This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.
Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites.
2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs @online{labs:20220628:zuorat:f60583e,
author = {Black Lotus Labs},
title = {{ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks}},
date = {2022-06-28},
organization = {Lumen},
url = {https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/},
language = {English},
urldate = {2022-06-30}
}
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks ZuoRAT Cobalt Strike |
2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov @online{snegirev:20220627:attacks:100c151,
author = {Artem Snegirev and Kirill Kruglov},
title = {{Attacks on industrial control systems using ShadowPad}},
date = {2022-06-27},
organization = {Kaspersky ICS CERT},
url = {https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/},
language = {English},
urldate = {2022-06-29}
}
Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad |
2022-06-26 ⋅ BushidoToken @online{bushidotoken:20220626:overview:97370ff,
author = {BushidoToken},
title = {{Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022}},
date = {2022-06-26},
url = {https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html},
language = {English},
urldate = {2022-06-27}
}
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022 Cobalt Strike EnvyScout |
2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220623:bronze:8bccd74,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
date = {2022-06-23},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
language = {English},
urldate = {2022-06-27}
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora Rook |
2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere @online{costa:20220621:avos:b60a2ad,
author = {Flavio Costa and Chris Neal and Guilherme Venere},
title = {{Avos ransomware group expands with new attack arsenal}},
date = {2022-06-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html},
language = {English},
urldate = {2022-06-22}
}
Avos ransomware group expands with new attack arsenal AvosLocker Cobalt Strike DarkComet MimiKatz |
2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220617:malspam:25c76a4,
author = {Brad Duncan},
title = {{Malspam pushes Matanbuchus malware, leads to Cobalt Strike}},
date = {2022-06-17},
organization = {SANS ISC},
url = {https://isc.sans.edu/diary/rss/28752},
language = {English},
urldate = {2022-06-22}
}
Malspam pushes Matanbuchus malware, leads to Cobalt Strike Cobalt Strike Matanbuchus |
2022-06-07 ⋅ cyble ⋅ Cyble @online{cyble:20220607:bumblebee:9f2dc4a,
author = {Cyble},
title = {{Bumblebee Loader on The Rise}},
date = {2022-06-07},
organization = {cyble},
url = {https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/},
language = {English},
urldate = {2022-06-09}
}
Bumblebee Loader on The Rise BumbleBee Cobalt Strike |
2022-06-07 ⋅ AdvIntel ⋅ Vitali Kremez, Marley Smith, Yelisey Boguslavskiy @online{kremez:20220607:blackcat:3dc977e,
author = {Vitali Kremez and Marley Smith and Yelisey Boguslavskiy},
title = {{BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive}},
date = {2022-06-07},
organization = {AdvIntel},
url = {https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive},
language = {English},
urldate = {2022-06-08}
}
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive BlackCat BlackCat Cobalt Strike |
2022-06-06 ⋅ Trellix ⋅ Trelix @online{trelix:20220606:growling:14f9f75,
author = {Trelix},
title = {{Growling Bears Make Thunderous Noise}},
date = {2022-06-06},
organization = {Trellix},
url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html},
language = {English},
urldate = {2022-06-08}
}
Growling Bears Make Thunderous Noise Cobalt Strike HermeticWiper WhisperGate |
2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien @online{m4n0w4r:20220604:quicknote:dc79142,
author = {m4n0w4r and Tran Trung Kien},
title = {{[QuickNote] CobaltStrike SMB Beacon Analysis}},
date = {2022-06-04},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/},
language = {English},
urldate = {2022-06-07}
}
[QuickNote] CobaltStrike SMB Beacon Analysis Cobalt Strike |
2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team @online{wells:20220603:attack:5e4e9c6,
author = {Jackson Wells and AttackIQ Adversary Research Team},
title = {{Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group}},
date = {2022-06-03},
organization = {AttackIQ},
url = {https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/},
language = {English},
urldate = {2022-06-18}
}
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group Cobalt Strike MimiKatz |
2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence @online{intelligence:20220602:to:e15831c,
author = {Mandiant Intelligence},
title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions},
language = {English},
urldate = {2022-06-04}
}
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
2022-06-02 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220602:trending:0bcdbc4,
author = {Mandiant},
title = {{TRENDING EVIL Q2 2022}},
date = {2022-06-02},
organization = {Mandiant},
url = {https://experience.mandiant.com/trending-evil-2/p/1},
language = {English},
urldate = {2022-06-07}
}
TRENDING EVIL Q2 2022 CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot |
2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease @online{stepanic:20220601:cuba:333f7c1,
author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease},
title = {{CUBA Ransomware Campaign Analysis}},
date = {2022-06-01},
organization = {Elastic},
url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis},
language = {English},
urldate = {2022-06-09}
}
CUBA Ransomware Campaign Analysis Cobalt Strike Cuba Meterpreter MimiKatz SystemBC |
2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220525:socgholish:f876e0e,
author = {Jason Reaves and Joshua Platt},
title = {{SocGholish Campaigns and Initial Access Kit}},
date = {2022-05-25},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee},
language = {English},
urldate = {2022-06-02}
}
SocGholish Campaigns and Initial Access Kit FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT |
2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin @online{goutin:20220524:malware:e85b49b,
author = {Florian Goutin},
title = {{Malware Analysis: Trickbot}},
date = {2022-05-24},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/malware-analysis-trickbot.html},
language = {English},
urldate = {2022-05-29}
}
Malware Analysis: Trickbot Cobalt Strike Conti Ryuk TrickBot |
2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight @online{batista:20220524:emotet:cae57f1,
author = {João Batista and Pedro Umbelino and BitSight},
title = {{Emotet Botnet Rises Again}},
date = {2022-05-24},
organization = {BitSight},
url = {https://www.bitsight.com/blog/emotet-botnet-rises-again},
language = {English},
urldate = {2022-05-25}
}
Emotet Botnet Rises Again Cobalt Strike Emotet QakBot SystemBC |
2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel @online{reichel:20220522:introduction:47edade,
author = {Dominik Reichel},
title = {{Introduction of a PE file extractor for various situations}},
date = {2022-05-22},
organization = {R136a1},
url = {https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/},
language = {English},
urldate = {2022-06-02}
}
Introduction of a PE file extractor for various situations Cobalt Strike Matanbuchus |
2022-05-20 ⋅ sonatype ⋅ Ax Sharma @online{sharma:20220520:new:15b8bf7,
author = {Ax Sharma},
title = {{New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux}},
date = {2022-05-20},
organization = {sonatype},
url = {https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux},
language = {English},
urldate = {2022-05-24}
}
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux Cobalt Strike |
2022-05-20 ⋅ Cybleinc ⋅ Cyble @online{cyble:20220520:malware:c20f29f,
author = {Cyble},
title = {{Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon}},
date = {2022-05-20},
organization = {Cybleinc},
url = {https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/},
language = {English},
urldate = {2022-05-23}
}
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon Cobalt Strike |
2022-05-20 ⋅ AhnLab ⋅ ASEC @online{asec:20220520:why:c6efba7,
author = {ASEC},
title = {{Why Remediation Alone Is Not Enough When Infected by Malware}},
date = {2022-05-20},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/34549/},
language = {English},
urldate = {2022-05-24}
}
Why Remediation Alone Is Not Enough When Infected by Malware Cobalt Strike DarkSide |
2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220519:bumblebee:20c59e6,
author = {Brad Duncan},
title = {{Bumblebee Malware from TransferXL URLs}},
date = {2022-05-19},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28664},
language = {English},
urldate = {2022-05-25}
}
Bumblebee Malware from TransferXL URLs BumbleBee Cobalt Strike |
2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT @techreport{prodaft:20220518:wizard:e7ee1c4,
author = {PRODAFT},
title = {{Wizard Spider In-Depth Analysis}},
date = {2022-05-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf},
language = {English},
urldate = {2022-05-25}
}
Wizard Spider In-Depth Analysis Cobalt Strike Conti |
2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220517:ransomware:7b86339,
author = {Trend Micro Research},
title = {{Ransomware Spotlight: RansomEXX}},
date = {2022-05-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx},
language = {English},
urldate = {2022-05-25}
}
Ransomware Spotlight: RansomEXX LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot |
2022-05-12 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220512:what:05369d4,
author = {Intel 471},
title = {{What malware to look for if you want to prevent a ransomware attack}},
date = {2022-05-12},
organization = {Intel 471},
url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike},
language = {English},
urldate = {2022-05-13}
}
What malware to look for if you want to prevent a ransomware attack Conti BumbleBee Cobalt Strike IcedID Sliver |
2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber @online{lambert:20220512:goot:1fc62fa,
author = {Tony Lambert and Lauren Podber},
title = {{The Goot cause: Detecting Gootloader and its follow-on activity}},
date = {2022-05-12},
organization = {Red Canary},
url = {https://redcanary.com/blog/gootloader},
language = {English},
urldate = {2022-05-13}
}
The Goot cause: Detecting Gootloader and its follow-on activity GootLoader Cobalt Strike |
2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber @techreport{lambert:20220512:gootloader:4562030,
author = {Tony Lambert and Lauren Podber},
title = {{Gootloader and Cobalt Strike malware analysis}},
date = {2022-05-12},
institution = {Red Canary},
url = {https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf},
language = {English},
urldate = {2022-05-13}
}
Gootloader and Cobalt Strike malware analysis GootLoader Cobalt Strike |
2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi @online{hiyoshi:20220511:operation:b5a845d,
author = {Ryu Hiyoshi},
title = {{Operation RestyLink: Targeted attack campaign targeting Japanese companies}},
date = {2022-05-11},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink},
language = {Japanese},
urldate = {2022-05-11}
}
Operation RestyLink: Targeted attack campaign targeting Japanese companies Cobalt Strike |
2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220511:ta578:0a0a686,
author = {Brad Duncan},
title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}},
date = {2022-05-11},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/28636},
language = {English},
urldate = {2022-05-11}
}
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware BumbleBee Cobalt Strike IcedID PhotoLoader |
2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
date = {2022-05-09},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
language = {English},
urldate = {2022-05-17}
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker |
2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220509:seo:cc8b1c2,
author = {The DFIR Report},
title = {{SEO Poisoning – A Gootloader Story}},
date = {2022-05-09},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/},
language = {English},
urldate = {2022-06-09}
}
SEO Poisoning – A Gootloader Story GootLoader LaZagne Cobalt Strike GootKit |
2022-05-09 ⋅ TEAMT5 ⋅ TeamT5 @online{teamt5:20220509:hiding:5e7c212,
author = {TeamT5},
title = {{Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services}},
date = {2022-05-09},
organization = {TEAMT5},
url = {https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services},
language = {English},
urldate = {2022-05-11}
}
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services Cobalt Strike |
2022-05-08 ⋅ IronNet ⋅ Michael Leardi, Joey Fitzpatrick, Brent Eskridge @online{leardi:20220508:tracking:8f52310,
author = {Michael Leardi and Joey Fitzpatrick and Brent Eskridge},
title = {{Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine}},
date = {2022-05-08},
organization = {IronNet},
url = {https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine},
language = {English},
urldate = {2022-05-09}
}
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine Cobalt Strike |
2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220506:this:e7fb654,
author = {Ravie Lakshmanan},
title = {{This New Fileless Malware Hides Shellcode in Windows Event Logs}},
date = {2022-05-06},
organization = {The Hacker News},
url = {https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html},
language = {English},
urldate = {2022-05-08}
}
This New Fileless Malware Hides Shellcode in Windows Event Logs Cobalt Strike |
2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence @online{intelligence:20220506:twitter:7a00df8,
author = {Microsoft Security Intelligence},
title = {{Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity}},
date = {2022-05-06},
organization = {Twitter (@MsftSecIntel)},
url = {https://twitter.com/MsftSecIntel/status/1522690116979855360},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity FAKEUPDATES Blister Cobalt Strike LockBit |
2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj @online{navarrete:20220506:cobalt:8248108,
author = {Chris Navarrete and Durgesh Sangvikar and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding}},
date = {2022-05-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/},
language = {English},
urldate = {2022-05-09}
}
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding Cobalt Strike |
2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay @online{an:20220505:mustang:cbc06e9,
author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay},
title = {{Mustang Panda deploys a new wave of malware targeting Europe}},
date = {2022-05-05},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html},
language = {English},
urldate = {2022-05-05}
}
Mustang Panda deploys a new wave of malware targeting Europe Cobalt Strike Meterpreter PlugX |
2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix @online{felix:20220504:twitter:0fb7e35,
author = {Felix},
title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}},
date = {2022-05-04},
organization = {Twitter (@felixw3000)},
url = {https://twitter.com/felixw3000/status/1521816045769662468},
language = {English},
urldate = {2022-05-09}
}
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC. Cobalt Strike IcedID PhotoLoader |
2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo @online{legezo:20220504:new:02f705f,
author = {Denis Legezo},
title = {{A new secret stash for “fileless” malware}},
date = {2022-05-04},
organization = {Kaspersky},
url = {https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/},
language = {English},
urldate = {2022-05-09}
}
A new secret stash for “fileless” malware Cobalt Strike |
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group @online{group:20220503:solardeflection:5419c1a,
author = {Insikt Group},
title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}},
date = {2022-05-03},
organization = {Recorded Future},
url = {https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/},
language = {English},
urldate = {2022-05-06}
}
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse Cobalt Strike |
2022-05-03 ⋅ Cluster25 ⋅ Cluster25 @online{cluster25:20220503:strange:1481afa,
author = {Cluster25},
title = {{The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet}},
date = {2022-05-03},
organization = {Cluster25},
url = {https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/},
language = {English},
urldate = {2022-05-04}
}
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet Cobalt Strike IsaacWiper PyXie |
2022-05-03 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220503:solardeflection:1470221,
author = {Insikt Group®},
title = {{SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse}},
date = {2022-05-03},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf},
language = {English},
urldate = {2022-05-04}
}
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse Cobalt Strike EnvyScout |
2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON @techreport{mckay:20220502:conti:330e34b,
author = {Kendall McKay and Paul Eubanks and JAIME FILSON},
title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}},
date = {2022-05-02},
institution = {Cisco Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf},
language = {English},
urldate = {2022-05-04}
}
Conti and Hive ransomware operations: Leveraging victim chats for insights Cobalt Strike Conti Hive |
2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20220502:attack:8a7d966,
author = {Hiroshi Takeuchi},
title = {{Attack Campaigns that Exploit Shortcuts and ISO Files}},
date = {2022-05-02},
organization = {Macnica},
url = {https://security.macnica.co.jp/blog/2022/05/iso.html},
language = {Japanese},
urldate = {2022-05-03}
}
Attack Campaigns that Exploit Shortcuts and ISO Files Cobalt Strike |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:c43873f,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Red Menshen |
2022-04-28 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby @online{wolfram:20220428:trello:dab21ca,
author = {John Wolfram and Sarah Hawley and Tyler McLellan and Nick Simonian and Anders Vejlby},
title = {{Trello From the Other Side: Tracking APT29 Phishing Campaigns}},
date = {2022-04-28},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns},
language = {English},
urldate = {2022-04-29}
}
Trello From the Other Side: Tracking APT29 Phishing Campaigns Cobalt Strike |
2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter @online{haughom:20220427:lockbit:da3d5d1,
author = {James Haughom and Júlio Dantas and Jim Walter},
title = {{LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility}},
date = {2022-04-27},
organization = {Sentinel LABS},
url = {https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/},
language = {English},
urldate = {2022-04-29}
}
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility Cobalt Strike LockBit |
2022-04-27 ⋅ Mandiant ⋅ Mandiant @online{mandiant:20220427:assembling:a7068b9,
author = {Mandiant},
title = {{Assembling the Russian Nesting Doll: UNC2452 Merged into APT29}},
date = {2022-04-27},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/unc2452-merged-into-apt29},
language = {English},
urldate = {2022-04-29}
}
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29 Cobalt Strike Raindrop SUNBURST TEARDROP |
2022-04-27 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20220427:le:5d47343,
author = {ANSSI},
title = {{LE GROUPE CYBERCRIMINEL FIN7}},
date = {2022-04-27},
institution = {ANSSI},
url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf},
language = {French},
urldate = {2022-05-05}
}
LE GROUPE CYBERCRIMINEL FIN7 Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot |
2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin @online{flores:20220426:how:28d9476,
author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin},
title = {{How Cybercriminals Abuse Cloud Tunneling Services}},
date = {2022-04-26},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services},
language = {English},
urldate = {2022-05-03}
}
How Cybercriminals Abuse Cloud Tunneling Services AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT |
2022-04-26 ⋅ Intel 471 ⋅ Intel 471 @online{471:20220426:conti:6bcff7d,
author = {Intel 471},
title = {{Conti and Emotet: A constantly destructive duo}},
date = {2022-04-26},
organization = {Intel 471},
url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks},
language = {English},
urldate = {2022-04-29}
}
Conti and Emotet: A constantly destructive duo Cobalt Strike Conti Emotet IcedID QakBot TrickBot |
2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20220425:new:7b1c795,
author = {Morphisec Labs},
title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}},
date = {2022-04-25},
organization = {Morphisec},
url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor},
language = {English},
urldate = {2022-04-29}
}
New Core Impact Backdoor Delivered Via VMware Vulnerability Cobalt Strike JSSLoader |
2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220425:quantum:128d2b3,
author = {The DFIR Report},
title = {{Quantum Ransomware}},
date = {2022-04-25},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/},
language = {English},
urldate = {2022-04-25}
}
Quantum Ransomware Cobalt Strike IcedID |
2022-04-21 ⋅ ZeroSec ⋅ Andy Gill @online{gill:20220421:understanding:65e50fe,
author = {Andy Gill},
title = {{Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6}},
date = {2022-04-21},
organization = {ZeroSec},
url = {https://blog.zsec.uk/cobalt-strike-profiles/},
language = {English},
urldate = {2022-04-24}
}
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6 Cobalt Strike |
2022-04-19 ⋅ Blake's R&D ⋅ bmcder02 @online{bmcder02:20220419:extracting:3e827cf,
author = {bmcder02},
title = {{Extracting Cobalt Strike from Windows Error Reporting}},
date = {2022-04-19},
organization = {Blake's R&D},
url = {https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting},
language = {English},
urldate = {2022-04-20}
}
Extracting Cobalt Strike from Windows Error Reporting Cobalt Strike |
2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia @online{ovadia:20220419:hive:51c5eb7,
author = {Nadav Ovadia},
title = {{Hive Ransomware Analysis}},
date = {2022-04-19},
organization = {Varonis},
url = {https://www.varonis.com/blog/hive-ransomware-analysis},
language = {English},
urldate = {2022-04-25}
}
Hive Ransomware Analysis Cobalt Strike Hive MimiKatz |
2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem @online{mieghem:20220418:blueprint:c4009ef,
author = {Vincent Van Mieghem},
title = {{A blueprint for evading industry leading endpoint protection in 2022}},
date = {2022-04-18},
organization = {vanmieghem},
url = {https://vanmieghem.io/blueprint-for-evading-edr-in-2022/},
language = {English},
urldate = {2022-04-20}
}
A blueprint for evading industry leading endpoint protection in 2022 Cobalt Strike |
2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20220418:enter:2f9b689,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}},
date = {2022-04-18},
organization = {AdvIntel},
url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group},
language = {English},
urldate = {2022-05-17}
}
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive |
2022-04-18 ⋅ SentinelOne ⋅ James Haughom @online{haughom:20220418:from:b73f12b,
author = {James Haughom},
title = {{From the Front Lines | Peering into A PYSA Ransomware Attack}},
date = {2022-04-18},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/},
language = {English},
urldate = {2022-04-20}
}
From the Front Lines | Peering into A PYSA Ransomware Attack Chisel Chisel Cobalt Strike Mespinoza |
2022-04-14 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20220414:orion:9db6814,
author = {Max Malyutin},
title = {{Orion Threat Alert: Flight of the BumbleBee}},
date = {2022-04-14},
organization = {Cynet},
url = {https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/},
language = {English},
urldate = {2022-05-04}
}
Orion Threat Alert: Flight of the BumbleBee BumbleBee Cobalt Strike |
2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20220413:dismantling:ace8546,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}},
date = {2022-04-13},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/},
language = {English},
urldate = {2022-04-14}
}
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware BlackMatter Cobalt Strike DarkSide Ryuk Zloader |
2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka @online{boutin:20220413:eset:7463437,
author = {Jean-Ian Boutin and Tomáš Procházka},
title = {{ESET takes part in global operation to disrupt Zloader botnets}},
date = {2022-04-13},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/},
language = {English},
urldate = {2022-04-14}
}
ESET takes part in global operation to disrupt Zloader botnets Cobalt Strike Zloader |
2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya @online{bykkaya:20220408:threat:cbbf292,
author = {Arda Büyükkaya},
title = {{Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team}},
date = {2022-04-08},
organization = {Infinitum Labs},
url = {https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/},
language = {English},
urldate = {2022-04-08}
}
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team Cobalt Strike MimiKatz |
2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20220407:you:2d088bc,
author = {Splunk Threat Research Team},
title = {{You Bet Your Lsass: Hunting LSASS Access}},
date = {2022-04-07},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html},
language = {English},
urldate = {2022-05-04}
}
You Bet Your Lsass: Hunting LSASS Access Cobalt Strike MimiKatz |
2022-04-07 ⋅ InQuest ⋅ Will MacArthur, Nick Chalard @online{macarthur:20220407:ukraine:99bef5a,
author = {Will MacArthur and Nick Chalard},
title = {{Ukraine CyberWar Overview}},
date = {2022-04-07},
organization = {InQuest},
url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview},
language = {English},
urldate = {2022-04-29}
}
Ukraine CyberWar Overview CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate |
2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya @online{bykkaya:20220406:karakurt:7471190,
author = {Arda Büyükkaya},
title = {{Karakurt Hacking Team Indicators of Compromise (IOC)}},
date = {2022-04-06},
organization = {Github (infinitumlabs)},
url = {https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI},
language = {English},
urldate = {2022-04-08}
}
Karakurt Hacking Team Indicators of Compromise (IOC) Cobalt Strike |
2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague @online{abdo:20220404:fin7:305d62b,
author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague},
title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}},
date = {2022-04-04},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/evolution-of-fin7},
language = {English},
urldate = {2022-06-27}
}
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite |
2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team @online{pantazopoulos:20220331:continuation:b38514d,
author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and {RIFT: Research and Intelligence Fusion Team}},
title = {{Conti-nuation: methods and techniques observed in operations post the leaks}},
date = {2022-03-31},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/},
language = {English},
urldate = {2022-03-31}
}
Conti-nuation: methods and techniques observed in operations post the leaks Cobalt Strike Conti QakBot |
2022-03-31 ⋅ SC Media ⋅ SC Staff @online{staff:20220331:novel:ef704af,
author = {{SC Staff}},
title = {{Novel obfuscation leveraged by Hive ransomware}},
date = {2022-03-31},
organization = {SC Media},
url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware},
language = {English},
urldate = {2022-04-05}
}
Novel obfuscation leveraged by Hive ransomware Cobalt Strike Hive |
2022-03-30 ⋅ Prevailion ⋅ Prevailion @online{prevailion:20220330:wizard:6eb38a7,
author = {Prevailion},
title = {{Wizard Spider continues to confound}},
date = {2022-03-30},
organization = {Prevailion},
url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903},
language = {English},
urldate = {2022-03-31}
}
Wizard Spider continues to confound BazarBackdoor Cobalt Strike Emotet |
2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220330:phishing:035d666,
author = {Bill Toulas},
title = {{Phishing campaign targets Russian govt dissidents with Cobalt Strike}},
date = {2022-03-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/},
language = {English},
urldate = {2022-03-31}
}
Phishing campaign targets Russian govt dissidents with Cobalt Strike Unidentified PS 002 (RAT) Cobalt Strike |
2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi @online{jazi:20220329:new:21f3605,
author = {Hossein Jazi},
title = {{New spear phishing campaign targets Russian dissidents}},
date = {2022-03-29},
organization = {Malwarebytes Labs},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/},
language = {English},
urldate = {2022-03-31}
}
New spear phishing campaign targets Russian dissidents Unidentified PS 002 (RAT) Cobalt Strike |
2022-03-29 ⋅ SentinelOne ⋅ James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias @online{haughom:20220329:from:5e4b8cc,
author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias},
title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}},
date = {2022-03-29},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/},
language = {English},
urldate = {2022-03-31}
}
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection Cobalt Strike Hive |
2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20220328:cobaltstrike:65362d3,
author = {Jason Reaves},
title = {{CobaltStrike UUID stager}},
date = {2022-03-28},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64},
language = {English},
urldate = {2022-04-05}
}
CobaltStrike UUID stager Cobalt Strike |
2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu @online{hu:20220325:mining:287a2e7,
author = {Yun Zheng Hu},
title = {{Mining data from Cobalt Strike beacons}},
date = {2022-03-25},
organization = {nccgroup},
url = {https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/},
language = {English},
urldate = {2022-03-28}
}
Mining data from Cobalt Strike beacons Cobalt Strike |
2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP) @online{cip:20220325:who:e75f0ac,
author = {{State Service of Special Communication and Information Protection of Ukraine (CIP)}},
title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}},
date = {2022-03-25},
organization = {GOV.UA},
url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya},
language = {English},
urldate = {2022-03-28}
}
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora |
2022-03-24 ⋅ Twitter (@ESETresearch) ⋅ ESET Research @online{research:20220324:pipemon:351014e,
author = {{ESET Research}},
title = {{Tweet on PipeMon variants by Winnti Group}},
date = {2022-03-24},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1506904404225630210},
language = {English},
urldate = {2022-03-30}
}
Tweet on PipeMon variants by Winnti Group PipeMon |
2022-03-22 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20220322:2022:67c40ea,
author = {{Red Canary}},
title = {{2022 Threat Detection Report}},
date = {2022-03-22},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf},
language = {English},
urldate = {2022-03-23}
}
2022 Threat Detection Report FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT |
2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens @online{stevens:20220322:cobalt:fdf35ba,
author = {Didier Stevens},
title = {{Cobalt Strike: Overview – Part 7}},
date = {2022-03-22},
organization = {NVISO Labs},
url = {https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/},
language = {English},
urldate = {2022-03-23}
}
Cobalt Strike: Overview – Part 7 Cobalt Strike |
2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220321:conti:507fdf9,
author = {{eSentire Threat Response Unit (TRU)}},
title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}},
date = {2022-03-21},
organization = {eSentire},
url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire},
language = {English},
urldate = {2022-05-23}
}
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID |
2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas @online{vaas:20220321:conti:0b203c8,
author = {Lisa Vaas},
title = {{Conti Ransomware V. 3, Including Decryptor, Leaked}},
date = {2022-03-21},
organization = {Threat Post},
url = {https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/},
language = {English},
urldate = {2022-03-22}
}
Conti Ransomware V. 3, Including Decryptor, Leaked Cobalt Strike Conti TrickBot |
2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group @online{stolyarov:20220317:exposing:f818c6d,
author = {Vladislav Stolyarov and Benoit Sevens and {Google Threat Analysis Group}},
title = {{Exposing initial access broker with ties to Conti}},
date = {2022-03-17},
organization = {Google},
url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/},
language = {English},
urldate = {2022-03-18}
}
Exposing initial access broker with ties to Conti BazarBackdoor BumbleBee Cobalt Strike Conti |
2022-03-16 ⋅ paloalto Networks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj @online{navarrete:20220316:cobalt:015f5df,
author = {Chris Navarrete and Durgesh Sangvikar and Andrew Guan and Yu Fu and Yanhui Jia and Siddhart Shibiraj},
title = {{Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect}},
date = {2022-03-16},
organization = {paloalto Networks: Unit42},
url = {https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/},
language = {English},
urldate = {2022-03-18}
}
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect Cobalt Strike |
2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan @online{duncan:20220316:qakbot:7fe703f,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {SANS ISC},
url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20220316:qakbot:ff11e1e,
author = {Brad Duncan},
title = {{Qakbot infection with Cobalt Strike and VNC activity}},
date = {2022-03-16},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/28448},
language = {English},
urldate = {2022-03-17}
}
Qakbot infection with Cobalt Strike and VNC activity Cobalt Strike QakBot |
2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich @online{ehrlich:20220315:threat:7f64477,
author = {Amitai Ben Shushan Ehrlich},
title = {{Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software}},
date = {2022-03-15},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/},
language = {English},
urldate = {2022-03-17}
}
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software Cobalt Strike GraphSteel GrimPlant SaintBear |
2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith @online{stafford:20220315:what:1df16e6,
author = {Matt Stafford and Sherman Smith},
title = {{What Wicked Webs We Un-weave}},
date = {2022-03-15},
organization = {Prevailion},
url = {https://www.prevailion.com/what-wicked-webs-we-unweave/},
language = {English},
urldate = {2022-03-17}
}
What Wicked Webs We Un-weave Cobalt Strike Conti |
2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220314:fake:c599da1,
author = {Bill Toulas},
title = {{Fake antivirus updates used to deploy Cobalt Strike in Ukraine}},
date = {2022-03-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/},
language = {English},
urldate = {2022-03-15}
}
Fake antivirus updates used to deploy Cobalt Strike in Ukraine Cobalt Strike |
2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa @online{parsa:20220312:analyzing:5b0c5f2,
author = {Arash Parsa},
title = {{Analyzing Malware with Hooks, Stomps, and Return-addresses}},
date = {2022-03-12},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/catching-a-malware-with-no-name/},
language = {English},
urldate = {2022-03-28}
}
Analyzing Malware with Hooks, Stomps, and Return-addresses Cobalt Strike |
2022-03-11 ⋅ Cert-UA @online{certua:20220311:cyberattack:1e34a52,
author = {Cert-UA},
title = {{Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA\#4145)}},
date = {2022-03-11},
url = {https://cert.gov.ua/article/37704},
language = {Ukrainian},
urldate = {2022-03-14}
}
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145) Cobalt Strike |
2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20220309:cisa:63f18cd,
author = {Ionut Ilascu},
title = {{CISA updates Conti ransomware alert with nearly 100 domain names}},
date = {2022-03-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/},
language = {English},
urldate = {2022-03-10}
}
CISA updates Conti ransomware alert with nearly 100 domain names BazarBackdoor Cobalt Strike Conti TrickBot |
2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini @online{figueroa:20220309:conti:d237b64,
author = {Marco Figueroa and Napoleon Bing and Bernard Silvestrini},
title = {{The Conti Leaks | Insight into a Ransomware Unicorn}},
date = {2022-03-09},
organization = {BreachQuest},
url = {https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/},
language = {English},
urldate = {2022-03-14}
}
The Conti Leaks | Insight into a Ransomware Unicorn Cobalt Strike MimiKatz TrickBot |
2022-03-08 ⋅ Mandiant ⋅ Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram @online{brown:20220308:does:94c6c3e,
author = {Rufus Brown and Van Ta and Douglas Bienstock and Geoff Ackerman and John Wolfram},
title = {{Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments}},
date = {2022-03-08},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/apt41-us-state-governments},
language = {English},
urldate = {2022-03-10}
}
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments KEYPLUG Cobalt Strike LOWKEY |
2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220307:2021:c2e2fbe,
author = {{The DFIR Report}},
title = {{2021 Year In Review}},
date = {2022-03-07},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/03/07/2021-year-in-review/},
language = {English},
urldate = {2022-03-07}
}
2021 Year In Review Cobalt Strike |
2022-03-04 ⋅ Telsy ⋅ Telsy @online{telsy:20220304:legitimate:d46b40c,
author = {Telsy},
title = {{Legitimate Sites Used As Cobalt Strike C2s Against Indian Government}},
date = {2022-03-04},
organization = {Telsy},
url = {https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/},
language = {English},
urldate = {2022-03-07}
}
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government Cobalt Strike |
2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20220303:cyberattacks:d961eb0,
author = {{Trend Micro Research}},
title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}},
date = {2022-03-03},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html},
language = {English},
urldate = {2022-03-04}
}
Cyberattacks are Prominent in the Russia-Ukraine Conflict BazarBackdoor Cobalt Strike Conti Emotet WhisperGate |
2022-03 ⋅ VirusTotal ⋅ VirusTotal @techreport{virustotal:202203:virustotals:c6af9c1,
author = {VirusTotal},
title = {{VirusTotal's 2021 Malware Trends Report}},
date = {2022-03},
institution = {VirusTotal},
url = {https://assets.virustotal.com/reports/2021trends.pdf},
language = {English},
urldate = {2022-04-13}
}
VirusTotal's 2021 Malware Trends Report Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT |
2022-02-24 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20220224:new:014251e,
author = {Max Malyutin},
title = {{New Wave of Emotet – When Project X Turns Into Y}},
date = {2022-02-24},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/},
language = {English},
urldate = {2022-05-04}
}
New Wave of Emotet – When Project X Turns Into Y Cobalt Strike Emotet |
2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez @online{gutierrez:20220224:nobelium:46d943e,
author = {Fred Gutierrez},
title = {{Nobelium Returns to the Political World Stage}},
date = {2022-02-24},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage},
language = {English},
urldate = {2022-03-02}
}
Nobelium Returns to the Political World Stage Cobalt Strike |
2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20220223:24:59b3a28,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)}},
date = {2022-02-23},
organization = {AdvIntel},
url = {https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir},
language = {English},
urldate = {2022-03-01}
}
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR) Cobalt Strike Conti |
2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt @online{brandt:20220223:dridex:c1d4784,
author = {Andrew Brandt},
title = {{Dridex bots deliver Entropy ransomware in recent attacks}},
date = {2022-02-23},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/},
language = {English},
urldate = {2022-03-01}
}
Dridex bots deliver Entropy ransomware in recent attacks Cobalt Strike Dridex Entropy |
2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach @online{ebach:20220223:what:0a4496e,
author = {Luca Ebach},
title = {{What the Pack(er)?}},
date = {2022-02-23},
organization = {cyber.wtf blog},
url = {https://cyber.wtf/2022/03/23/what-the-packer/},
language = {English},
urldate = {2022-03-25}
}
What the Pack(er)? Cobalt Strike Emotet |
2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220222:icedid:67f870d,
author = {{eSentire Threat Response Unit (TRU)}},
title = {{IcedID to Cobalt Strike In Under 20 Minutes}},
date = {2022-02-22},
organization = {eSentire},
url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes},
language = {English},
urldate = {2022-05-23}
}
IcedID to Cobalt Strike In Under 20 Minutes Cobalt Strike IcedID PhotoLoader |
2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220222:vulnerable:80109eb,
author = {Bill Toulas},
title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}},
date = {2022-02-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/},
language = {English},
urldate = {2022-02-26}
}
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike Cobalt Strike Kingminer Lemon Duck |
2022-02-21 ⋅ ASEC @online{asec:20220221:cobalt:82a24d8,
author = {ASEC},
title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}},
date = {2022-02-21},
url = {https://asec.ahnlab.com/en/31811/},
language = {English},
urldate = {2022-02-26}
}
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers Cobalt Strike Lemon Duck |
2022-02-21 ⋅ The DFIR Report @online{report:20220221:qbot:8b10b52,
author = {{The DFIR Report}},
title = {{Qbot and Zerologon Lead To Full Domain Compromise}},
date = {2022-02-21},
url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/},
language = {English},
urldate = {2022-02-26}
}
Qbot and Zerologon Lead To Full Domain Compromise Cobalt Strike QakBot |
2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress @online{socfortress:20220220:detecting:5d28c28,
author = {SOCFortress},
title = {{Detecting Cobalt Strike Beacons}},
date = {2022-02-20},
organization = {Medium SOCFortress},
url = {https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654},
language = {English},
urldate = {2022-02-26}
}
Detecting Cobalt Strike Beacons Cobalt Strike |
2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan @online{brennan:20220218:hackers:243d8b8,
author = {Matthew Brennan},
title = {{Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection}},
date = {2022-02-18},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection},
language = {English},
urldate = {2022-02-26}
}
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection Cobalt Strike |
2022-02-16 ⋅ Security Onion ⋅ Doug Burks @online{burks:20220216:quick:e515983,
author = {Doug Burks},
title = {{Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08}},
date = {2022-02-16},
organization = {Security Onion},
url = {https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html},
language = {English},
urldate = {2022-02-17}
}
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08 Cobalt Strike Emotet |
2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220215:increase:a4de9ce,
author = {{eSentire Threat Response Unit (TRU)}},
title = {{Increase in Emotet Activity and Cobalt Strike Deployment}},
date = {2022-02-15},
organization = {eSentire},
url = {https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment},
language = {English},
urldate = {2022-05-23}
}
Increase in Emotet Activity and Cobalt Strike Deployment Cobalt Strike Emotet |
2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team @online{team:20220210:threat:320574f,
author = {{Cybereason Global SOC Team}},
title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}},
date = {2022-02-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot},
language = {English},
urldate = {2022-02-10}
}
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot Cobalt Strike Emotet IcedID QakBot |
2022-02-09 ⋅ vmware ⋅ VMWare @techreport{vmware:20220209:exposing:7b5f76e,
author = {VMWare},
title = {{Exposing Malware in Linux-Based Multi-Cloud Environments}},
date = {2022-02-09},
institution = {vmware},
url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf},
language = {English},
urldate = {2022-02-10}
}
Exposing Malware in Linux-Based Multi-Cloud Environments ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike |
2022-01-31 ⋅ CyberArk ⋅ Arash Parsa @online{parsa:20220131:analyzing:c496cc6,
author = {Arash Parsa},
title = {{Analyzing Malware with Hooks, Stomps and Return-addresses}},
date = {2022-01-31},
organization = {CyberArk},
url = {https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2},
language = {English},
urldate = {2022-05-09}
}
Analyzing Malware with Hooks, Stomps and Return-addresses Cobalt Strike |
2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20220128:log4j:ee487ec,
author = {{Morphisec Labs}},
title = {{Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk}},
date = {2022-01-28},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications},
language = {English},
urldate = {2022-02-02}
}
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk Cobalt Strike |
2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru @techreport{yanagishita:20220127:what:3c59dc9,
author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
title = {{What We Can Do against the Chaotic A41APT Campaign}},
date = {2022-01-27},
institution = {JSAC 2021},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
language = {English},
urldate = {2022-05-17}
}
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2022-01-26 ⋅ Blackberry ⋅ Ryan Gibson, Codi Starks, Will Ikard @online{gibson:20220126:log4u:3f2992b,
author = {Ryan Gibson and Codi Starks and Will Ikard},
title = {{Log4U, Shell4Me}},
date = {2022-01-26},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/log4u-shell4me},
language = {English},
urldate = {2022-01-31}
}
Log4U, Shell4Me Cobalt Strike |
2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team @online{team:20220125:threats:5269cbc,
author = {{Orion Threat Research and Intelligence Team}},
title = {{Threats Looming Over the Horizon}},
date = {2022-01-25},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/},
language = {English},
urldate = {2022-01-28}
}
Threats Looming Over the Horizon Cobalt Strike Meterpreter NightSky |
2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20220124:cobalt:b0b48ee,
author = {{The DFIR Report}},
title = {{Cobalt Strike, a Defender’s Guide – Part 2}},
date = {2022-01-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/},
language = {English},
urldate = {2022-01-25}
}
Cobalt Strike, a Defender’s Guide – Part 2 Cobalt Strike |
2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik @online{gorelik:20220120:log4j:99fd2e0,
author = {Michael Gorelik},
title = {{Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk}},
date = {2022-01-20},
organization = {Morphisec},
url = {https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk},
language = {English},
urldate = {2022-01-25}
}
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk Cobalt Strike |
2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220119:kraken:5b52d17,
author = {{The BlackBerry Research \& Intelligence Team}},
title = {{Kraken the Code on Prometheus}},
date = {2022-01-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus},
language = {English},
urldate = {2022-05-25}
}
Kraken the Code on Prometheus Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk |
2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team @online{cowie:20220119:zloader:e87c22c,
author = {Colin Cowie and Mat Gangwer and Stan Andic and {Sophos MTR Team}},
title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}},
date = {2022-01-19},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/},
language = {English},
urldate = {2022-01-25}
}
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike Cobalt Strike Zloader |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin @online{ditch:20220119:collecting:696e5d0,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Collecting Cobalt Strike Beacons with the Elastic Stack}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/},
language = {English},
urldate = {2022-01-25}
}
Collecting Cobalt Strike Beacons with the Elastic Stack Cobalt Strike |
2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin @online{ditch:20220119:extracting:39bd5e5,
author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin},
title = {{Extracting Cobalt Strike Beacon Configurations}},
date = {2022-01-19},
organization = {Elastic},
url = {https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/},
language = {English},
urldate = {2022-01-25}
}
Extracting Cobalt Strike Beacon Configurations Cobalt Strike |
2022-01-18 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20220118:2021:9cff6fc,
author = {{Insikt Group®}},
title = {{2021 Adversary Infrastructure Report}},
date = {2022-01-18},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf},
language = {English},
urldate = {2022-01-24}
}
2021 Adversary Infrastructure Report BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot |
2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220116:analyzing:2c8a9db,
author = {Tony Lambert},
title = {{Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike}},
date = {2022-01-16},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/},
language = {English},
urldate = {2022-01-25}
}
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike CACTUSTORCH Cobalt Strike |
2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress @online{huntress:20220115:threat:cb103f0,
author = {{Team Huntress}},
title = {{Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)}},
date = {2022-01-15},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike},
language = {English},
urldate = {2022-03-07}
}
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401) Cobalt Strike |
2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro @online{refaeli:20220111:threat:fd22089,
author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro},
title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}},
date = {2022-01-11},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike},
language = {English},
urldate = {2022-01-18}
}
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20220111:signed:0f32583,
author = {Jason Reaves and Joshua Platt},
title = {{Signed DLL campaigns as a service}},
date = {2022-01-11},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489},
language = {English},
urldate = {2022-01-25}
}
Signed DLL campaigns as a service Cobalt Strike ISFB Zloader |
2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer @online{glyer:20220111:thread:ae5ec3d,
author = {Christopher Glyer},
title = {{Thread on DEV-0401, a China-based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}},
date = {2022-01-11},
organization = {Twitter (@cglyer)},
url = {https://twitter.com/cglyer/status/1480742363991580674},
language = {English},
urldate = {2022-01-25}
}
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware Cobalt Strike NightSky |
2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220109:inspecting:4681f0a,
author = {Tony Lambert},
title = {{Inspecting a PowerShell Cobalt Strike Beacon}},
date = {2022-01-09},
organization = {forensicitguy},
url = {https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/},
language = {English},
urldate = {2022-01-25}
}
Inspecting a PowerShell Cobalt Strike Beacon Cobalt Strike |
2022-01-06 ⋅ Sekoia ⋅ sekoia @online{sekoia:20220106:nobeliums:de631e8,
author = {sekoia},
title = {{NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies}},
date = {2022-01-06},
organization = {Sekoia},
url = {https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/},
language = {English},
urldate = {2022-01-10}
}
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies Cobalt Strike EnvyScout |
2021-12-29 ⋅ Blake's R&D ⋅ Blake @online{blake:20211229:cobalt:b8c08bb,
author = {Blake},
title = {{Cobalt Strike DFIR: Listening to the Pipes}},
date = {2021-12-29},
organization = {Blake's R\&D},
url = {https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes},
language = {English},
urldate = {2021-12-31}
}
Cobalt Strike DFIR: Listening to the Pipes Cobalt Strike |
2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team @online{wiley:20211229:overwatch:35d7dee,
author = {Benjamin Wiley and Falcon OverWatch Team},
title = {{OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt}},
date = {2021-12-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/},
language = {English},
urldate = {2021-12-31}
}
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt Cobalt Strike AQUATIC PANDA |
2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho @online{marinho:20211228:attackers:48320eb,
author = {Renato Marinho},
title = {{Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons}},
date = {2021-12-28},
organization = {Morphus Labs},
url = {https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42},
language = {English},
urldate = {2021-12-31}
}
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons Cobalt Strike |
2021-12-22 ⋅ Telsy ⋅ Telsy Research Team @online{team:20211222:phishing:ffa707a,
author = {Telsy Research Team},
title = {{Phishing Campaign targeting citizens abroad using COVID-19 theme lures}},
date = {2021-12-22},
organization = {Telsy},
url = {https://www.telsy.com/download/5972/?uid=d7c082ba55},
language = {English},
urldate = {2022-01-25}
}
Phishing Campaign targeting citizens abroad using COVID-19 theme lures Cobalt Strike |
2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20211216:intelligence:f7bad55,
author = {The Red Canary Team},
title = {{Intelligence Insights: December 2021}},
date = {2021-12-16},
organization = {Red Canary},
url = {https://redcanary.com/blog/intelligence-insights-december-2021},
language = {English},
urldate = {2021-12-31}
}
Intelligence Insights: December 2021 Cobalt Strike QakBot Squirrelwaffle |
2021-12-10 ⋅ Accenture ⋅ Accenture @online{accenture:20211210:karakurt:5bb6d9c,
author = {Accenture},
title = {{Karakurt rises from its lair}},
date = {2021-12-10},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation},
language = {English},
urldate = {2021-12-15}
}
Karakurt rises from its lair Cobalt Strike |
2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20211207:emotet:f33c999,
author = {Lawrence Abrams},
title = {{Emotet now drops Cobalt Strike, fast forwards ransomware attacks}},
date = {2021-12-07},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/},
language = {English},
urldate = {2021-12-08}
}
Emotet now drops Cobalt Strike, fast forwards ransomware attacks Cobalt Strike Emotet |
2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART) @online{jenkins:20211206:suspected:d9da4ec,
author = {Luke Jenkins and Sarah Hawley and Parnian Najafi and Doug Bienstock and Luis Rocha and Marius Fodoreanu and Mitchell Clarke and Manfred Erjak and Josh Madeley and Ashraf Abdalhalim and Juraj Sucik and Wojciech Ledzion and Gabriella Roncone and Jonathan Leathery and Ben Read and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART)},
title = {{Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)}},
date = {2021-12-06},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/russian-targeting-gov-business},
language = {English},
urldate = {2021-12-07}
}
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452) Cobalt Strike CryptBot |
2021-12-06 ⋅ CERT-FR ⋅ CERT-FR @online{certfr:20211206:phishing:c58da54,
author = {CERT-FR},
title = {{Phishing campaigns by the Nobelium intrusion set}},
date = {2021-12-06},
organization = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/},
language = {English},
urldate = {2021-12-07}
}
Phishing campaigns by the Nobelium intrusion set Cobalt Strike |
2021-12-02 ⋅ CERT-FR ⋅ CERT-FR @techreport{certfr:20211202:phishing:c22ef4f,
author = {CERT-FR},
title = {{Phishing Campaigns by the Nobelium Intrusion Set}},
date = {2021-12-02},
institution = {CERT-FR},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf},
language = {English},
urldate = {2021-12-07}
}
Phishing Campaigns by the Nobelium Intrusion Set Cobalt Strike |
2021-11-30 ⋅ Broadcom ⋅ Symantec Threat Hunter Team @online{team:20211130:yanluowang:538b90c,
author = {Symantec Threat Hunter Team},
title = {{Yanluowang: Further Insights on New Ransomware Threat}},
date = {2021-11-30},
organization = {Broadcom},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue},
language = {English},
urldate = {2021-11-30}
}
Yanluowang: Further Insights on New Ransomware Threat BazarBackdoor Cobalt Strike FiveHands |
2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211129:continuing:646e622,
author = {The DFIR Report},
title = {{CONTInuing the Bazar Ransomware Story}},
date = {2021-11-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/},
language = {English},
urldate = {2021-12-07}
}
CONTInuing the Bazar Ransomware Story BazarBackdoor Cobalt Strike Conti |
2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer @online{mclellan:20211129:kittengif:efb8036,
author = {Tyler McLellan and Brandan Schondorfer},
title = {{Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again}},
date = {2021-11-29},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/sabbath-ransomware-affiliate},
language = {English},
urldate = {2021-11-30}
}
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again Cobalt Strike |
2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar @online{fahmy:20211119:squirrelwaffle:1e8fa78,
author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar},
title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}},
date = {2021-11-19},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html},
language = {English},
urldate = {2021-11-25}
}
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains Cobalt Strike QakBot Squirrelwaffle |
2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque @online{fahmy:20211117:analyzing:c6c52d1,
author = {Mohamed Fahmy and Abdelrhman Sharshar and Sherif Magdy and Ryan Maglaque},
title = {{Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR}},
date = {2021-11-17},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html},
language = {English},
urldate = {2021-11-18}
}
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR Cobalt Strike Cotx RAT |
2021-11-17 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211117:cobalt:0b6ecf5,
author = {Didier Stevens},
title = {{Cobalt Strike: Decrypting Obfuscated Traffic – Part 4}},
date = {2021-11-17},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/},
language = {English},
urldate = {2021-11-18}
}
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 Cobalt Strike |
2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20211117:matanbuchus:9e3556c,
author = {Unit 42},
title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}},
date = {2021-11-17},
organization = {Twitter (@Unit42\_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1461004489234829320},
language = {English},
urldate = {2021-11-25}
}
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike Cobalt Strike QakBot |
2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery @online{avery:20211117:dns:847b573,
author = {Kyle Avery},
title = {{DNS Over HTTPS for Cobalt Strike}},
date = {2021-11-17},
organization = {Black Hills Information Security},
url = {https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/},
language = {English},
urldate = {2022-02-19}
}
DNS Over HTTPS for Cobalt Strike Cobalt Strike |
2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson @techreport{oleary:20211116:finding:e8594dd,
author = {T.J. O'Leary and Tom Bonner and Marta Janus and Dean Given and Eoin Wickens and Jim Simpson},
title = {{Finding Beacons in the dark}},
date = {2021-11-16},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-18}
}
Finding Beacons in the dark Cobalt Strike |
2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra @online{raghuprasad:20211116:attackers:c31ad77,
author = {Chetan Raghuprasad and Vanja Svajcer and Asheer Malhotra},
title = {{Attackers use domain fronting technique to target Myanmar with Cobalt Strike}},
date = {2021-11-16},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html},
language = {English},
urldate = {2021-11-17}
}
Attackers use domain fronting technique to target Myanmar with Cobalt Strike Cobalt Strike |
2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski @online{research:20211116:how:d7fdaf8,
author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski},
title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}},
date = {2021-11-16},
organization = {IronNet},
url = {https://www.ironnet.com/blog/ransomware-graphic-blog},
language = {English},
urldate = {2021-11-25}
}
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware Cobalt Strike Conti IcedID REvil |
2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani @online{viggiani:20211115:proxyshell:bf17c6d,
author = {Fabio Viggiani},
title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}},
date = {2021-11-15},
organization = {TRUESEC},
url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks},
language = {English},
urldate = {2021-11-17}
}
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks Cobalt Strike Conti QakBot |
2021-11-13 ⋅ Just Still ⋅ Still Hsu @online{hsu:20211113:threat:597b1a0,
author = {Still Hsu},
title = {{Threat Spotlight - Domain Fronting}},
date = {2021-11-13},
organization = {Just Still},
url = {https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/},
language = {English},
urldate = {2021-11-18}
}
Threat Spotlight - Domain Fronting Cobalt Strike |
2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20211112:multistage:e70f6d0,
author = {Hossein Jazi},
title = {{A multi-stage PowerShell based attack targets Kazakhstan}},
date = {2021-11-12},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/},
language = {English},
urldate = {2021-11-17}
}
A multi-stage PowerShell based attack targets Kazakhstan Cobalt Strike |
2021-11-11 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20211111:duck:897cc6f,
author = {Max Malyutin},
title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}},
date = {2021-11-11},
organization = {Cynet},
url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/},
language = {English},
urldate = {2021-11-25}
}
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation Cobalt Strike QakBot |
2021-11-10 ⋅ AT&T ⋅ Josh Gomez @online{gomez:20211110:stories:4ce1168,
author = {Josh Gomez},
title = {{Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!}},
date = {2021-11-10},
organization = {AT\&T},
url = {https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my},
language = {English},
urldate = {2021-11-17}
}
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY! Cobalt Strike Conti |
2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team @online{team:20211110:walking:cc41f24,
author = {Cyber Threat Intelligence team},
title = {{Walking on APT31 infrastructure footprints}},
date = {2021-11-10},
organization = {Sekoia},
url = {https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/},
language = {English},
urldate = {2021-11-11}
}
Walking on APT31 infrastructure footprints Rekoobe Unidentified ELF 004 Cobalt Strike |
2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem @online{milenkoski:20211109:threat:9f898c9,
author = {Aleksandar Milenkoski and Eli Salem},
title = {{THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware}},
date = {2021-11-09},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware},
language = {English},
urldate = {2022-02-09}
}
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware Cobalt Strike Conti |
2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20211105:ta551:98c564e,
author = {Unit 42},
title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}},
date = {2021-11-05},
organization = {Twitter (@Unit42\_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1458113934024757256},
language = {English},
urldate = {2021-11-17}
}
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops BazarBackdoor Cobalt Strike |
2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211105:hunter:3c7bab9,
author = {{The BlackBerry Research \& Intelligence Team}},
title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}},
date = {2021-11-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/11/zebra2104},
language = {English},
urldate = {2021-11-08}
}
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity |
2021-11-03 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211103:cobalt:8f8223d,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3}},
date = {2021-11-03},
organization = {nviso},
url = {https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/},
language = {English},
urldate = {2021-11-08}
}
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 Cobalt Strike |
2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens @online{stevens:20211103:new:6f8b92c,
author = {Didier Stevens},
title = {{New Tool: cs-extract-key.py}},
date = {2021-11-03},
organization = {Didier Stevens},
url = {https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/},
language = {English},
urldate = {2021-11-17}
}
New Tool: cs-extract-key.py Cobalt Strike |
2021-11-02 ⋅ Intel 471 ⋅ Intel 471 @online{471:20211102:cybercrime:4d53035,
author = {Intel 471},
title = {{Cybercrime underground flush with shipping companies’ credentials}},
date = {2021-11-02},
organization = {Intel 471},
url = {https://intel471.com/blog/shipping-companies-ransomware-credentials},
language = {English},
urldate = {2021-11-03}
}
Cybercrime underground flush with shipping companies’ credentials Cobalt Strike Conti |
2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax @online{cyb3rsn0rlax:20211102:detecting:a2828eb,
author = {Cyb3rSn0rlax},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2}},
date = {2021-11-02},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2 Cobalt Strike Conti |
2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme @online{laflamme:20211102:cobalt:d09aa11,
author = {Olivier Laflamme},
title = {{Cobalt Strike Process Injection}},
date = {2021-11-02},
organization = {boschko.ca blog},
url = {https://boschko.ca/cobalt-strike-process-injection/},
language = {English},
urldate = {2021-11-29}
}
Cobalt Strike Process Injection Cobalt Strike |
2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill @online{larrieu:20211101:diving:a732a35,
author = {Heather Larrieu and Curt Wilson and Katrina Hill},
title = {{Diving into double extortion campaigns}},
date = {2021-11-01},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns},
language = {English},
urldate = {2021-11-03}
}
Diving into double extortion campaigns Cobalt Strike MimiKatz |
2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o @online{iiamaleks:20211101:from:2348d47,
author = {@iiamaleks and @samaritan\_o},
title = {{From Zero to Domain Admin}},
date = {2021-11-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/},
language = {English},
urldate = {2021-11-03}
}
From Zero to Domain Admin Cobalt Strike Hancitor |
2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України @online{:20211029:cyberpolice:fc43b20,
author = {Національна поліція України},
title = {{Cyberpolice exposes transnational criminal group in causing \$ 120 million in damage to foreign companies}},
date = {2021-10-29},
organization = {Національна поліція України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-11-02}
}
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-29 ⋅ Europol ⋅ Europol @online{europol:20211029:12:5c0fd59,
author = {Europol},
title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}},
date = {2021-10-29},
organization = {Europol},
url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure},
language = {English},
urldate = {2021-11-02}
}
12 targeted for involvement in ransomware attacks against critical infrastructure Cobalt Strike Dharma LockerGoga MegaCortex TrickBot |
2021-10-27 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211027:cobalt:b91181a,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2}},
date = {2021-10-27},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/},
language = {English},
urldate = {2021-11-03}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2 Cobalt Strike |
2021-10-26 ⋅ ANSSI @techreport{anssi:20211026:identification:9444ac3,
author = {ANSSI},
title = {{Identification of a new cyber criminal group: Lockean}},
date = {2021-10-26},
institution = {},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf},
language = {English},
urldate = {2022-01-25}
}
Identification of a new cyber criminal group: Lockean Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil |
2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA @online{ouadia:20211026:detecting:2a3e2fa,
author = {Hamza OUADIA},
title = {{Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1}},
date = {2021-10-26},
organization = {unh4ck},
url = {https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1},
language = {English},
urldate = {2021-11-03}
}
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1 Cobalt Strike Conti |
2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis @online{brumaghin:20211026:squirrelwaffle:88c5943,
author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis},
title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}},
date = {2021-10-26},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html},
language = {English},
urldate = {2021-11-02}
}
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike Cobalt Strike QakBot Squirrelwaffle |
2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson @online{clinton:20211021:stopping:3c26152,
author = {Alex Clinton and Tasha Robinson},
title = {{Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign}},
date = {2021-10-21},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/},
language = {English},
urldate = {2021-11-02}
}
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign Cobalt Strike FlawedGrace TinyMet |
2021-10-21 ⋅ nviso ⋅ Didier Stevens @online{stevens:20211021:cobalt:bfc8702,
author = {Didier Stevens},
title = {{Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1}},
date = {2021-10-21},
organization = {nviso},
url = {https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/},
language = {English},
urldate = {2021-10-26}
}
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1 Cobalt Strike |
2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20211018:harvester:ad72962,
author = {Threat Hunter Team},
title = {{Harvester: Nation-state-backed group uses new toolset to target victims in South Asia}},
date = {2021-10-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia},
language = {English},
urldate = {2021-11-03}
}
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia Cobalt Strike Graphon |
2021-10-18 ⋅ paloalto Networks: Unit42 ⋅ Brad Duncan @online{duncan:20211018:case:bdd95ff,
author = {Brad Duncan},
title = {{Case Study: From BazarLoader to Network Reconnaissance}},
date = {2021-10-18},
organization = {paloalto Networks: Unit42},
url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/},
language = {English},
urldate = {2021-10-22}
}
Case Study: From BazarLoader to Network Reconnaissance BazarBackdoor Cobalt Strike |
2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211018:icedid:0b574b0,
author = {The DFIR Report},
title = {{IcedID to XingLocker Ransomware in 24 hours}},
date = {2021-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/},
language = {English},
urldate = {2021-10-22}
}
IcedID to XingLocker Ransomware in 24 hours Cobalt Strike IcedID Mount Locker |
2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20211014:investigation:29ef29c,
author = {Jason Reaves},
title = {{Investigation into the state of NIM malware Part 2}},
date = {2021-10-14},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671},
language = {English},
urldate = {2021-12-15}
}
Investigation into the state of NIM malware Part 2 Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware) |
2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20211013:blackberry:9892a2c,
author = {{BlackBerry Research \& Intelligence Team}},
title = {{BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book}},
date = {2021-10-13},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book},
language = {English},
urldate = {2022-04-25}
}
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book Cobalt Strike |
2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman @online{rahman:20211012:defining:df3f43c,
author = {Alyssa Rahman},
title = {{Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis}},
date = {2021-10-12},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/defining-cobalt-strike-components},
language = {English},
urldate = {2021-11-02}
}
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis Cobalt Strike |
2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence @online{intelligence:20211011:moving:3b0eaec,
author = {Accenture Cyber Threat Intelligence},
title = {{Moving Left of the Ransomware Boom}},
date = {2021-10-11},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom},
language = {English},
urldate = {2021-11-03}
}
Moving Left of the Ransomware Boom REvil Cobalt Strike MimiKatz RagnarLocker REvil |
2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong @online{dong:20211008:squirrelwaffle:4549cd1,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing The Main Loader}},
date = {2021-10-08},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing The Main Loader Cobalt Strike Squirrelwaffle |
2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team @online{team:20211007:fin12:505a3a8,
author = {Mandiant Research Team},
title = {{FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets}},
date = {2021-10-07},
organization = {Mandiant},
url = {https://www.mandiant.com/media/12596/download},
language = {English},
urldate = {2021-11-27}
}
FIN12 Group Profile: FIN12 Prioritizes Speed to Deploy Ransomware Against High-Value Targets Cobalt Strike Empire Downloader TrickBot |
2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20211007:squirrelwaffle:3506816,
author = {Gustavo Palazolo and Ghanashyam Satpathy},
title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}},
date = {2021-10-07},
organization = {Netskope},
url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot},
language = {English},
urldate = {2021-10-11}
}
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot Cobalt Strike QakBot Squirrelwaffle |
2021-10-06 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20211006:finding:50936df,
author = {Blackberry Research},
title = {{Finding Beacons in the Dark}},
date = {2021-10-06},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf},
language = {English},
urldate = {2021-11-08}
}
Finding Beacons in the Dark Cobalt Strike |
2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211005:drawing:e53477d,
author = {The BlackBerry Research & Intelligence Team},
title = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
date = {2021-10-05},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
language = {English},
urldate = {2021-10-11}
}
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah @online{gallagher:20211004:atom:782b979,
author = {Sean Gallagher and Vikas Singh and Krisztián Diriczi and Kajal Katiyar and Chaitanya Ghorpade and Rahil Shah},
title = {{Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack}},
date = {2021-10-04},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/},
language = {English},
urldate = {2021-10-11}
}
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack ATOMSILO Cobalt Strike |
2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20211004:bazarloader:fe3adf3,
author = {The DFIR Report},
title = {{BazarLoader and the Conti Leaks}},
date = {2021-10-04},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/},
language = {English},
urldate = {2021-10-11}
}
BazarLoader and the Conti Leaks BazarBackdoor Cobalt Strike Conti |
2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne @techreport{dnne:20211003:squirrelwaffle:3a35566,
author = {Joel Dönne},
title = {{SquirrelWaffle - From Maldoc to Cobalt Strike}},
date = {2021-10-03},
institution = {Github (0xjxd)},
url = {https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf},
language = {English},
urldate = {2021-10-07}
}
SquirrelWaffle - From Maldoc to Cobalt Strike Cobalt Strike Squirrelwaffle |
2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong @online{dong:20211001:squirrelwaffle:24c9b06,
author = {Chuong Dong},
title = {{SQUIRRELWAFFLE – Analysing the Custom Packer}},
date = {2021-10-01},
organization = {0ffset Blog},
url = {https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/},
language = {English},
urldate = {2021-10-14}
}
SQUIRRELWAFFLE – Analysing the Custom Packer Cobalt Strike Squirrelwaffle |
2021-09-30 ⋅ PT Expert Security Center @online{center:20210930:masters:8707c00,
author = {PT Expert Security Center},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang},
language = {English},
urldate = {2021-10-14}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike |
2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210930:masters:4394504,
author = {PT ESC Threat Intelligence},
title = {{Masters of Mimicry: new APT group ChamelGang and its arsenal}},
date = {2021-09-30},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3},
language = {English},
urldate = {2021-11-29}
}
Masters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike |
2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20210930:hunting:bc2e59d,
author = {Falcon OverWatch Team},
title = {{Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense}},
date = {2021-09-30},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/},
language = {English},
urldate = {2021-10-05}
}
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense Cobalt Strike |
2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20210929:backup:4aebe4e,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Backup “Removal” Solutions - From Conti Ransomware With Love}},
date = {2021-09-29},
organization = {Advanced Intelligence},
url = {https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love},
language = {English},
urldate = {2021-10-20}
}
Backup “Removal” Solutions - From Conti Ransomware With Love Cobalt Strike Conti |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20210929:20210929:e348fca,
author = {Brad Duncan},
title = {{2021-09-29 (Wednesday) - Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2021-11-03}
}
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike Cobalt Strike Hancitor |
2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20210929:hancitor:e510da9,
author = {Brad Duncan},
title = {{Hancitor with Cobalt Strike}},
date = {2021-09-29},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/29/index.html},
language = {English},
urldate = {2022-02-01}
}
Hancitor with Cobalt Strike Cobalt Strike Hancitor |
2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross @online{kumar:20210928:squirrelwaffle:9b1cffc,
author = {Avinash Kumar and Brett Stone-Gross},
title = {{Squirrelwaffle: New Loader Delivering Cobalt Strike}},
date = {2021-09-28},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike},
language = {English},
urldate = {2021-10-11}
}
Squirrelwaffle: New Loader Delivering Cobalt Strike Cobalt Strike Squirrelwaffle |
2021-09-27 ⋅ Cynet ⋅ Max Malyutin @online{malyutin:20210927:virtual:cd72501,
author = {Max Malyutin},
title = {{A Virtual Baffle to Battle Squirrelwaffle}},
date = {2021-09-27},
organization = {Cynet},
url = {https://www.cynet.com/understanding-squirrelwaffle/},
language = {English},
urldate = {2021-09-28}
}
A Virtual Baffle to Battle Squirrelwaffle Cobalt Strike Squirrelwaffle |
2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji @online{ji:20210926:insights:51c06b8,
author = {Jie Ji},
title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}},
date = {2021-09-26},
organization = {NSFOCUS},
url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/},
language = {English},
urldate = {2021-11-25}
}
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2 Cobalt Strike LockFile |
2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas @online{stotomas:20210924:examining:9165fe5,
author = {Warren Sto.Tomas},
title = {{Examining the Cring Ransomware Techniques}},
date = {2021-09-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html},
language = {English},
urldate = {2021-09-29}
}
Examining the Cring Ransomware Techniques Cobalt Strike Cring MimiKatz |
2021-09-22 ⋅ CISA ⋅ US-CERT @online{uscert:20210922:alert:50b9d38,
author = {US-CERT},
title = {{Alert (AA21-265A) Conti Ransomware}},
date = {2021-09-22},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-265a},
language = {English},
urldate = {2021-10-05}
}
Alert (AA21-265A) Conti Ransomware Cobalt Strike Conti |
2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt @online{schmitt:20210921:ransomware:7c6144d,
author = {Drew Schmitt},
title = {{A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike}},
date = {2021-09-21},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/},
language = {English},
urldate = {2021-09-22}
}
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike Cobalt Strike |
2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem @online{salem:20210921:squirrel:1254a9d,
author = {Eli Salem},
title = {{The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”}},
date = {2021-09-21},
organization = {Medium elis531989},
url = {https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9},
language = {English},
urldate = {2021-09-22}
}
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle” Cobalt Strike Squirrelwaffle |
2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade @online{brandt:20210921:cring:9bd4998,
author = {Andrew Brandt and Vikas Singh and Shefali Gupta and Krisztián Diriczi and Chaitanya Ghorpade},
title = {{Cring ransomware group exploits ancient ColdFusion server}},
date = {2021-09-21},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728},
language = {English},
urldate = {2021-09-24}
}
Cring ransomware group exploits ancient ColdFusion server Cobalt Strike Cring |
2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team @online{team:20210921:scanning:5a0697f,
author = {skyblue team},
title = {{Scanning VirusTotal's firehose}},
date = {2021-09-21},
organization = {skyblue.team blog},
url = {https://skyblue.team/posts/scanning-virustotal-firehose/},
language = {English},
urldate = {2021-09-24}
}
Scanning VirusTotal's firehose Cobalt Strike |
2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20210917:20210917:b995435,
author = {Brad Duncan},
title = {{2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike}},
date = {2021-09-17},
organization = {Malware Traffic Analysis},
url = {https://www.malware-traffic-analysis.net/2021/09/17/index.html},
language = {English},
urldate = {2021-09-20}
}
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike Cobalt Strike Squirrelwaffle |
2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team @online{team:20210917:falcon:76aa03b,
author = {Falcon OverWatch Team},
title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}},
date = {2021-09-17},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/},
language = {English},
urldate = {2021-10-05}
}
Falcon OverWatch Hunts Down Adversaries Where They Hide BazarBackdoor Cobalt Strike |
2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator @online{operator:20210917:default:aaaa15c,
author = {Intel Operator},
title = {{The default: 63 6f 62 61 6c 74 strike}},
date = {2021-09-17},
organization = {Medium inteloperator},
url = {https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7},
language = {English},
urldate = {2021-09-19}
}
The default: 63 6f 62 61 6c 74 strike Cobalt Strike |
2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont @online{beaumont:20210916:some:550bbaa,
author = {Kevin Beaumont},
title = {{Tweet on an unknown threat actor dropping MgBot, a custom modular IIS backdoor and Cobalt Strike by exploiting ProxyShell}},
date = {2021-09-16},
organization = {Twitter (@GossiTheDog)},
url = {https://twitter.com/GossiTheDog/status/1438500100238577670},
language = {English},
urldate = {2021-09-20}
}
Tweet on an unknown threat actor dropping MgBot, a custom modular IIS backdoor and Cobalt Strike by exploiting ProxyShell Cobalt Strike MgBot |
2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin @online{shabarkin:20210916:pointer:828998f,
author = {Pavel Shabarkin},
title = {{Pointer: Hunting Cobalt Strike globally}},
date = {2021-09-16},
organization = {Medium Shabarkin},
url = {https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a},
language = {English},
urldate = {2021-09-19}
}
Pointer: Hunting Cobalt Strike globally Cobalt Strike |
2021-09-16 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20210916:untangling:d1e0f1b,
author = {RiskIQ},
title = {{Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit}},
date = {2021-09-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/c88cf7e6},
language = {English},
urldate = {2021-09-19}
}
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit Cobalt Strike Ryuk |
2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20210915:analyzing:37b6528,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability}},
date = {2021-09-15},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/},
language = {English},
urldate = {2021-09-19}
}
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability Cobalt Strike |
2021-09-14 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210914:fullspectrum:fdc7b06,
author = {Insikt Group®},
title = {{Full-Spectrum Cobalt Strike Detection}},
date = {2021-09-14},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf},
language = {English},
urldate = {2021-09-19}
}
Full-Spectrum Cobalt Strike Detection Cobalt Strike |
2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210913:bazarloader:5073703,
author = {The DFIR Report},
title = {{BazarLoader to Conti Ransomware in 32 Hours}},
date = {2021-09-13},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/},
language = {English},
urldate = {2021-09-14}
}
BazarLoader to Conti Ransomware in 32 Hours BazarBackdoor Cobalt Strike Conti |
2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210912:mapping:8a5f43a,
author = {Michael Koczwara},
title = {{Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444}},
date = {2021-09-12},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a},
language = {English},
urldate = {2022-01-28}
}
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444 Cobalt Strike |
2021-09-10 ⋅ Gigamon ⋅ Joe Slowik @online{slowik:20210910:rendering:59082b0,
author = {Joe Slowik},
title = {{Rendering Threats: A Network Perspective}},
date = {2021-09-10},
organization = {Gigamon},
url = {https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/},
language = {English},
urldate = {2021-09-12}
}
Rendering Threats: A Network Perspective Cobalt Strike |
2021-09-09 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20210909:remote:17382af,
author = {Trend Micro},
title = {{Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs}},
date = {2021-09-09},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html},
language = {English},
urldate = {2021-09-12}
}
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs Cobalt Strike |
2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa @online{parsa:20210908:hook:4dff1b6,
author = {Arash Parsa},
title = {{Hook Heaps and Live Free}},
date = {2021-09-08},
organization = {Arash's Blog},
url = {https://www.arashparsa.com/hook-heaps-and-live-free/},
language = {English},
urldate = {2021-09-10}
}
Hook Heaps and Live Free Cobalt Strike |
2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210907:cobalt:7af112e,
author = {Michael Koczwara},
title = {{Cobalt Strike C2 Hunting with Shodan}},
date = {2021-09-07},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike C2 Hunting with Shodan Cobalt Strike |
2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r @online{m4n0w4r:20210906:quick:0a892b2,
author = {m4n0w4r},
title = {{Quick analysis CobaltStrike loader and shellcode}},
date = {2021-09-06},
organization = {kienmanowar Blog},
url = {https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/},
language = {English},
urldate = {2021-09-10}
}
Quick analysis CobaltStrike loader and shellcode Cobalt Strike |
2021-09-03 ⋅ Sophos ⋅ Sean Gallagher, Peter Mackenzie, Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Sergio Bestulic, Syed Zaidi @online{gallagher:20210903:conti:db20680,
author = {Sean Gallagher and Peter Mackenzie and Anand Ajjan and Andrew Ludgate and Gabor Szappanos and Sergio Bestulic and Syed Zaidi},
title = {{Conti affiliates use ProxyShell Exchange exploit in ransomware attacks}},
date = {2021-09-03},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/},
language = {English},
urldate = {2021-09-06}
}
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks Cobalt Strike Conti |
2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel @techreport{mokbel:20210903:state:df86499,
author = {Mohamad Mokbel},
title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}},
date = {2021-09-03},
institution = {Trend Micro},
url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf},
language = {English},
urldate = {2021-09-19}
}
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Colin, Gabor Szappanos @online{colin:20210902:confluence:5bbf2cb,
author = {Colin and Gabor Szappanos},
title = {{Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and Cobalt Strike activity (mentioned in replies by Gabor Szappanos)}},
date = {2021-09-02},
organization = {Twitter (@th3_protoCOL)},
url = {https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20},
language = {English},
urldate = {2021-09-06}
}
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and Cobalt Strike activity (mentioned in replies by Gabor Szappanos) Cobalt Strike |
2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210902:cobalt:40a1888,
author = {Michael Koczwara},
title = {{Cobalt Strike PowerShell Payload Analysis}},
date = {2021-09-02},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike PowerShell Payload Analysis Cobalt Strike |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li @online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs @online{labs:20210831:cobalt:47e2c20,
author = {BreakPoint Labs},
title = {{Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign}},
date = {2021-08-31},
organization = {BreakPoint Labs},
url = {https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/},
language = {English},
urldate = {2021-09-23}
}
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign Cobalt Strike |
2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20210830:operation:7b5be26,
author = {Red Raindrop Team},
title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}},
date = {2021-08-30},
organization = {Qianxin},
url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/},
language = {Chinese},
urldate = {2021-09-09}
}
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss Cobalt Strike MimiKatz |
2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210829:cobalt:1e4595e,
author = {The DFIR Report},
title = {{Cobalt Strike, a Defender’s Guide}},
date = {2021-08-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/},
language = {English},
urldate = {2021-08-31}
}
Cobalt Strike, a Defender’s Guide Cobalt Strike |
2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs @online{labs:20210827:proxyshell:a4650f1,
author = {Morphisec Labs},
title = {{ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors}},
date = {2021-08-27},
organization = {Morphisec},
url = {https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors},
language = {English},
urldate = {2021-08-31}
}
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors Cobalt Strike |
2021-08-27 ⋅ Aon ⋅ Noah Rubin, Aon’s Cyber Labs @online{rubin:20210827:cobalt:a44e08a,
author = {Noah Rubin and Aon’s Cyber Labs},
title = {{Cobalt Strike Configuration Extractor and Parser}},
date = {2021-08-27},
organization = {Aon},
url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/},
language = {English},
urldate = {2022-05-04}
}
Cobalt Strike Configuration Extractor and Parser Cobalt Strike |
2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee @techreport{hiroaki:20210825:earth:776384f,
author = {Hara Hiroaki and Ted Lee},
title = {{Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor}},
date = {2021-08-25},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf},
language = {English},
urldate = {2021-08-31}
}
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor Cobalt Strike SideWalk |
2021-08-24 ⋅ ESET Research ⋅ Thibaut Passilly, Mathieu Tartare @online{passilly:20210824:sidewalk:75d39db,
author = {Thibaut Passilly and Mathieu Tartare},
title = {{The SideWalk may be as dangerous as the CROSSWALK}},
date = {2021-08-24},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/},
language = {English},
urldate = {2021-08-31}
}
The SideWalk may be as dangerous as the CROSSWALK Cobalt Strike CROSSWALK SideWalk |
2021-08-23 ⋅ FBI ⋅ FBI @techreport{fbi:20210823:indicators:3308f26,
author = {FBI},
title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}},
date = {2021-08-23},
institution = {FBI},
url = {https://www.ic3.gov/Media/News/2021/210823.pdf},
language = {English},
urldate = {2021-08-24}
}
Indicators of Compromise Associated with OnePercent Group Ransomware Cobalt Strike MimiKatz |
2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury @online{tilbury:20210823:keynote:23c0084,
author = {Chad Tilbury},
title = {{Keynote: Cobalt Strike Threat Hunting}},
date = {2021-08-23},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=borfuQGrB8g},
language = {English},
urldate = {2021-08-25}
}
Keynote: Cobalt Strike Threat Hunting Cobalt Strike |
2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @online{team:20210819:blackberry:2eec433,
author = {BlackBerry Research & Intelligence Team},
title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}},
date = {2021-08-19},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware},
language = {English},
urldate = {2021-08-23}
}
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware Cobalt Strike Dridex |
2021-08-19 ⋅ Sekoia ⋅ sekoia @online{sekoia:20210819:insider:ceb84de,
author = {sekoia},
title = {{An insider insights into Conti operations – Part two}},
date = {2021-08-19},
organization = {Sekoia},
url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/},
language = {English},
urldate = {2021-09-06}
}
An insider insights into Conti operations – Part two Cobalt Strike Conti |
2021-08-18 ⋅ Intezer ⋅ Ryan Robinson @online{robinson:20210818:cobalt:965e1a9,
author = {Ryan Robinson},
title = {{Cobalt Strike: Detect this Persistent Threat}},
date = {2021-08-18},
organization = {Intezer},
url = {https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/},
language = {English},
urldate = {2021-08-25}
}
Cobalt Strike: Detect this Persistent Threat Cobalt Strike |
2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy @online{kremez:20210817:hunting:1dc14d0,
author = {Vitali Kremez and Yelisey Boguslavskiy},
title = {{Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration}},
date = {2021-08-17},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations},
language = {English},
urldate = {2021-08-31}
}
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration Cobalt Strike Conti |
2021-08-17 ⋅ Sekoia ⋅ sekoia @online{sekoia:20210817:insider:3b427c7,
author = {sekoia},
title = {{An insider insights into Conti operations – Part one}},
date = {2021-08-17},
organization = {Sekoia},
url = {https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one},
language = {English},
urldate = {2021-09-06}
}
An insider insights into Conti operations – Part one Cobalt Strike Conti |
2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210817:cobalt:64689eb,
author = {Michael Koczwara},
title = {{Cobalt Strike Hunting — DLL Hijacking/Attack Analysis}},
date = {2021-08-17},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e},
language = {English},
urldate = {2021-09-09}
}
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis Cobalt Strike |
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696,
author = {Threat Hunter Team},
title = {{The Ransomware Threat}},
date = {2021-08-15},
institution = {Symantec},
url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
language = {English},
urldate = {2021-12-15}
}
The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker |
2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20210811:secret:5c5f06c,
author = {Vitali Kremez},
title = {{Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent}},
date = {2021-08-11},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent},
language = {English},
urldate = {2021-08-31}
}
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent Cobalt Strike Conti |
2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo @online{bao:20210809:cobalt:fc98da7,
author = {Ladislav Bačo},
title = {{APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)}},
date = {2021-08-09},
organization = {IstroSec},
url = {https://www.istrosec.com/blog/apt-sk-cobalt/},
language = {English},
urldate = {2021-08-16}
}
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk) Cobalt Strike |
2021-08-05 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Dan Cotton @online{lambert:20210805:when:aeb7b10,
author = {Tony Lambert and Brian Donohue and Dan Cotton},
title = {{When Dridex and Cobalt Strike give you Grief}},
date = {2021-08-05},
organization = {Red Canary},
url = {https://redcanary.com/blog/grief-ransomware/},
language = {English},
urldate = {2021-09-10}
}
When Dridex and Cobalt Strike give you Grief Cobalt Strike DoppelDridex DoppelPaymer |
2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20210805:detecting:235fe13,
author = {Counter Threat Unit ResearchTeam},
title = {{Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)}},
date = {2021-08-05},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups},
language = {English},
urldate = {2021-08-06}
}
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32) Cobalt Strike |
2021-08-04 ⋅ CrowdStrike ⋅ Falcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR @online{team:20210804:prophet:e6e6a99,
author = {Falcon OverWatch Team and CrowdStrike Intelligence Team and CrowdStrike IR},
title = {{PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity}},
date = {2021-08-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/},
language = {English},
urldate = {2021-09-02}
}
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity Cobalt Strike Egregor Mount Locker |
2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal @online{kristal:20210804:hotcobalt:136e715,
author = {Gal Kristal},
title = {{Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations}},
date = {2021-08-04},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/},
language = {English},
urldate = {2021-08-06}
}
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations Cobalt Strike |
2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20210804:detecting:b379acb,
author = {Counter Threat Unit ResearchTeam},
title = {{Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)}},
date = {2021-08-04},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks},
language = {English},
urldate = {2021-08-06}
}
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON) Cobalt Strike |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman @online{dahan:20210803:deadringer:908e8d5,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
date = {2021-08-03},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
language = {English},
urldate = {2021-08-06}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander Rausch, Konstantin Klinger @online{rausch:20210802:code:dee039d,
author = {Alexander Rausch and Konstantin Klinger},
title = {{The CODE 2021: Workshop presentation and demonstration about CobaltStrike}},
date = {2021-08-02},
organization = {Youtube (Forschungsinstitut Cyber Defense)},
url = {https://www.youtube.com/watch?v=y65hmcLIWDY},
language = {English},
urldate = {2021-08-25}
}
The CODE 2021: Workshop presentation and demonstration about CobaltStrike Cobalt Strike |
2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210801:bazarcall:bb6829b,
author = {The DFIR Report},
title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}},
date = {2021-08-01},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/},
language = {English},
urldate = {2021-08-02}
}
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike BazarBackdoor Cobalt Strike Conti TrickBot |
2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42 @online{42:20210730:bazarloader:43bdc2c,
author = {Unit 42},
title = {{Tweet on a BazarLoader infection leading to Cobalt Strike and a PowerShell script for the PrintNightmare vulnerability}},
date = {2021-07-30},
organization = {Twitter (@Unit42_Intel)},
url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20},
language = {English},
urldate = {2021-08-02}
}
Tweet on a BazarLoader infection leading to Cobalt Strike and a PowerShell script for the PrintNightmare vulnerability BazarBackdoor Cobalt Strike |
2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team @online{team:20210729:bazacall:8d79cdf,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}},
date = {2021-07-29},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/},
language = {English},
urldate = {2021-08-02}
}
BazaCall: Phony call centers lead to exfiltration and ransomware BazarBackdoor Cobalt Strike |
2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse @online{mouse:20210729:ntlm:7f97289,
author = {Rasta Mouse},
title = {{NTLM Relaying via Cobalt Strike}},
date = {2021-07-29},
organization = {Rasta Mouse},
url = {https://rastamouse.me/ntlm-relaying-via-cobalt-strike/},
language = {English},
urldate = {2021-07-29}
}
NTLM Relaying via Cobalt Strike Cobalt Strike |
2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team @techreport{team:20210727:old:3060d53,
author = {BlackBerry Research & Intelligence Team},
title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}},
date = {2021-07-27},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf},
language = {English},
urldate = {2021-07-27}
}
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy |
2021-07-25 ⋅ Medium svch0st ⋅ svch0st @online{svch0st:20210725:guide:28267fd,
author = {svch0st},
title = {{Guide to Named Pipes and Hunting for Cobalt Strike Pipes}},
date = {2021-07-25},
organization = {Medium svch0st},
url = {https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575},
language = {English},
urldate = {2021-08-02}
}
Guide to Named Pipes and Hunting for Cobalt Strike Pipes Cobalt Strike |
2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara @online{koczwara:20210722:cobalt:f102b02,
author = {Michael Koczwara},
title = {{Cobalt Strike Hunting — simple PCAP and Beacon Analysis}},
date = {2021-07-22},
organization = {Medium michaelkoczwara},
url = {https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811},
language = {English},
urldate = {2021-07-22}
}
Cobalt Strike Hunting — simple PCAP and Beacon Analysis Cobalt Strike |
2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210719:icedid:0365384,
author = {The DFIR Report},
title = {{IcedID and Cobalt Strike vs Antivirus}},
date = {2021-07-19},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/},
language = {English},
urldate = {2021-07-20}
}
IcedID and Cobalt Strike vs Antivirus Cobalt Strike IcedID |
2021-07-14 ⋅ MDSec ⋅ Chris Basnett @online{basnett:20210714:investigating:585e2a1,
author = {Chris Basnett},
title = {{Investigating a Suspicious Service}},
date = {2021-07-14},
organization = {MDSec},
url = {https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/},
language = {English},
urldate = {2021-07-20}
}
Investigating a Suspicious Service Cobalt Strike |
2021-07-14 ⋅ Kaspersky ⋅ Mark Lechtik, Paul Rascagnères, Aseel Kayal @online{lechtik:20210714:luminousmoth:a5cf19d,
author = {Mark Lechtik and Paul Rascagnères and Aseel Kayal},
title = {{LuminousMoth APT: Sweeping attacks for the chosen few}},
date = {2021-07-14},
organization = {Kaspersky},
url = {https://securelist.com/apt-luminousmoth/103332/},
language = {English},
urldate = {2021-07-20}
}
LuminousMoth APT: Sweeping attacks for the chosen few Cobalt Strike |
2021-07-14 ⋅ Google ⋅ Maddie Stone, Clement Lecigne, Google Threat Analysis Group @online{stone:20210714:how:38dfdc6,
author = {Maddie Stone and Clement Lecigne and Google Threat Analysis Group},
title = {{How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)}},
date = {2021-07-14},
organization = {Google},
url = {https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/},
language = {English},
urldate = {2021-07-26}
}
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879) Cobalt Strike |
2021-07-13 ⋅ YouTube (Matt Soseman) ⋅ Matt Soseman @online{soseman:20210713:solarwinds:cb7df1d,
author = {Matt Soseman},
title = {{Solarwinds and SUNBURST attacks compromised my lab!}},
date = {2021-07-13},
organization = {YouTube (Matt Soseman)},
url = {https://www.youtube.com/watch?v=GfbxHy6xnbA},
language = {English},
urldate = {2021-07-21}
}
Solarwinds and SUNBURST attacks compromised my lab! Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210709:hancitor:814e815,
author = {Brad Duncan},
title = {{Hancitor tries XLL as initial malware file}},
date = {2021-07-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27618},
language = {English},
urldate = {2021-07-19}
}
Hancitor tries XLL as initial malware file Cobalt Strike Hancitor |
2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team @online{team:20210708:decoding:04acb98,
author = {Threat Intelligence Team},
title = {{Decoding Cobalt Strike: Understanding Payloads}},
date = {2021-07-08},
organization = {Avast Decoded},
url = {https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/},
language = {English},
urldate = {2021-07-08}
}
Decoding Cobalt Strike: Understanding Payloads Cobalt Strike Empire Downloader |
2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen @online{chen:20210707:biopass:88dcdc2,
author = {Joseph C Chen and Kenney Lu and Jaromír Hořejší and Gloria Chen},
title = {{BIOPASS RAT: New Malware Sniffs Victims via Live Streaming}},
date = {2021-07-07},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html},
language = {English},
urldate = {2021-07-19}
}
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming BIOPASS Cobalt Strike Derusbi |
2021-07-07 ⋅ McAfee ⋅ McAfee Labs @techreport{labs:20210707:ryuk:ee88024,
author = {McAfee Labs},
title = {{Ryuk Ransomware Now Targeting Webservers}},
date = {2021-07-07},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf},
language = {English},
urldate = {2021-07-11}
}
Ryuk Ransomware Now Targeting Webservers Cobalt Strike Ryuk |
2021-07-07 ⋅ Trustwave ⋅ Rodel Mendrez, Nikita Kazymirskyi @online{mendrez:20210707:diving:1c04c81,
author = {Rodel Mendrez and Nikita Kazymirskyi},
title = {{Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails}},
date = {2021-07-07},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/},
language = {English},
urldate = {2021-07-09}
}
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails Cobalt Strike REvil |
2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence @online{intelligence:20210706:malspam:083ba5a,
author = {Malwarebytes Threat Intelligence},
title = {{Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike}},
date = {2021-07-06},
organization = {Twitter (@MBThreatIntel)},
url = {https://twitter.com/MBThreatIntel/status/1412518446013812737},
language = {English},
urldate = {2021-07-09}
}
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike Cobalt Strike |
2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Catherine Loveria, Ryan Maglaque, Buddy Tancio @online{camba:20210705:tracking:6ae6ad5,
author = {Abraham Camba and Catherine Loveria and Ryan Maglaque and Buddy Tancio},
title = {{Tracking Cobalt Strike: A Trend Micro Vision One Investigation}},
date = {2021-07-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html},
language = {English},
urldate = {2021-07-19}
}
Tracking Cobalt Strike: A Trend Micro Vision One Investigation Cobalt Strike |
2021-07-03 ⋅ Medium AK1001 ⋅ AK1001 @online{ak1001:20210703:analyzing:65452fa,
author = {AK1001},
title = {{Analyzing Cobalt Strike PowerShell Payload}},
date = {2021-07-03},
organization = {Medium AK1001},
url = {https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b},
language = {English},
urldate = {2022-01-31}
}
Analyzing Cobalt Strike PowerShell Payload Cobalt Strike |
2021-07-02 ⋅ MalwareBookReports ⋅ muzi @online{muzi:20210702:skip:09c3cd8,
author = {muzi},
title = {{Skip the Middleman: Dridex Document to Cobalt Strike}},
date = {2021-07-02},
organization = {MalwareBookReports},
url = {https://malwarebookreports.com/cryptone-cobalt-strike/},
language = {English},
urldate = {2021-07-06}
}
Skip the Middleman: Dridex Document to Cobalt Strike Cobalt Strike Dridex |
2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu @online{cimpanu:20210701:mongolian:1fd57de,
author = {Catalin Cimpanu},
title = {{Mongolian certificate authority hacked eight times, compromised with malware}},
date = {2021-07-01},
organization = {The Record},
url = {https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/},
language = {English},
urldate = {2021-07-02}
}
Mongolian certificate authority hacked eight times, compromised with malware Cobalt Strike |
2021-07-01 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern, Jan Vojtěšek @online{camastra:20210701:backdoored:6f26c16,
author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek},
title = {{Backdoored Client from Mongolian CA MonPass}},
date = {2021-07-01},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/},
language = {English},
urldate = {2021-07-02}
}
Backdoored Client from Mongolian CA MonPass Cobalt Strike |
2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin @online{skulkin:20210630:revil:63bb524,
author = {Oleg Skulkin},
title = {{REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs}},
date = {2021-06-30},
organization = {Group-IB},
url = {https://blog.group-ib.com/REvil_RaaS},
language = {English},
urldate = {2021-07-02}
}
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs Cobalt Strike REvil |
2021-06-29 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford @online{larson:20210629:cobalt:99ad5a0,
author = {Selena Larson and Daniel Blackford},
title = {{Cobalt Strike: Favorite Tool from APT to Crimeware}},
date = {2021-06-29},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware},
language = {English},
urldate = {2021-06-29}
}
Cobalt Strike: Favorite Tool from APT to Crimeware Cobalt Strike |
2021-06-29 ⋅ Accenture ⋅ Accenture Security @online{security:20210629:hades:2d4c606,
author = {Accenture Security},
title = {{HADES ransomware operators continue attacks}},
date = {2021-06-29},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades},
language = {English},
urldate = {2021-07-01}
}
HADES ransomware operators continue attacks Cobalt Strike Hades MimiKatz |
2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210628:hancitor:b21cdd2,
author = {The DFIR Report},
title = {{Hancitor Continues to Push Cobalt Strike}},
date = {2021-06-28},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/},
language = {English},
urldate = {2021-06-29}
}
Hancitor Continues to Push Cobalt Strike Cobalt Strike Hancitor |
2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team @online{team:20210622:response:13a8ee6,
author = {The Falcon Complete Team},
title = {{Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators}},
date = {2021-06-22},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/},
language = {English},
urldate = {2021-06-24}
}
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators Cobalt Strike |
2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si @online{cryptolaemus:20210622:ta575:895ac37,
author = {Cryptolaemus and Kirk Sayre and dao ming si},
title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed with Cryptone) directly via the macro docs}},
date = {2021-06-22},
organization = {Twitter (@Cryptolaemus1)},
url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680},
language = {English},
urldate = {2021-06-22}
}
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed with Cryptone) directly via the macro docs Cobalt Strike Dridex |
2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210620:from:aadb7e8,
author = {The DFIR Report},
title = {{From Word to Lateral Movement in 1 Hour}},
date = {2021-06-20},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/},
language = {English},
urldate = {2021-06-22}
}
From Word to Lateral Movement in 1 Hour Cobalt Strike IcedID |
2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff @online{sherstobitoff:20210618:securityscorecard:0000641,
author = {Ryan Sherstobitoff},
title = {{SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought}},
date = {2021-06-18},
organization = {SecurityScorecard},
url = {https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought},
language = {English},
urldate = {2021-06-22}
}
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought Cobalt Strike |
2021-06-17 ⋅ Binary Defense ⋅ Brandon George @online{george:20210617:analysis:6e4b8ac,
author = {Brandon George},
title = {{Analysis of Hancitor – When Boring Begets Beacon}},
date = {2021-06-17},
organization = {Binary Defense},
url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon},
language = {English},
urldate = {2021-06-22}
}
Analysis of Hancitor – When Boring Begets Beacon Cobalt Strike Ficker Stealer Hancitor |
2021-06-16 ⋅ Mandiant ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, Jordan Nuce @online{mclellan:20210616:smoking:a03a78c,
author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson and Jordan Nuce},
title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}},
date = {2021-06-16},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise},
language = {English},
urldate = {2021-12-01}
}
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise Cobalt Strike SMOKEDHAM |
2021-06-16 ⋅ FireEye ⋅ Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson @online{mclellan:20210616:smoking:fa6559d,
author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson},
title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}},
date = {2021-06-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html},
language = {English},
urldate = {2021-12-01}
}
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise Cobalt Strike SMOKEDHAM |
2021-06-16 ⋅ Національна поліція України ⋅ Національна поліція України @online{:20210616:cyberpolice:f455d86,
author = {Національна поліція України},
title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}},
date = {2021-06-16},
organization = {Національна поліція України},
url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/},
language = {Ukrainian},
urldate = {2021-06-21}
}
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies Clop Cobalt Strike FlawedAmmyy |
2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20210615:hades:e1734d8,
author = {Counter Threat Unit ResearchTeam},
title = {{Hades Ransomware Operators Use Distinctive Tactics and Infrastructure}},
date = {2021-06-15},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure},
language = {English},
urldate = {2021-06-21}
}
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure Cobalt Strike Hades |
2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210612:thread:eac742a,
author = {Peter Mackenzie},
title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}},
date = {2021-06-12},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095},
language = {English},
urldate = {2021-06-21}
}
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response Cobalt Strike RagnarLocker |
2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev @online{rostovcev:20210610:big:4d0a5f2,
author = {Nikita Rostovcev},
title = {{Big airline heist APT41 likely behind massive supply chain attack}},
date = {2021-06-10},
organization = {Group-IB},
url = {https://blog.group-ib.com/colunmtk_apt41},
language = {English},
urldate = {2021-06-16}
}
Big airline heist APT41 likely behind massive supply chain attack Cobalt Strike |
2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7 @online{reddrip7:20210609:in:74f9bac,
author = {RedDrip7},
title = {{Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)}},
date = {2021-06-09},
organization = {Twitter (@RedDrip7)},
url = {https://twitter.com/RedDrip7/status/1402640362972147717?s=20},
language = {English},
urldate = {2021-06-21}
}
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1) Cobalt Strike |
2021-06-04 ⋅ Inky ⋅ Roger Kay @online{kay:20210604:colonial:959c12f,
author = {Roger Kay},
title = {{Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts}},
date = {2021-06-04},
organization = {Inky},
url = {https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts},
language = {English},
urldate = {2021-06-16}
}
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts Cobalt Strike |
2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein @online{lanstein:20210604:unc2652nobelium:460c6ab,
author = {Alex Lanstein},
title = {{Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879}},
date = {2021-06-04},
organization = {Twitter (@alex_lanstein)},
url = {https://twitter.com/alex_lanstein/status/1399829754887524354},
language = {English},
urldate = {2021-07-26}
}
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879 Cobalt Strike |
2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20210602:chinalinked:487955f,
author = {CyCraft Technology Corp},
title = {{China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware}},
date = {2021-06-02},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5},
language = {English},
urldate = {2021-06-09}
}
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware Cobalt Strike ColdLock |
2021-06-02 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20210602:amsi:084d0ba,
author = {Sean Gallagher},
title = {{AMSI bypasses remain tricks of the malware trade}},
date = {2021-06-02},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/},
language = {English},
urldate = {2021-06-09}
}
AMSI bypasses remain tricks of the malware trade Agent Tesla Cobalt Strike Meterpreter |
2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs @online{affairs:20210601:justice:1ed9656,
author = {Office of Public Affairs},
title = {{Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development}},
date = {2021-06-01},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear},
language = {English},
urldate = {2021-06-09}
}
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development Cobalt Strike |
2021-06-01 ⋅ SANS ⋅ Kevin Haley, Jake Williams @online{haley:20210601:contrarian:6aff18c,
author = {Kevin Haley and Jake Williams},
title = {{A Contrarian View on SolarWinds}},
date = {2021-06-01},
organization = {SANS},
url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515},
language = {English},
urldate = {2021-06-21}
}
A Contrarian View on SolarWinds Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade @online{guerrerosaade:20210601:noblebaron:20dd227,
author = {Juan Andrés Guerrero-Saade},
title = {{NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks}},
date = {2021-06-01},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/},
language = {English},
urldate = {2021-06-09}
}
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks Cobalt Strike |
2021-06-01 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team @online{mstic:20210601:new:83aee4c,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team},
title = {{New sophisticated email-based attack from NOBELIUM}},
date = {2021-06-01},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/},
language = {English},
urldate = {2021-06-09}
}
New sophisticated email-based attack from NOBELIUM Cobalt Strike |
2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Eli Salem @online{salem:20210529:obfuscation:f1b68f3,
author = {Eli Salem},
title = {{Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452}},
date = {2021-05-29},
organization = {Twitter (@elisalem9)},
url = {https://twitter.com/elisalem9/status/1398566939656601606},
language = {English},
urldate = {2021-08-02}
}
Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452 Cobalt Strike |
2021-05-28 ⋅ CISA ⋅ US-CERT @online{uscert:20210528:alert:be89c5f,
author = {US-CERT},
title = {{Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs}},
date = {2021-05-28},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-148a},
language = {English},
urldate = {2021-07-27}
}
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs Cobalt Strike |
2021-05-28 ⋅ CISA ⋅ US-CERT @online{uscert:20210528:malware:0913332,
author = {US-CERT},
title = {{Malware Analysis Report (AR21-148A): Cobalt Strike Beacon}},
date = {2021-05-28},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a},
language = {English},
urldate = {2021-07-19}
}
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon Cobalt Strike |
2021-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC) @online{mstic:20210528:breaking:f55e372,
author = {Microsoft Threat Intelligence Center (MSTIC)},
title = {{Breaking down NOBELIUM’s latest early-stage toolset}},
date = {2021-05-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/},
language = {English},
urldate = {2022-05-17}
}
Breaking down NOBELIUM’s latest early-stage toolset Cobalt Strike |
2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster @online{cash:20210527:suspected:beb9dd9,
author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns}},
date = {2021-05-27},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/},
language = {English},
urldate = {2021-06-09}
}
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns Cobalt Strike |
2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak @online{yizhak:20210526:deep:c123a19,
author = {Ron Ben Yizhak},
title = {{A Deep Dive into Packing Software CryptOne}},
date = {2021-05-26},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/},
language = {English},
urldate = {2021-06-22}
}
A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
2021-05-25 ⋅ Huntress Labs ⋅ Matthew Brennan @online{brennan:20210525:cobalt:c428be0,
author = {Matthew Brennan},
title = {{Cobalt Strikes Again: An Analysis of Obfuscated Malware}},
date = {2021-05-25},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware},
language = {English},
urldate = {2021-06-09}
}
Cobalt Strikes Again: An Analysis of Obfuscated Malware Cobalt Strike |
2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite @online{ambite:20210521:leveraging:55f56da,
author = {Pablo Ambite},
title = {{Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic}},
date = {2021-05-21},
organization = {blackarrow},
url = {https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/},
language = {English},
urldate = {2021-06-22}
}
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic Cobalt Strike |
2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene @online{ergene:20210519:enterprise:f7fb481,
author = {Mehmet Ergene},
title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2}},
date = {2021-05-19},
organization = {Medium Mehmet Ergene},
url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e},
language = {English},
urldate = {2021-05-26}
}
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2 Cobalt Strike |
2021-05-19 ⋅ Intel 471 ⋅ Intel 471 @online{471:20210519:look:5ba9516,
author = {Intel 471},
title = {{Look how many cybercriminals love Cobalt Strike}},
date = {2021-05-19},
organization = {Intel 471},
url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
language = {English},
urldate = {2021-05-19}
}
Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie @online{shier:20210518:active:f313ac5,
author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie},
title = {{The Active Adversary Playbook 2021}},
date = {2021-05-18},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153},
language = {English},
urldate = {2021-05-25}
}
The Active Adversary Playbook 2021 Cobalt Strike MimiKatz |
2021-05-17 ⋅ Talos ⋅ Brad Garnett @online{garnett:20210517:case:a8ef9cf,
author = {Brad Garnett},
title = {{Case Study: Incident Response is a relationship-driven business}},
date = {2021-05-17},
organization = {Talos},
url = {https://blog.talosintelligence.com/2021/05/ctir-case-study.html},
language = {English},
urldate = {2021-05-25}
}
Case Study: Incident Response is a relationship-driven business Cobalt Strike |
2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland @techreport{ireland:20210516:ransomware:b091d9b,
author = {NCSC Ireland},
title = {{Ransomware Attack on Health Sector - UPDATE 2021-05-16}},
date = {2021-05-16},
institution = {NCSC Ireland},
url = {https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf},
language = {English},
urldate = {2021-05-17}
}
Ransomware Attack on Health Sector - UPDATE 2021-05-16 Cobalt Strike Conti |
2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r @online{0r:20210514:darkside:bf9c5bc,
author = {Auth 0r},
title = {{DarkSide Ransomware Operations – Preventions and Detections.}},
date = {2021-05-14},
organization = {Blue Team Blog},
url = {https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections},
language = {English},
urldate = {2021-05-17}
}
DarkSide Ransomware Operations – Preventions and Detections. Cobalt Strike DarkSide |
2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt @online{schmitt:20210514:from:944b5f1,
author = {Drew Schmitt},
title = {{From ZLoader to DarkSide: A Ransomware Story}},
date = {2021-05-14},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/},
language = {English},
urldate = {2021-05-17}
}
From ZLoader to DarkSide: A Ransomware Story DarkSide Cobalt Strike Zloader |
2021-05-13 ⋅ AWAKE ⋅ Kieran Evans @online{evans:20210513:catching:eaa13e2,
author = {Kieran Evans},
title = {{Catching the White Stork in Flight}},
date = {2021-05-13},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/},
language = {English},
urldate = {2021-09-19}
}
Catching the White Stork in Flight Cobalt Strike MimiKatz RMS |
2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene @online{ergene:20210512:enterprise:09742df,
author = {Mehmet Ergene},
title = {{Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1}},
date = {2021-05-12},
organization = {Medium Mehmet Ergene},
url = {https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f},
language = {English},
urldate = {2021-05-26}
}
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1 Cobalt Strike |
2021-05-12 ⋅ The DFIR Report @online{report:20210512:conti:598c5f2,
author = {The DFIR Report},
title = {{Conti Ransomware}},
date = {2021-05-12},
url = {https://thedfirreport.com/2021/05/12/conti-ransomware/},
language = {English},
urldate = {2021-05-13}
}
Conti Ransomware Cobalt Strike Conti IcedID |
2021-05-11 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210511:campo:0305ab9,
author = {mal_eats},
title = {{Campo, a New Attack Campaign Targeting Japan}},
date = {2021-05-11},
organization = {Mal-Eats},
url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-06-01}
}
Campo, a New Attack Campaign Targeting Japan AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
2021-05-11 ⋅ FireEye ⋅ Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, Jared Wilson @online{nuce:20210511:shining:339d137,
author = {Jordan Nuce and Jeremy Kennelly and Kimberly Goody and Andrew Moore and Alyssa Rahman and Brendan McKeague and Jared Wilson},
title = {{Shining a Light on DARKSIDE Ransomware Operations}},
date = {2021-05-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html},
language = {English},
urldate = {2021-05-13}
}
Shining a Light on DARKSIDE Ransomware Operations Cobalt Strike DarkSide |
2021-05-10 ⋅ ZERO.BS ⋅ ZEROBS @online{zerobs:20210510:cobaltstrikebeacons:b7fee54,
author = {ZEROBS},
title = {{Cobaltstrike-Beacons analyzed}},
date = {2021-05-10},
organization = {ZERO.BS},
url = {https://zero.bs/cobaltstrike-beacons-analyzed.html},
language = {English},
urldate = {2021-05-11}
}
Cobaltstrike-Beacons analyzed Cobalt Strike |
2021-05-10 ⋅ Mal-Eats ⋅ mal_eats @online{maleats:20210510:overview:50ff3b3,
author = {mal_eats},
title = {{Overview of Campo, a new attack campaign targeting Japan}},
date = {2021-05-10},
organization = {Mal-Eats},
url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/},
language = {English},
urldate = {2021-05-13}
}
Overview of Campo, a new attack campaign targeting Japan AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li @techreport{tseng:20210507:mem2img:494799d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj @online{nataraj:20210507:new:79ec788,
author = {Rajesh Nataraj},
title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
date = {2021-05-07},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
language = {English},
urldate = {2022-02-16}
}
New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin @online{huey:20210507:lemon:0d46f81,
author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
date = {2021-05-07},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
language = {English},
urldate = {2022-02-16}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Medium svch0st ⋅ svch0st @online{svch0st:20210507:stats:11919e5,
author = {svch0st},
title = {{Stats from Hunting Cobalt Strike Beacons}},
date = {2021-05-07},
organization = {Medium svch0st},
url = {https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b},
language = {English},
urldate = {2021-05-08}
}
Stats from Hunting Cobalt Strike Beacons Cobalt Strike |
2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20210505:are:61bb8a0,
author = {Mattias Wåhlén},
title = {{Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?}},
date = {2021-05-05},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/},
language = {English},
urldate = {2021-05-08}
}
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies? Cobalt Strike Hades WastedLocker |
2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie, Vikas Singh, Gabor Szappanos @online{brandt:20210505:intervention:f548dee,
author = {Andrew Brandt and Peter Mackenzie and Vikas Singh and Gabor Szappanos},
title = {{Intervention halts a ProxyLogon-enabled attack}},
date = {2021-05-05},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack},
language = {English},
urldate = {2021-05-07}
}
Intervention halts a ProxyLogon-enabled attack Cobalt Strike |
2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel @online{sechel:20210504:improving:ce4da6d,
author = {Sergiu Sechel},
title = {{Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives}},
date = {2021-05-04},
organization = {Medium sergiusechel},
url = {https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468},
language = {English},
urldate = {2021-05-04}
}
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives Cobalt Strike |
2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210502:trickbot:242b786,
author = {The DFIR Report},
title = {{Trickbot Brief: Creds and Beacons}},
date = {2021-05-02},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/},
language = {English},
urldate = {2021-05-04}
}
Trickbot Brief: Creds and Beacons Cobalt Strike TrickBot |
2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd. @techreport{ltd:20210429:operations:a7ad0d4,
author = {Threat Detection NTT Ltd.},
title = {{The Operations of Winnti group}},
date = {2021-04-29},
institution = {NTT},
url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf},
language = {English},
urldate = {2021-08-09}
}
The Operations of Winnti group Cobalt Strike ShadowPad Spyder Winnti |
2021-04-29 ⋅ FireEye ⋅ Tyler McLellan, Justin Moore, Raymond Leong @online{mclellan:20210429:unc2447:2ad0d96,
author = {Tyler McLellan and Justin Moore and Raymond Leong},
title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}},
date = {2021-04-29},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html},
language = {English},
urldate = {2022-03-07}
}
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat Cobalt Strike FiveHands HelloKitty |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw @online{agcaoili:20210427:legitimate:b293526,
author = {Janus Agcaoili and Earle Earnshaw},
title = {{Legitimate Tools Weaponized for Ransomware in 2021}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021},
language = {English},
urldate = {2021-05-03}
}
Legitimate Tools Weaponized for Ransomware in 2021 Cobalt Strike MimiKatz |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili @online{agcaoili:20210427:hello:b3c5de5,
author = {Janus Agcaoili},
title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
language = {English},
urldate = {2021-04-29}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul) @online{80vul:20210426:hunting:e8be278,
author = {Twitter (@80vul)},
title = {{Hunting Cobalt Strike DNS redirectors by using ZoomEye}},
date = {2021-04-26},
organization = {getrevue},
url = {https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734},
language = {English},
urldate = {2021-04-29}
}
Hunting Cobalt Strike DNS redirectors by using ZoomEye Cobalt Strike |
2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut @online{thiebaut:20210426:anatomy:0ade0a5,
author = {Maxime Thiebaut},
title = {{Anatomy of Cobalt Strike’s DLL Stager}},
date = {2021-04-26},
organization = {nviso},
url = {https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/},
language = {English},
urldate = {2021-04-29}
}
Anatomy of Cobalt Strike’s DLL Stager Cobalt Strike |
2021-04-24 ⋅ Non-offensive security ⋅ Non-offensive security team @online{team:20210424:detect:4fab11a,
author = {Non-offensive security team},
title = {{Detect Cobalt Strike server through DNS protocol}},
date = {2021-04-24},
organization = {Non-offensive security},
url = {https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ},
language = {Chinese},
urldate = {2021-04-29}
}
Detect Cobalt Strike server through DNS protocol Cobalt Strike |
2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh @online{singh:20210423:doppel:1bfd6da,
author = {Vikas Singh},
title = {{Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals}},
date = {2021-04-23},
organization = {Twitter (@vikas891)},
url = {https://twitter.com/vikas891/status/1385306823662587905},
language = {English},
urldate = {2021-05-25}
}
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals Cobalt Strike DoppelPaymer |
2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210422:twwet:62355c6,
author = {Peter Mackenzie},
title = {{Tweet On TTPs seen in IR used by DOPPEL SPIDER}},
date = {2021-04-22},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1385103712918642688},
language = {English},
urldate = {2021-05-25}
}
Tweet On TTPs seen in IR used by DOPPEL SPIDER Cobalt Strike DoppelPaymer |
2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt @online{gallagher:20210421:nearly:53964a7,
author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt},
title = {{Nearly half of malware now use TLS to conceal communications}},
date = {2021-04-21},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/},
language = {English},
urldate = {2021-04-28}
}
Nearly half of malware now use TLS to conceal communications Agent Tesla Cobalt Strike Dridex SystemBC |
2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210420:cobaltstrike:d18d4c4,
author = {Jason Reaves},
title = {{CobaltStrike Stager Utilizing Floating Point Math}},
date = {2021-04-20},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718},
language = {English},
urldate = {2021-04-20}
}
CobaltStrike Stager Utilizing Floating Point Math Cobalt Strike |
2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210419:analysing:c6bff49,
author = {Erik Hjelmvik},
title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}},
date = {2021-04-19},
organization = {Netresec},
url = {https://netresec.com/?b=214d7ff},
language = {English},
urldate = {2021-04-20}
}
Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID |
2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens @online{stevens:20210418:decoding:18e5319,
author = {Didier Stevens},
title = {{Decoding Cobalt Strike Traffic}},
date = {2021-04-18},
organization = {YouTube (dist67)},
url = {https://www.youtube.com/watch?v=ysN-MqyIN7M},
language = {English},
urldate = {2021-04-20}
}
Decoding Cobalt Strike Traffic Cobalt Strike |
2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210414:april:4a29cb5,
author = {Brad Duncan},
title = {{April 2021 Forensic Quiz: Answers and Analysis}},
date = {2021-04-14},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/27308},
language = {English},
urldate = {2021-04-14}
}
April 2021 Forensic Quiz: Answers and Analysis Anchor BazarBackdoor Cobalt Strike |
2021-04-12 ⋅ Inde ⋅ Chris Campbell @online{campbell:20210412:different:ea9739f,
author = {Chris Campbell},
title = {{A Different Kind of Zoombomb}},
date = {2021-04-12},
organization = {Inde},
url = {https://www.inde.nz/blog/different-kind-of-zoombomb},
language = {English},
urldate = {2022-04-29}
}
A Different Kind of Zoombomb Cobalt Strike |
2021-04-09 ⋅ F-Secure ⋅ Riccardo Ancarani, Giulio Ginesi @online{ancarani:20210409:detecting:01d28ed,
author = {Riccardo Ancarani and Giulio Ginesi},
title = {{Detecting Exposed Cobalt Strike DNS Redirectors}},
date = {2021-04-09},
organization = {F-Secure},
url = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors},
language = {English},
urldate = {2021-04-14}
}
Detecting Exposed Cobalt Strike DNS Redirectors Cobalt Strike |
2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner @online{warner:20210407:using:a7d19fd,
author = {Justin Warner},
title = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}},
date = {2021-04-07},
organization = {Medium sixdub},
url = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e},
language = {English},
urldate = {2021-04-09}
}
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs Cobalt Strike |
2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt @online{reaves:20210405:trickbot:a6b0592,
author = {Jason Reaves and Joshua Platt},
title = {{TrickBot Crews New CobaltStrike Loader}},
date = {2021-04-05},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c},
language = {English},
urldate = {2021-04-06}
}
TrickBot Crews New CobaltStrike Loader Cobalt Strike TrickBot |
2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan @online{duncan:20210401:hancitors:8876ca1,
author = {Brad Duncan},
title = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}},
date = {2021-04-01},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/},
language = {English},
urldate = {2021-04-06}
}
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool Cobalt Strike Hancitor |
2021-04-01 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210401:covid19:6a96e45,
author = {Joe Slowik},
title = {{COVID-19 Phishing With a Side of Cobalt Strike}},
date = {2021-04-01},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#},
language = {English},
urldate = {2021-04-06}
}
COVID-19 Phishing With a Side of Cobalt Strike Cobalt Strike |
2021-03-31 ⋅ Red Canary ⋅ Red Canary @techreport{canary:20210331:2021:cd81f2d,
author = {Red Canary},
title = {{2021 Threat Detection Report}},
date = {2021-03-31},
institution = {Red Canary},
url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
language = {English},
urldate = {2021-04-06}
}
2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
2021-03-30 ⋅ GuidePoint Security ⋅ Drew Schmitt @online{schmitt:20210330:yet:9855592,
author = {Drew Schmitt},
title = {{Yet Another Cobalt Strike Stager: GUID Edition}},
date = {2021-03-30},
organization = {GuidePoint Security},
url = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/},
language = {English},
urldate = {2021-04-06}
}
Yet Another Cobalt Strike Stager: GUID Edition Cobalt Strike |
2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210329:sodinokibi:4c63e20,
author = {The DFIR Report},
title = {{Sodinokibi (aka REvil) Ransomware}},
date = {2021-03-29},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/},
language = {English},
urldate = {2021-03-30}
}
Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens @online{stevens:20210321:finding:92a9a4d,
author = {Didier Stevens},
title = {{Finding Metasploit & Cobalt Strike URLs}},
date = {2021-03-21},
organization = {YouTube (dist67)},
url = {https://www.youtube.com/watch?v=WW0_TgWT2gs},
language = {English},
urldate = {2021-03-25}
}
Finding Metasploit & Cobalt Strike URLs Cobalt Strike |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross @online{gross:20210318:cobalt:5392fb0,
author = {Ben Gross},
title = {{Cobalt Strike – Post-Exploitation Attackers Toolkit}},
date = {2021-03-18},
organization = {DeepInstinct},
url = {https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/},
language = {English},
urldate = {2021-06-22}
}
Cobalt Strike – Post-Exploitation Attackers Toolkit Cobalt Strike |
2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT @techreport{prodaft:20210318:silverfish:f203208,
author = {PRODAFT},
title = {{SilverFish Group Threat Actor Report}},
date = {2021-03-18},
institution = {PRODAFT Threat Intelligence},
url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf},
language = {English},
urldate = {2021-04-06}
}
SilverFish Group Threat Actor Report Cobalt Strike Dridex Koadic |
2021-03-16 ⋅ McAfee ⋅ McAfee ATR @techreport{atr:20210316:technical:8c4909a,
author = {McAfee ATR},
title = {{Technical Analysis of Operation Diànxùn}},
date = {2021-03-16},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf},
language = {English},
urldate = {2021-03-22}
}
Technical Analysis of Operation Diànxùn Cobalt Strike |
2021-03-16 ⋅ Elastic ⋅ Joe Desimone @online{desimone:20210316:detecting:4091130,
author = {Joe Desimone},
title = {{Detecting Cobalt Strike with memory signatures}},
date = {2021-03-16},
organization = {Elastic},
url = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures},
language = {English},
urldate = {2021-03-22}
}
Detecting Cobalt Strike with memory signatures Cobalt Strike |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell @online{campbell:20210311:you:7bd2342,
author = {Josh Campbell},
title = {{You Don't Know the HAFNIUM of it...}},
date = {2021-03-11},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
language = {English},
urldate = {2021-03-16}
}
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ Qurium ⋅ Qurium @online{qurium:20210311:myanmar:7bfc8ce,
author = {Qurium},
title = {{Myanmar – Multi-stage malware attack targets elected lawmakers}},
date = {2021-03-11},
organization = {Qurium},
url = {https://www.qurium.org/alerts/targeted-malware-against-crph/},
language = {English},
urldate = {2021-06-21}
}
Myanmar – Multi-stage malware attack targets elected lawmakers Cobalt Strike |
2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team @online{schwarz:20210310:nimzaloader:f6960d4,
author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team},
title = {{NimzaLoader: TA800’s New Initial Access Malware}},
date = {2021-03-10},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware},
language = {English},
urldate = {2021-03-12}
}
NimzaLoader: TA800’s New Initial Access Malware BazarNimrod Cobalt Strike |
2021-03-09 ⋅ splunk ⋅ Security Research Team @online{team:20210309:cloud:4deeb78,
author = {Security Research Team},
title = {{Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021}},
date = {2021-03-09},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html},
language = {English},
urldate = {2021-03-11}
}
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021 Cobalt Strike |
2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210308:bazar:ba050d7,
author = {The DFIR Report},
title = {{Bazar Drops the Anchor}},
date = {2021-03-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/},
language = {English},
urldate = {2021-03-10}
}
Bazar Drops the Anchor Anchor BazarBackdoor Cobalt Strike |
2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Katie Nickels, Adam Pennington, Jen Burns @online{nickels:20210308:star:083eb29,
author = {Katie Nickels and Adam Pennington and Jen Burns},
title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}},
date = {2021-03-08},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU},
language = {English},
urldate = {2021-03-11}
}
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R) Cobalt Strike SUNBURST TEARDROP |
2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens @online{stevens:20210307:pcaps:980212d,
author = {Didier Stevens},
title = {{PCAPs and Beacons}},
date = {2021-03-07},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/27176},
language = {English},
urldate = {2021-03-11}
}
PCAPs and Beacons Cobalt Strike |
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20210301:nimar:c26af08,
author = {Joshua Platt and Jason Reaves},
title = {{Nimar Loader}},
date = {2021-03-01},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e},
language = {English},
urldate = {2021-03-04}
}
Nimar Loader BazarBackdoor BazarNimrod Cobalt Strike |
2021-03-01 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves @online{platt:20210301:investigation:a7851d5,
author = {Joshua Platt and Jason Reaves},
title = {{Investigation into the state of Nim malware}},
date = {2021-03-01},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811},
language = {English},
urldate = {2021-03-04}
}
Investigation into the state of Nim malware BazarNimrod Cobalt Strike |
2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff @online{loui:20210226:hypervisor:8dadf9c,
author = {Eric Loui and Sergei Frankoff},
title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
date = {2021-02-26},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout},
language = {English},
urldate = {2021-05-26}
}
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta @online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-03-02}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC |
2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International @online{international:20210224:overview:95b80e0,
author = {Amnesty International},
title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}},
date = {2021-02-24},
organization = {Github (AmnestyTech)},
url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam},
language = {English},
urldate = {2021-02-25}
}
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus Cobalt Strike KerrDown |
2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama @techreport{haruyama:20210224:knock:f4903a2,
author = {Takahiro Haruyama},
title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}},
date = {2021-02-24},
institution = {VMWare Carbon Black},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf},
language = {Japanese},
urldate = {2021-02-26}
}
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210211:hancitor:9fa527e,
author = {The DFIR Report},
title = {{Tweet on Hancitor Activity followed by CobaltStrike beacon}},
date = {2021-02-11},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
language = {English},
urldate = {2021-02-18}
}
Tweet on Hancitor Activity followed by CobaltStrike beacon Cobalt Strike Hancitor |
2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20210209:learn:c08b657,
author = {Raphael Mudge},
title = {{Learn Pipe Fitting for all of your Offense Projects}},
date = {2021-02-09},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/},
language = {English},
urldate = {2021-02-10}
}
Learn Pipe Fitting for all of your Offense Projects Cobalt Strike |
2021-02-09 ⋅ Securehat ⋅ Securehat @online{securehat:20210209:extracting:0f4ae2f,
author = {Securehat},
title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}},
date = {2021-02-09},
organization = {Securehat},
url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader},
language = {English},
urldate = {2021-02-10}
}
Extracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike TEARDROP |
2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210203:excel:8e949c9,
author = {Brad Duncan},
title = {{Excel spreadsheets push SystemBC malware}},
date = {2021-02-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/},
language = {English},
urldate = {2021-02-04}
}
Excel spreadsheets push SystemBC malware Cobalt Strike SystemBC |
2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp @online{earp:20210202:how:923f969,
author = {Madeline Earp},
title = {{How Vietnam-based hacking operation OceanLotus targets journalists}},
date = {2021-02-02},
organization = {Committee to Protect Journalists},
url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists},
language = {English},
urldate = {2021-02-04}
}
How Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike |
2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a,
author = {Germán Fernández},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-03-02}
}
De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210202:recent:5272ed0,
author = {The DFIR Report},
title = {{Tweet on recent dridex post infection activity}},
date = {2021-02-02},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
language = {English},
urldate = {2021-02-04}
}
Tweet on recent dridex post infection activity Cobalt Strike Dridex |
2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis @online{koutroumpis:20210201:relay:596413f,
author = {Petros Koutroumpis},
title = {{Relay Attacks via Cobalt Strike Beacons}},
date = {2021-02-01},
organization = {pkb1s.github.io},
url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/},
language = {English},
urldate = {2021-02-04}
}
Relay Attacks via Cobalt Strike Beacons Cobalt Strike |
2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210201:bluecrab:df21c0a,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}},
date = {2021-02-01},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19860/},
language = {English},
urldate = {2021-02-06}
}
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil |
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk |
2021-01-28 ⋅ TrustedSec ⋅ Adam Chester @online{chester:20210128:tailoring:d3f973c,
author = {Adam Chester},
title = {{Tailoring Cobalt Strike on Target}},
date = {2021-01-28},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/},
language = {English},
urldate = {2021-01-29}
}
Tailoring Cobalt Strike on Target Cobalt Strike |
2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210128:bluecrab:44d2e64,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware constantly trying to bypass detection}},
date = {2021-01-28},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19640/},
language = {Korean},
urldate = {2021-02-04}
}
BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil |
2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT @online{csirt:20210126:cring:f12c487,
author = {Swisscom CSIRT},
title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware}},
date = {2021-01-26},
organization = {Twitter (@swisscom_csirt)},
url = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
language = {English},
urldate = {2021-01-27}
}
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware Cobalt Strike Cring MimiKatz |
2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC) @online{team:20210120:deep:1cc0551,
author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)},
title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}},
date = {2021-01-20},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/},
language = {English},
urldate = {2021-01-21}
}
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike SUNBURST TEARDROP |
2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210118:raindrop:9ab1262,
author = {Threat Hunter Team},
title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}},
date = {2021-01-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware},
language = {English},
urldate = {2021-01-21}
}
Raindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210117:conti:db7f1cb,
author = {Peter Mackenzie},
title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}},
date = {2021-01-17},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352},
language = {English},
urldate = {2021-01-21}
}
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike Conti |
2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier @online{lussier:20210115:detecting:fecd6c3,
author = {Dan Lussier},
title = {{Detecting Malicious C2 Activity - SpawnAs \& SMB Lateral Movement in CobaltStrike}},
date = {2021-01-15},
organization = {Medium Dansec},
url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64},
language = {English},
urldate = {2021-01-21}
}
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike |
2021-01-14 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210114:higaisa:326f8ea,
author = {PTSecurity},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2},
language = {English},
urldate = {2021-01-18}
}
Higaisa or Winnti? APT41 backdoors, old and new FunnySwitch |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist @online{read:20210112:unc2452:6e54c6c,
author = {Ben Read and John Hultquist},
title = {{UNC2452: What We Know So Far}},
date = {2021-01-12},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/462719},
language = {English},
urldate = {2021-01-18}
}
UNC2452: What We Know So Far Cobalt Strike SUNBURST TEARDROP |
2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen @online{jansen:20210112:abusing:c38eeb6,
author = {Wouter Jansen},
title = {{Abusing cloud services to fly under the radar}},
date = {2021-01-12},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/},
language = {English},
urldate = {2021-01-18}
}
Abusing cloud services to fly under the radar Cobalt Strike |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well Cobalt Strike TrickBot |
2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna @online{ramakrishna:20210111:new:296b621,
author = {Sudhakar Ramakrishna},
title = {{New Findings From Our Investigation of SUNBURST}},
date = {2021-01-11},
organization = {SolarWinds},
url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/},
language = {English},
urldate = {2021-01-18}
}
New Findings From Our Investigation of SUNBURST Cobalt Strike SUNBURST TEARDROP |
2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210110:man1:54a4162,
author = {Jason Reaves},
title = {{MAN1, Moskal, Hancitor and a side of Ransomware}},
date = {2021-01-10},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
language = {English},
urldate = {2021-01-11}
}
MAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike Hancitor SendSafe VegaLocker |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr @online{mcgarr:20210109:malware:dde1353,
author = {Connor McGarr},
title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}},
date = {2021-01-09},
organization = {Connor McGarr's Blog},
url = {https://connormcgarr.github.io/thread-hijacking/},
language = {English},
urldate = {2021-01-11}
}
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike |
2021-01-07 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210107:aversary:9771829,
author = {Insikt Group®},
title = {{Adversary Infrastructure Report 2020: A Defender's View}},
date = {2021-01-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf},
language = {English},
urldate = {2021-01-11}
}
Adversary Infrastructure Report 2020: A Defender's View Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-06 ⋅ Red Canary ⋅ Tony Lambert @online{lambert:20210106:hunting:272410b,
author = {Tony Lambert},
title = {{Hunting for GetSystem in offensive security tools}},
date = {2021-01-06},
organization = {Red Canary},
url = {https://redcanary.com/blog/getsystem-offsec/},
language = {English},
urldate = {2021-01-11}
}
Hunting for GetSystem in offensive security tools Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20210105:earth:d7bb547,
author = {Trend Micro Research},
title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html},
language = {English},
urldate = {2021-01-10}
}
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike |
2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag @online{haag:20210104:malleable:ab64356,
author = {Michael Haag},
title = {{Malleable C2 Profiles and You}},
date = {2021-01-04},
organization = {Medium haggis-m},
url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929},
language = {English},
urldate = {2021-01-05}
}
Malleable C2 Profiles and You Cobalt Strike |
2021 ⋅ Mandiant ⋅ Mandiant @online{mandiant:2021:mtrends:4d981a4,
author = {Mandiant},
title = {{M-TRENDS 2021}},
date = {2021},
organization = {Mandiant},
url = {https://www.mandiant.com/media/10916/download},
language = {English},
urldate = {2021-11-02}
}
M-TRENDS 2021 Cobalt Strike SUNBURST |
2021 ⋅ Talos ⋅ Talos Incident Response @techreport{response:2021:evicting:c795470,
author = {Talos Incident Response},
title = {{Evicting Maze}},
date = {2021},
institution = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf},
language = {English},
urldate = {2021-05-26}
}
Evicting Maze Cobalt Strike Maze |
2021 ⋅ Symantec ⋅ Symantec Threat Hunter Team @techreport{team:2021:supply:ad422b5,
author = {Symantec Threat Hunter Team},
title = {{Supply Chain Attacks: Cyber Criminals Target the Weakest Link}},
date = {2021},
institution = {Symantec},
url = {https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf},
language = {English},
urldate = {2022-02-01}
}
Supply Chain Attacks: Cyber Criminals Target the Weakest Link Cobalt Strike Raindrop SUNBURST TEARDROP |
2021 ⋅ Github (WBGlIl) ⋅ WBGlIl @online{wbglil:2021:book:7ff34b3,
author = {WBGlIl},
title = {{A book on cobaltstrike}},
date = {2021},
organization = {Github (WBGlIl)},
url = {https://wbglil.gitbook.io/cobalt-strike/},
language = {Chinese},
urldate = {2021-11-29}
}
A book on cobaltstrike Cobalt Strike |
2021 ⋅ Talos ⋅ Talos Incident Response @techreport{response:2021:cobalt:f4412fa,
author = {Talos Incident Response},
title = {{Cobalt Strikes Out}},
date = {2021},
institution = {Talos},
url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf},
language = {English},
urldate = {2021-05-26}
}
Cobalt Strikes Out Cobalt Strike |
2021 ⋅ SecureWorks @online{secureworks:2021:threat:dbd7ed7,
author = {SecureWorks},
title = {{Threat Profile: GOLD DRAKE}},
date = {2021},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-drake},
language = {English},
urldate = {2021-05-28}
}
Threat Profile: GOLD DRAKE Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp |
2021 ⋅ AWAKE ⋅ Awake Security @online{security:2021:breaking:3bdfe99,
author = {Awake Security},
title = {{Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)}},
date = {2021},
organization = {AWAKE},
url = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/},
language = {English},
urldate = {2022-06-09}
}
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR) Cobalt Strike IcedID PhotoLoader |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:bce1d06,
author = {SecureWorks},
title = {{Threat Profile: GOLD WINTER}},
date = {2021},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-winter},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD WINTER Cobalt Strike Hades Meterpreter GOLD WINTER |
2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:45f61e0,
author = {SecureWorks},
title = {{Threat Profile: GOLD WATERFALL}},
date = {2021},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-waterfall},
language = {English},
urldate = {2021-05-31}
}
Threat Profile: GOLD WATERFALL Cobalt Strike DarkSide GOLD WATERFALL |
2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck @online{grimminck:20201226:spoofing:a0a5622,
author = {Stefan Grimminck},
title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}},
date = {2020-12-26},
organization = {Medium grimminck},
url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b},
language = {English},
urldate = {2021-01-01}
}
Spoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ Fortinet ⋅ Udi Yavo @online{yavo:20201221:what:716b31d,
author = {Udi Yavo},
title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}},
date = {2020-12-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack},
language = {English},
urldate = {2021-01-18}
}
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike SUNBURST TEARDROP |
2020-12-20 ⋅ Randhome ⋅ Etienne Maynier @online{maynier:20201220:analyzing:3e15960,
author = {Etienne Maynier},
title = {{Analyzing Cobalt Strike for Fun and Profit}},
date = {2020-12-20},
organization = {Randhome},
url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/},
language = {English},
urldate = {2020-12-23}
}
Analyzing Cobalt Strike for Fun and Profit Cobalt Strike |
2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team @online{team:20201215:solarwindsthreathunt:4357421,
author = {Sophos Cyber Security Team},
title = {{solarwinds-threathunt}},
date = {2020-12-15},
organization = {Github (sophos-cybersecurity)},
url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt},
language = {English},
urldate = {2020-12-15}
}
solarwinds-threathunt Cobalt Strike SUNBURST |
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20201215:tactics:bba1b4f,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}},
date = {2020-12-15},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach},
language = {English},
urldate = {2020-12-17}
}
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike SUNBURST |
2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20201214:threat:032b92d,
author = {Unit 42},
title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}},
date = {2020-12-14},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike SUNBURST |
2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team @online{team:20201211:mountlocker:9c495cb,
author = {BlackBerry Research and Intelligence team},
title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}},
date = {2020-12-11},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates},
language = {English},
urldate = {2020-12-14}
}
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike Mount Locker |
2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @online{unit42:20201210:threat:6ac31af,
author = {Unit42},
title = {{Threat Brief: FireEye Red Team Tool Breach}},
date = {2020-12-10},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: FireEye Red Team Tool Breach Cobalt Strike |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20201209:recent:0992506,
author = {Brad Duncan},
title = {{Recent Qakbot (Qbot) activity}},
date = {2020-12-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/26862},
language = {English},
urldate = {2020-12-10}
}
Recent Qakbot (Qbot) activity Cobalt Strike QakBot |
2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201208:red:8ccdfcf,
author = {Raphael Mudge},
title = {{A Red Teamer Plays with JARM}},
date = {2020-12-08},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/},
language = {English},
urldate = {2021-01-11}
}
A Red Teamer Plays with JARM Cobalt Strike |
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary) @online{redcanary:20201202:increased:5db5dce,
author = {twitter (@redcanary)},
title = {{Tweet on increased \#Qbot activity delivering Cobalt Strike \& \#Egregor ransomware}},
date = {2020-12-02},
organization = {Red Canary},
url = {https://twitter.com/redcanary/status/1334224861628039169},
language = {English},
urldate = {2020-12-08}
}
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot |
2020-12-01 ⋅ 360.cn ⋅ jindanlong @online{jindanlong:20201201:hunting:b9e2674,
author = {jindanlong},
title = {{Hunting Beacons}},
date = {2020-12-01},
organization = {360.cn},
url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950},
language = {English},
urldate = {2021-01-10}
}
Hunting Beacons Cobalt Strike |
2020-12-01 ⋅ mez0.cc ⋅ mez0 @online{mez0:20201201:cobalt:38336ed,
author = {mez0},
title = {{Cobalt Strike PowerShell Execution}},
date = {2020-12-01},
organization = {mez0.cc},
url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/},
language = {English},
urldate = {2020-12-14}
}
Cobalt Strike PowerShell Execution Cobalt Strike |
2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20201130:threat:2633df5,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}},
date = {2020-11-30},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
language = {English},
urldate = {2020-12-01}
}
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20201127:analyzing:4089f84,
author = {Hiroshi Takeuchi},
title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}},
date = {2020-11-27},
organization = {Macnica},
url = {https://blog.macnica.net/blog/2020/11/dtrack.html},
language = {Japanese},
urldate = {2020-12-08}
}
Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus @online{rochberger:20201126:cybereason:8301aeb,
author = {Lior Rochberger and Cybereason Nocturnus},
title = {{Cybereason vs. Egregor Ransomware}},
date = {2020-11-26},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware},
language = {English},
urldate = {2020-12-08}
}
Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
2020-11-25 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20201125:egregor:5727f7a,
author = {Jim Walter},
title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}},
date = {2020-11-25},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/},
language = {English},
urldate = {2020-12-08}
}
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike Egregor |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani @online{ancarani:20201120:detecting:79afa40,
author = {Riccardo Ancarani},
title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}},
date = {2020-11-20},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
language = {English},
urldate = {2020-11-23}
}
Detecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike |
2020-11-20 ⋅ 360 netlab ⋅ JiaYu @online{jiayu:20201120:blackrota:ee43da1,
author = {JiaYu},
title = {{Blackrota, a highly obfuscated backdoor written in Go}},
date = {2020-11-20},
organization = {360 netlab},
url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
language = {Chinese},
urldate = {2020-11-23}
}
Blackrota, a highly obfuscated backdoor written in Go Cobalt Strike |
2020-11-17 ⋅ cyble ⋅ Cyble @online{cyble:20201117:oceanlotus:d33eb97,
author = {Cyble},
title = {{OceanLotus Continues With Its Cyber Espionage Operations}},
date = {2020-11-17},
organization = {cyble},
url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
language = {English},
urldate = {2020-11-18}
}
OceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike Meterpreter |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse @online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot |
2020-11-15 ⋅ Trustnet ⋅ Michael Wainshtain @online{wainshtain:20201115:from:719b7ff,
author = {Michael Wainshtain},
title = {{From virus alert to PowerShell Encrypted Loader}},
date = {2020-11-15},
organization = {Trustnet},
url = {https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/},
language = {English},
urldate = {2021-07-26}
}
From virus alert to PowerShell Encrypted Loader Cobalt Strike |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research @online{adair:20201106:oceanlotus:f7b11ac,
author = {Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}},
date = {2020-11-06},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
language = {English},
urldate = {2020-11-09}
}
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike KerrDown APT32 |
2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201106:cobalt:05fe8fc,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}},
date = {2020-11-06},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
language = {English},
urldate = {2020-11-09}
}
Cobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike |
2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS @online{tracey:20201106:indicators:1ec9384,
author = {Ryan Tracey and Drew Schmitt and CRYPSIS},
title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}},
date = {2020-11-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
language = {English},
urldate = {2020-11-12}
}
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike PyXie RansomEXX |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{ |