Winnti Umbrella  (Back to overview)

This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services. Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites

---

Associated Families

---

References

2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse @online{mouse:20210729:ntlm:7f97289, author = {Rasta Mouse}, title = {{NTLM Relaying via Cobalt Strike}}, date = {2021-07-29}, organization = {Rasta Mouse}, url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/}, language = {English}, urldate = {2021-07-29} } NTLM Relaying via Cobalt Strike Cobalt Strike

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210722:cobalt:f102b02, author = {Michael Koczwara}, title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}}, date = {2021-07-22}, organization = {Medium michaelkoczwara}, url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811}, language = {English}, urldate = {2021-07-22} } Cobalt Strike Hunting — simple PCAP and Beacon Analysis Cobalt Strike

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } IcedID and Cobalt Strike vs Antivirus Cobalt Strike IcedID

2021-07-14 ⋅ MDSec ⋅ Chris Basnett @online{basnett:20210714:investigating:585e2a1, author = {Chris Basnett}, title = {{Investigating a Suspicious Service}}, date = {2021-07-14}, organization = {MDSec}, url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/}, language = {English}, urldate = {2021-07-20} } Investigating a Suspicious Service Cobalt Strike

2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal @online{lechtik:20210714:luminousmoth:a5cf19d, author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal}, title = {{LuminousMoth APT: Sweeping attacks for the chosen few}}, date = {2021-07-14}, organization = {Kaspersky}, url = {https://securelist.com/apt-luminousmoth/103332/}, language = {English}, urldate = {2021-07-20} } LuminousMoth APT: Sweeping attacks for the chosen few Cobalt Strike

2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group @online{stone:20210714:how:38dfdc6, author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group}, title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}}, date = {2021-07-14}, organization = {Google}, url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/}, language = {English}, urldate = {2021-07-26} } How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879) Cobalt Strike

2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman @online{soseman:20210713:solarwinds:cb7df1d, author = {Matt Soseman}, title = {{Solarwinds and SUNBURST attacks compromised my lab!}}, date = {2021-07-13}, organization = {YouTube ( Matt Soseman)}, url = {https://www.youtube.com/watch?v=GfbxHy6xnbA}, language = {English}, urldate = {2021-07-21} } Solarwinds and SUNBURST attacks compromised my lab! Cobalt Strike Raindrop SUNBURST TEARDROP

2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210709:hancitor:814e815, author = {Brad Duncan}, title = {{Hancitor tries XLL as initial malware file}}, date = {2021-07-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27618}, language = {English}, urldate = {2021-07-19} } Hancitor tries XLL as initial malware file Cobalt Strike Hancitor

2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team @online{team:20210708:decoding:04acb98, author = {Threat Intelligence Team}, title = {{Decoding Cobalt Strike: Understanding Payloads}}, date = {2021-07-08}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/}, language = {English}, urldate = {2021-07-08} } Decoding Cobalt Strike: Understanding Payloads Cobalt Strike Empire Downloader

2021-07-07 ⋅ McAfee ⋅ McAfee Labs @techreport{labs:20210707:ryuk:ee88024, author = {McAfee Labs}, title = {{Ryuk Ransomware Now Targeting Webservers}}, date = {2021-07-07}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf}, language = {English}, urldate = {2021-07-11} } Ryuk Ransomware Now Targeting Webservers Cobalt Strike Ryuk

2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen @online{chen:20210707:biopass:88dcdc2, author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen}, title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}}, date = {2021-07-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html}, language = {English}, urldate = {2021-07-19} } BIOPASS RAT: New Malware Sniffs Victims via Live Streaming win.BIOPASS Cobalt Strike Derusbi

2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi @online{mendrez:20210707:diving:1c04c81, author = {Rodel Mendrez and Nikita Kazymirskyi}, title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}}, date = {2021-07-07}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/}, language = {English}, urldate = {2021-07-09} } Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails Cobalt Strike REvil

2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence @online{intelligence:20210706:malspam:083ba5a, author = {Malwarebytes Threat Intelligence}, title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}}, date = {2021-07-06}, organization = {Twitter (@MBThreatIntel)}, url = {https://twitter.com/MBThreatIntel/status/1412518446013812737}, language = {English}, urldate = {2021-07-09} } Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike Cobalt Strike

2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio @online{camba:20210705:tracking:6ae6ad5, author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio}, title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}}, date = {2021-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html}, language = {English}, urldate = {2021-07-19} } Tracking Cobalt Strike: A Trend Micro Vision One Investigation Cobalt Strike

2021-07-02 ⋅ MalwareBookReports ⋅ muzi @online{muzi:20210702:skip:09c3cd8, author = {muzi}, title = {{Skip the Middleman: Dridex Document to Cobalt Strike}}, date = {2021-07-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cryptone-cobalt-strike/}, language = {English}, urldate = {2021-07-06} } Skip the Middleman: Dridex Document to Cobalt Strike Cobalt Strike Dridex

2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek @online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2021-07-02} } Backdoored Client from Mongolian CA MonPass Cobalt Strike

2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210701:mongolian:1fd57de, author = {Catalin Cimpanu}, title = {{Mongolian certificate authority hacked eight times, compromised with malware}}, date = {2021-07-01}, organization = {The Record}, url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/}, language = {English}, urldate = {2021-07-02} } Mongolian certificate authority hacked eight times, compromised with malware Cobalt Strike

2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin @online{skulkin:20210630:revil:63bb524, author = {Oleg Skulkin}, title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}}, date = {2021-06-30}, organization = {Group-IB}, url = {https://blog.group-ib.com/REvil_RaaS}, language = {English}, urldate = {2021-07-02} } REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs Cobalt Strike REvil

2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford @online{larson:20210629:cobalt:99ad5a0, author = {Selena Larson and Daniel Blackford}, title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}}, date = {2021-06-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware}, language = {English}, urldate = {2021-06-29} } Cobalt Strike: Favorite Tool from APT to Crimeware Cobalt Strike

2021-06-29 ⋅ Accenture ⋅ Accenture Security @online{security:20210629:hades:2d4c606, author = {Accenture Security}, title = {{HADES ransomware operators continue attacks}}, date = {2021-06-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades}, language = {English}, urldate = {2021-07-01} } HADES ransomware operators continue attacks Cobalt Strike Hades MimiKatz

2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210628:hancitor:b21cdd2, author = {The DFIR Report}, title = {{Hancitor Continues to Push Cobalt Strike}}, date = {2021-06-28}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/}, language = {English}, urldate = {2021-06-29} } Hancitor Continues to Push Cobalt Strike Cobalt Strike Hancitor

2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si @online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs Cobalt Strike Dridex

2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team @online{team:20210622:response:13a8ee6, author = {The Falcon Complete Team}, title = {{Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators}}, date = {2021-06-22}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/}, language = {English}, urldate = {2021-06-24} } Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators Cobalt Strike

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } From Word to Lateral Movement in 1 Hour Cobalt Strike IcedID

2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff @online{sherstobitoff:20210618:securityscorecard:0000641, author = {Ryan Sherstobitoff}, title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}}, date = {2021-06-18}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought}, language = {English}, urldate = {2021-06-22} } SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought Cobalt Strike

2021-06-17 ⋅ Binary Defense ⋅ Brandon George @online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } Analysis of Hancitor – When Boring Begets Beacon Cobalt Strike Ficker Stealer Hancitor

2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson @online{mclellan:20210616:smoking:fa6559d, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html}, language = {English}, urldate = {2021-06-21} } Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise Cobalt Strike FiveHands

2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України @online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies Clop Cobalt Strike FlawedAmmyy

2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20210615:hades:e1734d8, author = {Counter Threat Unit ResearchTeam}, title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}}, date = {2021-06-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure}, language = {English}, urldate = {2021-06-21} } Hades Ransomware Operators Use Distinctive Tactics and Infrastructure Cobalt Strike Hades

2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } A thread on RagnarLocker ransomware group's TTP seen in an Incident Response Cobalt Strike RagnarLocker

2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev @online{rostovcev:20210610:big:4d0a5f2, author = {Nikita Rostovcev}, title = {{Big airline heist APT41 likely behind massive supply chain attack}}, date = {2021-06-10}, organization = {Group-IB}, url = {https://blog.group-ib.com/colunmtk_apt41}, language = {English}, urldate = {2021-06-16} } Big airline heist APT41 likely behind massive supply chain attack Cobalt Strike

2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7 @online{reddrip7:20210609:in:74f9bac, author = {RedDrip7}, title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}}, date = {2021-06-09}, organization = {Twitter (@RedDrip7)}, url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20}, language = {English}, urldate = {2021-06-21} } Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1) Cobalt Strike

2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein @online{lanstein:20210604:unc2652nobelium:460c6ab, author = {Alex Lanstein}, title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879}}, date = {2021-06-04}, organization = {Twitter (@alex_lanstein)}, url = {https://twitter.com/alex_lanstein/status/1399829754887524354}, language = {English}, urldate = {2021-07-26} } Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879 Cobalt Strike

2021-06-04 ⋅ Inky ⋅ Roger Kay @online{kay:20210604:colonial:959c12f, author = {Roger Kay}, title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}}, date = {2021-06-04}, organization = {Inky}, url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts}, language = {English}, urldate = {2021-06-16} } Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts Cobalt Strike

2021-06-02 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade Agent Tesla Cobalt Strike Meterpreter

2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20210602:chinalinked:487955f, author = {CyCraft Technology Corp}, title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}}, date = {2021-06-02}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5}, language = {English}, urldate = {2021-06-09} } China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware Cobalt Strike ColdLock

2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade @online{guerrerosaade:20210601:noblebaron:20dd227, author = {Juan Andrés Guerrero-Saade}, title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}}, date = {2021-06-01}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/}, language = {English}, urldate = {2021-06-09} } NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks Cobalt Strike

2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs @online{affairs:20210601:justice:1ed9656, author = {Office of Public Affairs}, title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}}, date = {2021-06-01}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear}, language = {English}, urldate = {2021-06-09} } Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development Cobalt Strike

2021-06-01 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team @online{mstic:20210601:new:83aee4c, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{New sophisticated email-based attack from NOBELIUM}}, date = {2021-06-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/}, language = {English}, urldate = {2021-06-09} } New sophisticated email-based attack from NOBELIUM Cobalt Strike

2021-06-01 ⋅ SANS ⋅ Kevin Haley, Jake Williams @online{haley:20210601:contrarian:6aff18c, author = {Kevin Haley and Jake Williams}, title = {{A Contrarian View on SolarWinds}}, date = {2021-06-01}, organization = {SANS}, url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515}, language = {English}, urldate = {2021-06-21} } A Contrarian View on SolarWinds Cobalt Strike Raindrop SUNBURST TEARDROP

2021-05-28 ⋅ CISA ⋅ US-CERT @online{uscert:20210528:alert:be89c5f, author = {US-CERT}, title = {{Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs}}, date = {2021-05-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-148a}, language = {English}, urldate = {2021-07-27} } Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs Cobalt Strike

2021-05-28 ⋅ CISA ⋅ US-CERT @online{uscert:20210528:malware:0913332, author = {US-CERT}, title = {{Malware Analysis Report (AR21-148A): Cobalt Strike Beacon}}, date = {2021-05-28}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a}, language = {English}, urldate = {2021-07-19} } Malware Analysis Report (AR21-148A): Cobalt Strike Beacon Cobalt Strike

2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster @online{cash:20210527:suspected:beb9dd9, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}}, date = {2021-05-27}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/}, language = {English}, urldate = {2021-06-09} } Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns Cobalt Strike

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak @online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan @online{brennan:20210525:cobalt:c428be0, author = {Matthew Brennan}, title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}}, date = {2021-05-25}, organization = {Huntress Labs}, url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware}, language = {English}, urldate = {2021-06-09} } Cobalt Strikes Again: An Analysis of Obfuscated Malware Cobalt Strike

2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite @online{ambite:20210521:leveraging:55f56da, author = {Pablo Ambite}, title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}}, date = {2021-05-21}, organization = {blackarrow}, url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/}, language = {English}, urldate = {2021-06-22} } Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic Cobalt Strike

2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene @online{ergene:20210519:enterprise:f7fb481, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}}, date = {2021-05-19}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e}, language = {English}, urldate = {2021-05-26} } Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2 Cobalt Strike

2021-05-19 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie @online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } The Active Adversary Playbook 2021 Cobalt Strike MimiKatz

2021-05-17 ⋅ Talos ⋅ Brad Garnett @online{garnett:20210517:case:a8ef9cf, author = {Brad Garnett}, title = {{Case Study: Incident Response is a relationship-driven business}}, date = {2021-05-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html}, language = {English}, urldate = {2021-05-25} } Case Study: Incident Response is a relationship-driven business Cobalt Strike

2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland @techreport{ireland:20210516:ransomware:b091d9b, author = {NCSC Ireland}, title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}}, date = {2021-05-16}, institution = {NCSC Ireland}, url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf}, language = {English}, urldate = {2021-05-17} } Ransomware Attack on Health Sector - UPDATE 2021-05-16 Cobalt Strike Conti

2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt @online{schmitt:20210514:from:944b5f1, author = {Drew Schmitt}, title = {{From ZLoader to DarkSide: A Ransomware Story}}, date = {2021-05-14}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/}, language = {English}, urldate = {2021-05-17} } From ZLoader to DarkSide: A Ransomware Story DarkSide Cobalt Strike Zloader

2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r @online{0r:20210514:darkside:bf9c5bc, author = {Auth 0r}, title = {{DarkSide Ransomware Operations – Preventions and Detections.}}, date = {2021-05-14}, organization = {Blue Team Blog}, url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections}, language = {English}, urldate = {2021-05-17} } DarkSide Ransomware Operations – Preventions and Detections. Cobalt Strike DarkSide

2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene @online{ergene:20210512:enterprise:09742df, author = {Mehmet Ergene}, title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}}, date = {2021-05-12}, organization = {Medium Mehmet Ergene}, url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f}, language = {English}, urldate = {2021-05-26} } Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1 Cobalt Strike

2021-05-12 ⋅ The DFIR Report @online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware Cobalt Strike Conti IcedID

2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson @online{nuce:20210511:shining:339d137, author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson}, title = {{Shining a Light on DARKSIDE Ransomware Operations}}, date = {2021-05-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html}, language = {English}, urldate = {2021-05-13} } Shining a Light on DARKSIDE Ransomware Operations Cobalt Strike DarkSide

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS @online{zerobs:20210510:cobaltstrikebeacons:b7fee54, author = {ZEROBS}, title = {{Cobaltstrike-Beacons analyzed}}, date = {2021-05-10}, organization = {ZERO.BS}, url = {https://zero.bs/cobaltstrike-beacons-analyzed.html}, language = {English}, urldate = {2021-05-11} } Cobaltstrike-Beacons analyzed Cobalt Strike

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin @online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2021-05-11} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj @online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2021-05-11} } New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ Medium svch0st ⋅ svch0st @online{svch0st:20210507:stats:11919e5, author = {svch0st}, title = {{Stats from Hunting Cobalt Strike Beacons}}, date = {2021-05-07}, organization = {Medium svch0st}, url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b}, language = {English}, urldate = {2021-05-08} } Stats from Hunting Cobalt Strike Beacons Cobalt Strike

2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre @online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2021-05-11} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike

2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos @online{brandt:20210505:intervention:f548dee, author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos}, title = {{Intervention halts a ProxyLogon-enabled attack}}, date = {2021-05-05}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack}, language = {English}, urldate = {2021-05-07} } Intervention halts a ProxyLogon-enabled attack Cobalt Strike

2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20210505:are:61bb8a0, author = {Mattias Wåhlén}, title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}}, date = {2021-05-05}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/}, language = {English}, urldate = {2021-05-08} } Are The Notorious Cyber Criminals Evil Corp actually Russian Spies? Cobalt Strike Hades WastedLocker

2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel @online{sechel:20210504:improving:ce4da6d, author = {Sergiu Sechel}, title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}}, date = {2021-05-04}, organization = {Medium sergiusechel}, url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468}, language = {English}, urldate = {2021-05-04} } Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives Cobalt Strike

2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210502:trickbot:242b786, author = {The DFIR Report}, title = {{Trickbot Brief: Creds and Beacons}}, date = {2021-05-02}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/}, language = {English}, urldate = {2021-05-04} } Trickbot Brief: Creds and Beacons Cobalt Strike TrickBot

2021-05 ⋅ AWAKE ⋅ Kieran Evans @online{evans:202105:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-06-09} } Catching the White Stork in Flight Cobalt Strike MimiKatz RMS

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw @online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } Legitimate Tools Weaponized for Ransomware in 2021 Cobalt Strike MimiKatz

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili @online{agcaoili:20210427:hello:b3c5de5, author = {Janus Agcaoili}, title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html}, language = {English}, urldate = {2021-04-29} } Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike

2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul) @online{80vul:20210426:hunting:e8be278, author = {Twitter (@80vul)}, title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}}, date = {2021-04-26}, organization = {getrevue}, url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734}, language = {English}, urldate = {2021-04-29} } Hunting Cobalt Strike DNS redirectors by using ZoomEye Cobalt Strike

2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut @online{thiebaut:20210426:anatomy:0ade0a5, author = {Maxime Thiebaut}, title = {{Anatomy of Cobalt Strike’s DLL Stager}}, date = {2021-04-26}, organization = {nviso}, url = {https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/}, language = {English}, urldate = {2021-04-29} } Anatomy of Cobalt Strike’s DLL Stager Cobalt Strike

2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team @online{team:20210424:detect:4fab11a, author = {Non-offensive security team}, title = {{Detect Cobalt Strike server through DNS protocol}}, date = {2021-04-24}, organization = {Non-offensive security}, url = {https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ}, language = {Chinese}, urldate = {2021-04-29} } Detect Cobalt Strike server through DNS protocol Cobalt Strike

2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh @online{singh:20210423:doppel:1bfd6da, author = {Vikas Singh}, title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}}, date = {2021-04-23}, organization = {Twitter (@vikas891)}, url = {https://twitter.com/vikas891/status/1385306823662587905}, language = {English}, urldate = {2021-05-25} } Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals Cobalt Strike DoppelPaymer

2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210422:twwet:62355c6, author = {Peter Mackenzie}, title = {{Twwet On TTPs seen in IR used by DOPPEL SPIDER}}, date = {2021-04-22}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688}, language = {English}, urldate = {2021-05-25} } Twwet On TTPs seen in IR used by DOPPEL SPIDER Cobalt Strike DoppelPaymer

2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt @online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210420:cobaltstrike:d18d4c4, author = {Jason Reaves}, title = {{CobaltStrike Stager Utilizing Floating Point Math}}, date = {2021-04-20}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718}, language = {English}, urldate = {2021-04-20} } CobaltStrike Stager Utilizing Floating Point Math Cobalt Strike

2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID

2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens @online{stevens:20210418:decoding:18e5319, author = {Didier Stevens}, title = {{Decoding Cobalt Strike Traffic}}, date = {2021-04-18}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=ysN-MqyIN7M}, language = {English}, urldate = {2021-04-20} } Decoding Cobalt Strike Traffic Cobalt Strike

2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis Anchor BazarBackdoor Cobalt Strike

2021-04-09 ⋅ F-Secure ⋅ Riccardo Ancarani, Giulio Ginesi @online{ancarani:20210409:detecting:01d28ed, author = {Riccardo Ancarani and Giulio Ginesi}, title = {{Detecting Exposed Cobalt Strike DNS Redirectors}}, date = {2021-04-09}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors}, language = {English}, urldate = {2021-04-14} } Detecting Exposed Cobalt Strike DNS Redirectors Cobalt Strike

2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner @online{warner:20210407:using:a7d19fd, author = {Justin Warner}, title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}}, date = {2021-04-07}, organization = {Medium sixdub}, url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e}, language = {English}, urldate = {2021-04-09} } Using Kaitai Struct to Parse Cobalt Strike Beacon Configs Cobalt Strike

2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20210405:trickbot:a6b0592, author = {Jason Reaves and Joshua Platt}, title = {{TrickBot Crews New CobaltStrike Loader}}, date = {2021-04-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c}, language = {English}, urldate = {2021-04-06} } TrickBot Crews New CobaltStrike Loader Cobalt Strike TrickBot

2021-04-01 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210401:covid19:6a96e45, author = {Joe Slowik}, title = {{COVID-19 Phishing With a Side of Cobalt Strike}}, date = {2021-04-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#}, language = {English}, urldate = {2021-04-06} } COVID-19 Phishing With a Side of Cobalt Strike Cobalt Strike

2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20210401:hancitors:8876ca1, author = {Brad Duncan}, title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}}, date = {2021-04-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/}, language = {English}, urldate = {2021-04-06} } Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool Cobalt Strike Hancitor

2021-03-31 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt @online{schmitt:20210330:yet:9855592, author = {Drew Schmitt}, title = {{Yet Another Cobalt Strike Stager: GUID Edition}}, date = {2021-03-30}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/}, language = {English}, urldate = {2021-04-06} } Yet Another Cobalt Strike Stager: GUID Edition Cobalt Strike

2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil

2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens @online{stevens:20210321:finding:92a9a4d, author = {Didier Stevens}, title = {{Finding Metasploit & Cobalt Strike URLs}}, date = {2021-03-21}, organization = {YouTube (dist67)}, url = {https://www.youtube.com/watch?v=WW0_TgWT2gs}, language = {English}, urldate = {2021-03-25} } Finding Metasploit & Cobalt Strike URLs Cobalt Strike

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross @online{gross:20210318:cobalt:5392fb0, author = {Ben Gross}, title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}}, date = {2021-03-18}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/}, language = {English}, urldate = {2021-06-22} } Cobalt Strike – Post-Exploitation Attackers Toolkit Cobalt Strike

2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT @techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report Cobalt Strike Dridex Koadic

2021-03-16 ⋅ McAfee ⋅ McAfee ATR @techreport{atr:20210316:technical:8c4909a, author = {McAfee ATR}, title = {{Technical Analysis of Operation Diànxùn}}, date = {2021-03-16}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf}, language = {English}, urldate = {2021-03-22} } Technical Analysis of Operation Diànxùn Cobalt Strike

2021-03-16 ⋅ Elastic ⋅ Joe Desimone @online{desimone:20210316:detecting:4091130, author = {Joe Desimone}, title = {{Detecting Cobalt Strike with memory signatures}}, date = {2021-03-16}, organization = {Elastic}, url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures}, language = {English}, urldate = {2021-03-22} } Detecting Cobalt Strike with memory signatures Cobalt Strike

2021-03-11 ⋅ Qurium ⋅ Qurium @online{qurium:20210311:myanmar:7bfc8ce, author = {Qurium}, title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}}, date = {2021-03-11}, organization = {Qurium}, url = {https://www.qurium.org/alerts/targeted-malware-against-crph/}, language = {English}, urldate = {2021-06-21} } Myanmar – Multi-stage malware attack targets elected lawmakers Cobalt Strike

2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell @online{campbell:20210311:you:7bd2342, author = {Josh Campbell}, title = {{You Don't Know the HAFNIUM of it...}}, date = {2021-03-11}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/}, language = {English}, urldate = {2021-03-16} } You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat

2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team @online{schwarz:20210310:nimzaloader:f6960d4, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{NimzaLoader: TA800’s New Initial Access Malware}}, date = {2021-03-10}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware}, language = {English}, urldate = {2021-03-12} } NimzaLoader: TA800’s New Initial Access Malware BazarNimrod Cobalt Strike

2021-03-09 ⋅ splunk ⋅ Security Research Team @online{team:20210309:cloud:4deeb78, author = {Security Research Team}, title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}}, date = {2021-03-09}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html}, language = {English}, urldate = {2021-03-11} } Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021 Cobalt Strike

2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor Anchor BazarBackdoor Cobalt Strike

2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Katie Nickels, Adam Pennington, Jen Burns @online{nickels:20210308:star:083eb29, author = {Katie Nickels and Adam Pennington and Jen Burns}, title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}}, date = {2021-03-08}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU}, language = {English}, urldate = {2021-03-11} } STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R) Cobalt Strike SUNBURST TEARDROP

2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens @online{stevens:20210307:pcaps:980212d, author = {Didier Stevens}, title = {{PCAPs and Beacons}}, date = {2021-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27176}, language = {English}, urldate = {2021-03-11} } PCAPs and Beacons Cobalt Strike

2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader BazarBackdoor BazarNimrod Cobalt Strike

2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20210301:investigation:a7851d5, author = {Joshua Platt and Jason Reaves}, title = {{Investigation into the state of Nim malware}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811}, language = {English}, urldate = {2021-03-04} } Investigation into the state of Nim malware BazarNimrod Cobalt Strike

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff @online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta @online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International @online{international:20210224:overview:95b80e0, author = {Amnesty International}, title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}}, date = {2021-02-24}, organization = {Github (AmnestyTech)}, url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam}, language = {English}, urldate = {2021-02-25} } Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus Cobalt Strike KerrDown

2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama @techreport{haruyama:20210224:knock:f4903a2, author = {Takahiro Haruyama}, title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}}, date = {2021-02-24}, institution = {VMWare Carbon Black}, url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf}, language = {Japanese}, urldate = {2021-02-26} } Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210211:hancitor:9fa527e, author = {The DFIR Report}, title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}}, date = {2021-02-11}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1359669513520873473}, language = {English}, urldate = {2021-02-18} } Tweet on Hancitor Activity followed by cobaltsrike beacon Cobalt Strike Hancitor

2021-02-09 ⋅ Securehat ⋅ Securehat @online{securehat:20210209:extracting:0f4ae2f, author = {Securehat}, title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}}, date = {2021-02-09}, organization = {Securehat}, url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader}, language = {English}, urldate = {2021-02-10} } Extracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike TEARDROP

2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20210209:learn:c08b657, author = {Raphael Mudge}, title = {{Learn Pipe Fitting for all of your Offense Projects}}, date = {2021-02-09}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/}, language = {English}, urldate = {2021-02-10} } Learn Pipe Fitting for all of your Offense Projects Cobalt Strike

2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware Cobalt Strike SystemBC

2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp @online{earp:20210202:how:923f969, author = {Madeline Earp}, title = {{How Vietnam-based hacking operation OceanLotus targets journalists}}, date = {2021-02-02}, organization = {Committee to Protect Journalists}, url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists}, language = {English}, urldate = {2021-02-04} } How Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } Tweet on recent dridex post infection activity Cobalt Strike Dridex

2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210201:bluecrab:df21c0a, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}}, date = {2021-02-01}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19860/}, language = {English}, urldate = {2021-02-06} } BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil

2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis @online{koutroumpis:20210201:relay:596413f, author = {Petros Koutroumpis}, title = {{Relay Attacks via Cobalt Strike Beacons}}, date = {2021-02-01}, organization = {pkb1s.github.io}, url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/}, language = {English}, urldate = {2021-02-04} } Relay Attacks via Cobalt Strike Beacons Cobalt Strike

2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk

2021-01-28 ⋅ TrustedSec ⋅ Adam Chester @online{chester:20210128:tailoring:d3f973c, author = {Adam Chester}, title = {{Tailoring Cobalt Strike on Target}}, date = {2021-01-28}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/}, language = {English}, urldate = {2021-01-29} } Tailoring Cobalt Strike on Target Cobalt Strike

2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210128:bluecrab:44d2e64, author = {ASEC Analysis Team}, title = {{BlueCrab ransomware constantly trying to bypass detection}}, date = {2021-01-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/19640/}, language = {Korean}, urldate = {2021-02-04} } BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil

2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT @online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware Cobalt Strike Cring MimiKatz

2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC) @online{team:20210120:deep:1cc0551, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)}, title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}}, date = {2021-01-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/}, language = {English}, urldate = {2021-01-21} } Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike SUNBURST TEARDROP

2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210118:raindrop:9ab1262, author = {Threat Hunter Team}, title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}}, date = {2021-01-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware}, language = {English}, urldate = {2021-01-21} } Raindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike Raindrop SUNBURST TEARDROP

2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210117:conti:db7f1cb, author = {Peter Mackenzie}, title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}}, date = {2021-01-17}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352}, language = {English}, urldate = {2021-01-21} } Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike Conti

2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier @online{lussier:20210115:detecting:fecd6c3, author = {Dan Lussier}, title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}}, date = {2021-01-15}, organization = {Medium Dansec}, url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64}, language = {English}, urldate = {2021-01-21} } Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike

2021-01-14 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210114:higaisa:326f8ea, author = {PTSecurity}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2}, language = {English}, urldate = {2021-01-18} } Higaisa or Winnti? APT41 backdoors, old and new FunnySwitch

2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7, author = {PT ESC Threat Intelligence}, title = {{Higaisa or Winnti? APT41 backdoors, old and new}}, date = {2021-01-14}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/}, language = {English}, urldate = {2021-02-09} } Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad

2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen @online{jansen:20210112:abusing:c38eeb6, author = {Wouter Jansen}, title = {{Abusing cloud services to fly under the radar}}, date = {2021-01-12}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/}, language = {English}, urldate = {2021-01-18} } Abusing cloud services to fly under the radar Cobalt Strike

2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist @online{read:20210112:unc2452:6e54c6c, author = {Ben Read and John Hultquist}, title = {{UNC2452: What We Know So Far}}, date = {2021-01-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/462719}, language = {English}, urldate = {2021-01-18} } UNC2452: What We Know So Far Cobalt Strike SUNBURST TEARDROP

2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna @online{ramakrishna:20210111:new:296b621, author = {Sudhakar Ramakrishna}, title = {{New Findings From Our Investigation of SUNBURST}}, date = {2021-01-11}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/}, language = {English}, urldate = {2021-01-18} } New Findings From Our Investigation of SUNBURST Cobalt Strike SUNBURST TEARDROP

2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210111:trickbot:d1011f9, author = {The DFIR Report}, title = {{Trickbot Still Alive and Well}}, date = {2021-01-11}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/}, language = {English}, urldate = {2021-01-11} } Trickbot Still Alive and Well Cobalt Strike TrickBot

2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210110:man1:54a4162, author = {Jason Reaves}, title = {{MAN1, Moskal, Hancitor and a side of Ransomware}}, date = {2021-01-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618}, language = {English}, urldate = {2021-01-11} } MAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr @online{mcgarr:20210109:malware:dde1353, author = {Connor McGarr}, title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}}, date = {2021-01-09}, organization = {Connor McGarr's Blog}, url = {https://connormcgarr.github.io/thread-hijacking/}, language = {English}, urldate = {2021-01-11} } Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike

2021-01-07 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2

2021-01-06 ⋅ Red Canary ⋅ Tony Lambert @online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools Cobalt Strike Empire Downloader Meterpreter PoshC2

2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20210105:earth:d7bb547, author = {Trend Micro Research}, title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}}, date = {2021-01-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html}, language = {English}, urldate = {2021-01-10} } Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike

2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag @online{haag:20210104:malleable:ab64356, author = {Michael Haag}, title = {{Malleable C2 Profiles and You}}, date = {2021-01-04}, organization = {Medium haggis-m}, url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929}, language = {English}, urldate = {2021-01-05} } Malleable C2 Profiles and You Cobalt Strike

2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WINTER Cobalt Strike Hades Meterpreter GOLD WINTER

2021 ⋅ Talos ⋅ Talos Incident Response @techreport{response:2021:evicting:c795470, author = {Talos Incident Response}, title = {{Evicting Maze}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf}, language = {English}, urldate = {2021-05-26} } Evicting Maze Cobalt Strike Maze

2021 ⋅ SecureWorks @online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:45f61e0, author = {SecureWorks}, title = {{Threat Profile: GOLD WATERFALL}}, date = {2021}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WATERFALL Cobalt Strike DarkSide GOLD WATERFALL

2021 ⋅ Talos ⋅ Talos Incident Response @techreport{response:2021:cobalt:f4412fa, author = {Talos Incident Response}, title = {{Cobalt Strikes Out}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf}, language = {English}, urldate = {2021-05-26} } Cobalt Strikes Out Cobalt Strike

2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck @online{grimminck:20201226:spoofing:a0a5622, author = {Stefan Grimminck}, title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}}, date = {2020-12-26}, organization = {Medium grimminck}, url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b}, language = {English}, urldate = {2021-01-01} } Spoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike

2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk

2020-12-21 ⋅ Fortinet ⋅ Udi Yavo @online{yavo:20201221:what:716b31d, author = {Udi Yavo}, title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}}, date = {2020-12-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack}, language = {English}, urldate = {2021-01-18} } What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike SUNBURST TEARDROP

2020-12-20 ⋅ Randhome ⋅ Etienne Maynier @online{maynier:20201220:analyzing:3e15960, author = {Etienne Maynier}, title = {{Analyzing Cobalt Strike for Fun and Profit}}, date = {2020-12-20}, organization = {Randhome}, url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/}, language = {English}, urldate = {2020-12-23} } Analyzing Cobalt Strike for Fun and Profit Cobalt Strike

2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team @online{team:20201215:solarwindsthreathunt:4357421, author = {Sophos Cyber Security Team}, title = {{solarwinds-threathunt}}, date = {2020-12-15}, organization = {Github (sophos-cybersecurity)}, url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt}, language = {English}, urldate = {2020-12-15} } solarwinds-threathunt Cobalt Strike SUNBURST

2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20201215:tactics:bba1b4f, author = {Süleyman Özarslan}, title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}}, date = {2020-12-15}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach}, language = {English}, urldate = {2020-12-17} } Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike SUNBURST

2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike SUNBURST

2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team @online{team:20201211:mountlocker:9c495cb, author = {BlackBerry Research and Intelligence team}, title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}}, date = {2020-12-11}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates}, language = {English}, urldate = {2020-12-14} } MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike Mount Locker

2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT

2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @online{unit42:20201210:threat:6ac31af, author = {Unit42}, title = {{Threat Brief: FireEye Red Team Tool Breach}}, date = {2020-12-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/}, language = {English}, urldate = {2020-12-15} } Threat Brief: FireEye Red Team Tool Breach Cobalt Strike

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil

2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity Cobalt Strike QakBot

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201208:red:8ccdfcf, author = {Raphael Mudge}, title = {{A Red Teamer Plays with JARM}}, date = {2020-12-08}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/}, language = {English}, urldate = {2021-01-11} } A Red Teamer Plays with JARM Cobalt Strike

2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary) @online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot

2020-12-01 ⋅ 360.cn ⋅ jindanlong @online{jindanlong:20201201:hunting:b9e2674, author = {jindanlong}, title = {{Hunting Beacons}}, date = {2020-12-01}, organization = {360.cn}, url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950}, language = {English}, urldate = {2021-01-10} } Hunting Beacons Cobalt Strike

2020-12-01 ⋅ mez0.cc ⋅ mez0 @online{mez0:20201201:cobalt:38336ed, author = {mez0}, title = {{Cobalt Strike PowerShell Execution}}, date = {2020-12-01}, organization = {mez0.cc}, url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/}, language = {English}, urldate = {2020-12-14} } Cobalt Strike PowerShell Execution Cobalt Strike

2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20201130:threat:2633df5, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}}, date = {2020-11-30}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/}, language = {English}, urldate = {2020-12-01} } Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus @online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot

2020-11-25 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20201125:egregor:5727f7a, author = {Jim Walter}, title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}}, date = {2020-11-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/}, language = {English}, urldate = {2020-12-08} } Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike Egregor

2020-11-20 ⋅ 360 netlab ⋅ JiaYu @online{jiayu:20201120:blackrota:ee43da1, author = {JiaYu}, title = {{Blackrota, a highly obfuscated backdoor developed by Go}}, date = {2020-11-20}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/}, language = {Chinese}, urldate = {2020-11-23} } Blackrota, a highly obfuscated backdoor developed by Go Cobalt Strike

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani @online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } Detecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike

2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse @online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot

2020-11-17 ⋅ cyble ⋅ Cyble @online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike Meterpreter

2020-11-15 ⋅ Trustnet ⋅ Michael Wainshtain @online{wainshtain:20201115:from:719b7ff, author = {Michael Wainshtain}, title = {{From virus alert to PowerShell Encrypted Loader}}, date = {2020-11-15}, organization = {Trustnet}, url = {https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/}, language = {English}, urldate = {2021-07-26} } From virus alert to PowerShell Encrypted Loader Cobalt Strike

2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader

2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research @online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike KerrDown APT32

2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201106:cobalt:05fe8fc, author = {Raphael Mudge}, title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}}, date = {2020-11-06}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/}, language = {English}, urldate = {2020-11-09} } Cobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS @online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike PyXie RansomEXX

2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst @online{theanalyst:20201105:zloader:c4bab85, author = {TheAnalyst}, title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}}, date = {2020-11-05}, organization = {Twitter (@ffforward)}, url = {https://twitter.com/ffforward/status/1324281530026524672}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader

2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom BazarBackdoor Cobalt Strike Ryuk

2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna @online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho @online{marinho:20201103:attackers:9b3762b, author = {Renato Marinho}, title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}}, date = {2020-11-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/26752}, language = {English}, urldate = {2020-11-06} } Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike Cobalt Strike

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect @online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect BazarBackdoor Cobalt Strike Ryuk

2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT @online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } List of CobaltStrike C2's used by RYUK Cobalt Strike

2020-10-29 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20201029:ryuk:0643968, author = {RiskIQ}, title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}}, date = {2020-10-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0bcefe76}, language = {English}, urldate = {2020-11-02} } Ryuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike Ryuk

2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20201029:bazar:1846b93, author = {The Red Canary Team}, title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}}, date = {2020-10-29}, organization = {Red Canary}, url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/}, language = {English}, urldate = {2020-11-02} } A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot

2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock @online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor Cobalt Strike Ryuk UNC1878

2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon @online{iddon:20201027:mtr:3b62ca9, author = {Greg Iddon}, title = {{MTR Casebook: An active adversary caught in the act}}, date = {2020-10-27}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/}, language = {English}, urldate = {2020-11-02} } MTR Casebook: An active adversary caught in the act Cobalt Strike

2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk

2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross @online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } A Well-Marked Trail: Journeying through OceanLotus's Infrastructure Cobalt Strike

2020-10-14 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC

2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez @online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk

2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel @online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ? Cobalt Strike Meterpreter

2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen @online{tanriverdi:20201008:there:620f4e7, author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen}, title = {{There is no safe place}}, date = {2020-10-08}, organization = {Bayerischer Rundfunk}, url = {https://web.br.de/interaktiv/ocean-lotus/en/}, language = {English}, urldate = {2020-10-12} } There is no safe place Cobalt Strike

2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk

2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3) @techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-10-01 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike Meterpreter

2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller @online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } Getting the Bacon from the Beacon Cobalt Strike

2020-09-29 ⋅ Github (Apr4h) ⋅ Apra @online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } CobaltStrikeScan Cobalt Strike

2020-09-24 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike Meterpreter

2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW @techreport{mavis:20200921:art:d9702a4, author = {Nick Mavis and Joe Marshall and JON MUNSHAW}, title = {{The art and science of detecting Cobalt Strike}}, date = {2020-09-21}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf}, language = {English}, urldate = {2020-09-23} } The art and science of detecting Cobalt Strike Cobalt Strike

2020-09-18 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20200918:us:7900e6a, author = {Trend Micro}, title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}}, date = {2020-09-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html}, language = {English}, urldate = {2020-09-23} } U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike ColdLock

2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm @online{vuonglvm:20200903:apt32:02bd8fc, author = {vuonglvm}, title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}}, date = {2020-09-03}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/}, language = {Vietnamese}, urldate = {2020-09-09} } APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike

2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk

2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz

2020-08-20 ⋅ Seebug Paper ⋅ Malayke @online{malayke:20200820:use:77d3957, author = {Malayke}, title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}}, date = {2020-08-20}, organization = {Seebug Paper}, url = {https://paper.seebug.org/1301/}, language = {Chinese}, urldate = {2020-08-24} } Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike Empire Downloader PoshC2

2020-08-19 ⋅ TEAMT5 ⋅ TeamT5 @online{teamt5:20200819:0819:e955419, author = {TeamT5}, title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}}, date = {2020-08-19}, organization = {TEAMT5}, url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/}, language = {Chinese}, urldate = {2021-05-03} } 調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike Waterbear

2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez @online{kremez:20200814:zloader:cbd9ad5, author = {Vitali Kremez}, title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}}, date = {2020-08-14}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1294320579311435776}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike Zloader

2020-08-06 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike MimiKatz Winnti Operation Skeleton Key

2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang @techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike MimiKatz Winnti Operation Skeleton Key

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-26 ⋅ Shells.System blog ⋅ Askar @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } In-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike

2020-07-22 ⋅ On the Hunt ⋅ Newton Paul @online{paul:20200722:analysing:2de83d7, author = {Newton Paul}, title = {{Analysing Fileless Malware: Cobalt Strike Beacon}}, date = {2020-07-22}, organization = {On the Hunt}, url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/}, language = {English}, urldate = {2020-07-24} } Analysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike

2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } Chinese APT group targets India and Hong Kong using new variant of MgBot malware KSREMOTE Cobalt Strike MgBot

2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } Cobalt Strike stagers used by FIN6 Cobalt Strike

2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee @online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker

2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}}, date = {2020-06-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos}, language = {English}, urldate = {2020-06-23} } Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil

2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra @online{malhotra:20200622:indigodrop:6d5e7e1, author = {Asheer Malhotra}, title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}}, date = {2020-06-22}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html}, language = {English}, urldate = {2020-06-24} } IndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike IndigoDrop

2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves @online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot

2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil @online{singh:20200619:targeted:05d8d31, author = {Atinderpal Singh and Nirmal Singh and Sahil Antil}, title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}}, date = {2020-06-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims}, language = {English}, urldate = {2020-06-21} } Targeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike

2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge @online{mudge:20200619:beacon:bc8ae77, author = {Raphael Mudge}, title = {{Beacon Object Files - Luser Demo}}, date = {2020-06-19}, organization = {Youtube (Raphael Mudge)}, url = {https://www.youtube.com/watch?v=gfYswA_Ronw}, language = {English}, urldate = {2020-06-23} } Beacon Object Files - Luser Demo Cobalt Strike

2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC) @techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader

2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike

2020-06-16 ⋅ Intezer ⋅ Aviygayil Mechtinger @online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } ELF Malware Analysis 101: Linux Threats No Longer an Afterthought Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti

2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group @online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike

2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal @online{kristal:20200609:cobaltstrikeparser:a023ac8, author = {Gal Kristal}, title = {{CobaltStrikeParser}}, date = {2020-06-09}, organization = {Github (Sentinel-One)}, url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py}, language = {English}, urldate = {2020-09-15} } CobaltStrikeParser Cobalt Strike

2020-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC) @online{mstic:20200528:breaking:f55e372, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Breaking down NOBELIUM’s latest early-stage toolset}}, date = {2020-05-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/}, language = {English}, urldate = {2021-06-09} } Breaking down NOBELIUM’s latest early-stage toolset Cobalt Strike

2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal @online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike

2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200424:ursnif:e983798, author = {The DFIR Report}, title = {{Ursnif via LOLbins}}, date = {2020-04-24}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/}, language = {English}, urldate = {2021-03-16} } Ursnif via LOLbins Cobalt Strike LOLSnif TeamSpy

2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures Cobalt Strike MimiKatz Operation Skeleton Key

2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer @online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } Catching APT41 exploiting a zero-day vulnerability Cobalt Strike

2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke

2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller @online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Speculoos Cobalt Strike

2020-03-25 ⋅ Wilbur Security ⋅ JW @online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot

2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch @online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } Mustang Panda joins the COVID-19 bandwagon Cobalt Strike

2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten @online{rusten:20200320:analysis:f82a963, author = {Luke Rusten}, title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}}, date = {2020-03-20}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/}, language = {English}, urldate = {2020-06-22} } Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41) Cobalt Strike

2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20200304:cobalt:176b61e, author = {Raphael Mudge}, title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}}, date = {2020-03-04}, organization = {Cobalt Strike}, url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/}, language = {English}, urldate = {2020-03-04} } Cobalt Strike joins Core Impact at HelpSystems, LLC Cobalt Strike

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Eamonn Ryan, Darren Fitzpatrick @online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II Cobalt Strike LockerGoga Maze MegaCortex

2020-02-19 ⋅ FireEye ⋅ FireEye @online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020 Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290, author = {SecureWorks}, title = {{BRONZE RIVERSIDE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside}, language = {English}, urldate = {2020-05-23} } BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb, author = {SecureWorks}, title = {{BRONZE PRESIDENT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-president}, language = {English}, urldate = {2020-05-23} } BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } GOLD DUPONT Cobalt Strike Defray PyXie GOLD DUPONT

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } APT32 Report Cobalt Strike

2019-12-05 ⋅ Raphael Mudge @online{mudge:20191205:cobalt:219044e, author = {Raphael Mudge}, title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}}, date = {2019-12-05}, url = {https://blog.cobaltstrike.com/}, language = {English}, urldate = {2019-12-06} } Cobalt Strike 4.0 – Bring Your Own Weaponization Cobalt Strike

2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen @techreport{thomasen:20191129:cyber:1aae987, author = {Thomas Thomasen}, title = {{Cyber Threat Intelligence & Incident Response}}, date = {2019-11-29}, institution = {Deloitte}, url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf}, language = {English}, urldate = {2020-03-04} } Cyber Threat Intelligence & Incident Response Cobalt Strike

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-11-05 ⋅ tccontre Blog ⋅ tccontre @online{tccontre:20191105:cobaltstrike:02e37af, author = {tccontre}, title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}}, date = {2019-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html}, language = {English}, urldate = {2019-12-17} } CobaltStrike - beacon.dll : Your No Ordinary MZ Header Cobalt Strike

2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish 8.t Dropper Cobalt Strike

2019-06-04 ⋅ Bitdefender ⋅ Bitdefender @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } An APT Blueprint: Gaining New Visibility into Financial Threats More_eggs Cobalt Strike

2019-05-15 ⋅ Chronicle ⋅ Silas Cutler, Juan Andrés Guerrero-Saade @online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } Winnti: More than just Windows and Gates Winnti Axiom

2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam

2019-04-24 ⋅ Weixin ⋅ Tencent @online{tencent:20190424:sea:a722d68, author = {Tencent}, title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}}, date = {2019-04-24}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A}, language = {English}, urldate = {2020-01-13} } "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed Cobalt Strike SOUNDBITE

2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines @online{lines:20190415:cobalt:7b3c086, author = {Neil Lines}, title = {{Cobalt Strike. Walkthrough for Red Teamers}}, date = {2019-04-15}, organization = {PenTestPartners}, url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/}, language = {English}, urldate = {2019-12-17} } Cobalt Strike. Walkthrough for Red Teamers Cobalt Strike

2019-04 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:201904:oceanlotus:8ceeac3, author = {Macnica Networks}, title = {{OceanLotus Attack on Southeast Asian Automotive Industry}}, date = {2019-04}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpression_automobile.pdf}, language = {Japanese}, urldate = {2021-03-02} } OceanLotus Attack on Southeast Asian Automotive Industry CACTUSTORCH Cobalt Strike

2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy

2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190324:jeshell:439ae8b, author = {Kevin Perlow}, title = {{JEShell: An OceanLotus (APT32) Backdoor}}, date = {2019-03-24}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/}, language = {English}, urldate = {2020-05-19} } JEShell: An OceanLotus (APT32) Backdoor Cobalt Strike KerrDown

2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman @online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } New Global Cyber Attack on Point of Sale Sytem Cobalt Strike

2019-02-26 ⋅ Fox-IT ⋅ Fox IT @online{it:20190226:identifying:689104d, author = {Fox IT}, title = {{Identifying Cobalt Strike team servers in the wild}}, date = {2019-02-26}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/}, language = {English}, urldate = {2020-10-25} } Identifying Cobalt Strike team servers in the wild Cobalt Strike

2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:winnti:979cb5b, author = {Cyber Operations Tracker}, title = {{Winnti Umbrella}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/winnti-umbrella}, language = {English}, urldate = {2019-12-20} } Winnti Umbrella Winnti Umbrella

2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign Cobalt Strike

2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe @online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } CozyBear – In from the Cold? Cobalt Strike APT 29

2018-10 ⋅ Group-IB ⋅ Group-IB @techreport{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, institution = {Group-IB}, url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf}, language = {English}, urldate = {2021-02-09} } Hi-Tech Crime Trends 2018 BackSwap Cobalt Strike Cutlet Meterpreter

2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot

2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm

2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } Volatility Plugin for Detecting Cobalt Strike Beacon Cobalt Strike

2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC @online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } Scanner for CobaltStrike Cobalt Strike

2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa @online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } Confirmed new attacks by APT attacker group menuPass (APT10) Cobalt Strike

2017-06-06 ⋅ FireEye ⋅ Ian Ahl @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } Privileges and Credentials: Phished at the Request of Counsel Cobalt Strike

2016-10-11 ⋅ Symantec ⋅ Symantec Security Response @online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff

2012 ⋅ Cobalt Strike ⋅ Cobalt Strike @online{strike:2012:cobalt:8522cdd, author = {Cobalt Strike}, title = {{Cobalt Strike Website}}, date = {2012}, organization = {Cobalt Strike}, url = {https://www.cobaltstrike.com/support}, language = {English}, urldate = {2020-01-13} } Cobalt Strike Website Cobalt Strike

---

Credits: MISP Project