAT) Cobalt Strike

2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
CobaltStrike UUID stager
Cobalt Strike

2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu
Mining data from Cobalt Strike beacons
Cobalt Strike

2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-22 ⋅ Red Canary ⋅ Red Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT

2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens
Cobalt Strike: Overview – Part 7
Cobalt Strike

2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ paloalto Netoworks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
Cobalt Strike

2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear

2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti

2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas
Fake antivirus updates used to deploy Cobalt Strike in Ukraine
Cobalt Strike

2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa
Analyzing Malware with Hooks, Stomps, and Return-addresses
Cobalt Strike

2022-03-11 ⋅ Cert-UA
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)
Cobalt Strike

2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot

2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot

2022-03-08 ⋅ Mandiant ⋅ Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY

2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report
2021 Year In Review
Cobalt Strike

2022-03-04 ⋅ Telsy ⋅ Telsy
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government
Cobalt Strike

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate

2022-03 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez
Nobelium Returns to the Political World Stage
Cobalt Strike

2022-02-24 ⋅ Cynet ⋅ Max Malyutin
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet

2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy

2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti

2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach
What the Pack(er)?
Cobalt Strike Emotet

2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader

2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck

2022-02-21 ⋅ ASEC
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck

2022-02-21 ⋅ The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot

2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress
Detecting Cobalt Strike Beacons
Cobalt Strike

2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
Cobalt Strike

2022-02-16 ⋅ Security Onion ⋅ Doug Burks
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet

2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-02-09 ⋅ vmware ⋅ VMWare
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike

2022-01-31 ⋅ CyberArk ⋅ Arash Parsa
Analyzing Malware with Hooks, Stomps and Return-addresses
Cobalt Strike

2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk
Cobalt Strike

2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster

2022-01-27 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
GoldMax

2022-01-26 ⋅ Blackberry ⋅ Ryan Gibson, Codi Starks, Will Ikard
Log4U, Shell4Me
Cobalt Strike

2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky

2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike

2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike

2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike

2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca

2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike

2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)
Cobalt Strike

2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky

2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader

2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike

2022-01-06 ⋅ Sekoia ⋅ sekoia
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout

2022 ⋅ Silent Push ⋅ Silent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti

2021-12-29 ⋅ Palo Alto Networks Unit 42 ⋅ Zhanhao Chen, Daiping Liu, Wanjin Li, Jielong Xu
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
Chrysaor SUNBURST

2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike

2021-12-29 ⋅ Blake's R&D ⋅ Blake
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike

2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike

2021-12-22 ⋅ Telsy ⋅ Telsy Research Team
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike

2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle

2021-12-10 ⋅ Accenture ⋅ Accenture
Karakurt rises from its lair
Cobalt Strike

2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet

2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot

2021-12-06 ⋅ CERT-FR ⋅ CERT-FR
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike

2021-12-02 ⋅ CERT-FR ⋅ CERT-FR
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike

2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands

2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike ROLLCOAST

2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti

2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle

2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT

2021-11-17 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike

2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery
DNS Over HTTPS for Cobalt Strike
Cobalt Strike

2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot

2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike

2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
Finding Beacons in the dark
Cobalt Strike

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-13 ⋅ Just Still ⋅ Still Hsu
Threat Spotlight - Domain Fronting
Cobalt Strike

2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike

2021-11-11 ⋅ Cynet ⋅ Max Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot

2021-11-10 ⋅ AT&T ⋅ Josh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti

2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike

2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti

2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-11-03 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike

2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens
New Tool: cs-extract-key.py
Cobalt Strike

2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme
Cobalt Strike Process Injection
Cobalt Strike

2021-11-02 ⋅ Intel 471 ⋅ Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti

2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti

2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor

2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz

2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-27 ⋅ Kaspersky ⋅ Ivan Kwiatkowski
Extracting type information from Go binaries
GoldMax

2021-10-27 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti

2021-10-21 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike

2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet

2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike

2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)

2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
Cobalt Strike

2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle

2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle

2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot

2021-10-06 ⋅ Blackberry ⋅ Blackberry Research
Finding Beacons in the Dark
Cobalt Strike

2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT

2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike

2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti

2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle

2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike

2021-09-30 ⋅ PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti

2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-27 ⋅ Cynet ⋅ Max Malyutin
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle

2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile

2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz

2021-09-22 ⋅ CISA ⋅ US-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti

2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle

2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike

2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team
Scanning VirusTotal's firehose
Cobalt Strike

2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring

2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike

2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike

2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin
Pointer: Hunting Cobalt Strike globally
Cobalt Strike

2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot

2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk

2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike

2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®
Full-Spectrum Cobalt Strike Detection
Cobalt Strike

2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti

2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
Cobalt Strike

2021-09-10 ⋅ Gigamon ⋅ Joe Slowik
Rendering Threats: A Network Perspective
Cobalt Strike

2021-09-09 ⋅ Trend Micro ⋅ Trend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike

2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa
Hook Heaps and Live Free
Cobalt Strike

2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike

2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti

2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, GaborSzappanos
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike

2021-09-02 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Autodesk reveals it was targeted by Russian SolarWinds hackers
SUNBURST

2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike PowerShell Payload Analysis
Cobalt Strike

2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear

2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike

2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz

2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report
Cobalt Strike, a Defender’s Guide
Cobalt Strike

2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike

2021-08-27 ⋅ Aon ⋅ Noah Rubin, Aon’s Cyber Labs
Cobalt Strike Configuration Extractor and Parser
Cobalt Strike

2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike SideWalk

2021-08-24 ⋅ ESET Research ⋅ Thibaut Passilly, Mathieu Tartare
The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk

2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury
Keynote: Cobalt Strike Threat Hunting
Cobalt Strike

2021-08-23 ⋅ FBI ⋅ FBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz

2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex

2021-08-19 ⋅ Sekoia ⋅ sekoia
An insider insights into Conti operations – Part two
Cobalt Strike Conti

2021-08-18 ⋅ Intezer ⋅ Ryan Robinson
Cobalt Strike: Detect this Persistent Threat
Cobalt Strike

2021-08-17 ⋅ Sekoia ⋅ sekoia
An insider insights into Conti operations – Part one
Cobalt Strike Conti

2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike

2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti

2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike

2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer

2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike

2021-08-04 ⋅ CrowdStrike ⋅ Falcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker

2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike

2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike

2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae

2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander Rausch, Konstantin Klinger
The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike

2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot

2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike

2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse
NTLM Relaying via Cobalt Strike
Cobalt Strike

2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-07-27 ⋅ Gigamon ⋅ Joe Slowik
Ghosts on the Wire: Expanding Conceptions of Network Anomalies
SUNBURST

2021-07-25 ⋅ Medium svch0st ⋅ svch0st
Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike

2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID

2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike

2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike

2021-07-14 ⋅ MDSec ⋅ Chris Basnett
Investigating a Suspicious Service
Cobalt Strike

2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP

2021-07-13 ⋅ Symantec ⋅ Threat Hunter Team
Attacks Against the Government Sector
Raindrop TEARDROP

2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor

2021-07-08 ⋅ Recorded Future ⋅ Insikt Group
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
Cobalt Strike Earth Lusca

2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader

2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi

2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil

2021-07-07 ⋅ McAfee ⋅ McAfee Labs
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk

2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike

2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike

2021-07-03 ⋅ Medium AK1001 ⋅ AK1001
Analyzing Cobalt Strike PowerShell Payload
Cobalt Strike

2021-07-02 ⋅ MalwareBookReports ⋅ muzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex

2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike

2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
Backdoored Client from Mongolian CA MonPass
Cobalt Strike Earth Lusca

2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
Backdoored Client from Mongolian CA MonPass
Cobalt Strike FishMaster

2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil

2021-06-29 ⋅ Accenture ⋅ Accenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz

2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike

2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor

2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex

2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID

2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike

2021-06-17 ⋅ Binary Defense ⋅ Brandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor

2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM

2021-06-16 ⋅ Mandiant ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM

2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy

2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades

2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker

2021-06-12 ⋅ YouTube (BSidesBoulder) ⋅ Kurt Baumgartner, Kaspersky
Same and Different - sesame street level attribution
Kazuar SUNBURST

2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike

2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7