| SYMBOL | COMMON_NAME | aka. SYNONYMS |
win.cobalt_strike (Back to overview)
Cobalt Strike
aka: Agentemis, BEACON, CobaltStrike
Actor(s): APT 29, APT32, APT41, Anunak, Cobalt, Codoso, CopyKittens, DarkHydrus, FIN6, Leviathan, Mustang Panda, Shell Crew, Stone Panda, UNC1878, UNC2452, Winnti Umbrella
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.
The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
References
| 2021-10-08 ⋅ 0ffset Blog ⋅ SQUIRRELWAFFLE – Analysing The Main Loader Cobalt Strike Squirrelwaffle |
| 2021-10-07 ⋅ Netskope ⋅ SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot Cobalt Strike QakBot Squirrelwaffle |
| 2021-10-05 ⋅ Blackberry ⋅ Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
| 2021-10-04 ⋅ Sophos ⋅ Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack ATOMSILO Cobalt Strike |
| 2021-10-04 ⋅ The DFIR Report ⋅ BazarLoader and the Conti Leaks BazarBackdoor Cobalt Strike Conti |
| 2021-10-03 ⋅ Github (0xjxd) ⋅ SquirrelWaffle - From Maldoc to Cobalt Strike Cobalt Strike Squirrelwaffle |
| 2021-10-01 ⋅ 0ffset Blog ⋅ SQUIRRELWAFFLE – Analysing the Custom Packer Cobalt Strike Squirrelwaffle |
| 2021-09-30 ⋅ Masters of Mimicry: new APT group ChamelGang and its arsenal Cobalt Strike |
| 2021-09-30 ⋅ CrowdStrike ⋅ Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense Cobalt Strike |
| 2021-09-28 ⋅ Zscaler ⋅ Squirrelwaffle: New Loader Delivering Cobalt Strike Cobalt Strike Squirrelwaffle |
| 2021-09-27 ⋅ Cynet ⋅ A Virtual Baffle to Battle Squirrelwaffle Cobalt Strike Squirrelwaffle |
| 2021-09-24 ⋅ Trend Micro ⋅ Examining the Cring Ransomware Techniques Cobalt Strike Cring MimiKatz |
| 2021-09-22 ⋅ CISA ⋅ Alert (AA21-265A) Conti Ransomware Cobalt Strike Conti |
| 2021-09-21 ⋅ GuidePoint Security ⋅ A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike Cobalt Strike |
| 2021-09-21 ⋅ Medium elis531989 ⋅ The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle” Cobalt Strike Squirrelwaffle |
| 2021-09-21 ⋅ Sophos ⋅ Cring ransomware group exploits ancient ColdFusion server Cobalt Strike Cring |
| 2021-09-21 ⋅ skyblue.team blog ⋅ Scanning VirusTotal's firehose Cobalt Strike |
| 2021-09-17 ⋅ Malware Traffic Analysis ⋅ 2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike Cobalt Strike Squirrelwaffle |
| 2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Hunts Down Adversaries Where They Hide BazarBackdoor Cobalt Strike |
| 2021-09-17 ⋅ Medium inteloperator ⋅ The default: 63 6f 62 61 6c 74 strike Cobalt Strike |
| 2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell Cobalt Strike MgBot |
| 2021-09-16 ⋅ Medium Shabarkin ⋅ Pointer: Hunting Cobalt Strike globally Cobalt Strike |
| 2021-09-16 ⋅ RiskIQ ⋅ Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit Cobalt Strike Ryuk |
| 2021-09-15 ⋅ Microsoft ⋅ Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability Cobalt Strike |
| 2021-09-14 ⋅ Recorded Future ⋅ Full-Spectrum Cobalt Strike Detection Cobalt Strike |
| 2021-09-13 ⋅ The DFIR Report ⋅ BazarLoader to Conti Ransomware in 32 Hours BazarBackdoor Cobalt Strike Conti |
| 2021-09-10 ⋅ Gigamon ⋅ Rendering Threats: A Network Perspective Cobalt Strike |
| 2021-09-09 ⋅ Trend Micro ⋅ Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs Cobalt Strike |
| 2021-09-08 ⋅ Arash's Blog ⋅ Hook Heaps and Live Free Cobalt Strike |
| 2021-09-07 ⋅ Medium michaelkoczwara ⋅ Cobalt Strike C2 Hunting with Shodan Cobalt Strike |
| 2021-09-06 ⋅ kienmanowar Blog ⋅ Quick analysis CobaltStrike loader and shellcode Cobalt Strike |
| 2021-09-03 ⋅ Sophos ⋅ Conti affiliates use ProxyShell Exchange exploit in ransomware attacks Cobalt Strike Conti |
| 2021-09-03 ⋅ Trend Micro ⋅ The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
| 2021-09-02 ⋅ Twitter (@th3_protoCOL) ⋅ Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos) Cobalt Strike |
| 2021-09-02 ⋅ Medium michaelkoczwara ⋅ Cobalt Strike PowerShell Payload Analysis Cobalt Strike |
| 2021-09-01 ⋅ YouTube (Black Hat) ⋅ Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
| 2021-08-31 ⋅ BreakPoint Labs ⋅ Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign Cobalt Strike |
| 2021-08-30 ⋅ Qianxin ⋅ Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss Cobalt Strike MimiKatz |
| 2021-08-29 ⋅ The DFIR Report ⋅ Cobalt Strike, a Defender’s Guide Cobalt Strike |
| 2021-08-27 ⋅ Morphisec ⋅ ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors Cobalt Strike |
| 2021-08-25 ⋅ Trend Micro ⋅ Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor Cobalt Strike SideWalk |
| 2021-08-24 ⋅ ESET Research ⋅ The SideWalk may be as dangerous as the CROSSWALK Cobalt Strike CROSSWALK SideWalk |
| 2021-08-23 ⋅ FBI ⋅ Indicators of Compromise Associated with OnePercent Group Ransomware Cobalt Strike MimiKatz |
| 2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Keynote: Cobalt Strike Threat Hunting Cobalt Strike |
| 2021-08-19 ⋅ Blackberry ⋅ BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware Cobalt Strike Dridex |
| 2021-08-19 ⋅ Sekoia ⋅ An insider insights into Conti operations – Part two Cobalt Strike Conti |
| 2021-08-18 ⋅ Intezer ⋅ Cobalt Strike: Detect this Persistent Threat Cobalt Strike |
| 2021-08-17 ⋅ Advanced Intelligence ⋅ Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration Cobalt Strike Conti |
| 2021-08-17 ⋅ Sekoia ⋅ An insider insights into Conti operations – Part one Cobalt Strike Conti |
| 2021-08-17 ⋅ Medium michaelkoczwara ⋅ Cobalt Strike Hunting — DLL Hijacking/Attack Analysis Cobalt Strike |
| 2021-08-11 ⋅ Advanced Intelligence ⋅ Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent Cobalt Strike Conti |
| 2021-08-09 ⋅ IstroSec ⋅ APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk) Cobalt Strike |
| 2021-08-05 ⋅ Red Canary ⋅ When Dridex and Cobalt Strike give you Grief Cobalt Strike DoppelDridex DoppelPaymer |
| 2021-08-05 ⋅ Secureworks ⋅ Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32) Cobalt Strike |
| 2021-08-04 ⋅ CrowdStrike ⋅ PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity Cobalt Strike Egregor Mount Locker |
| 2021-08-04 ⋅ Sentinel LABS ⋅ Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations Cobalt Strike |
| 2021-08-04 ⋅ Secureworks ⋅ Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON) Cobalt Strike |
| 2021-08-03 ⋅ Cybereason ⋅ DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
| 2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ The CODE 2021: Workshop presentation and demonstration about CobaltStrike Cobalt Strike |
| 2021-08-01 ⋅ The DFIR Report ⋅ BazarCall to Conti Ransomware via Trickbot and Cobalt Strike BazarBackdoor Cobalt Strike Conti TrickBot |
| 2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability BazarBackdoor Cobalt Strike |
| 2021-07-29 ⋅ Microsoft ⋅ BazaCall: Phony call centers lead to exfiltration and ransomware BazarBackdoor Cobalt Strike |
| 2021-07-29 ⋅ Rasta Mouse ⋅ NTLM Relaying via Cobalt Strike Cobalt Strike |
| 2021-07-27 ⋅ Blackberry ⋅ Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy |
| 2021-07-25 ⋅ Medium svch0st ⋅ Guide to Named Pipes and Hunting for Cobalt Strike Pipes Cobalt Strike |
| 2021-07-22 ⋅ Medium michaelkoczwara ⋅ Cobalt Strike Hunting — simple PCAP and Beacon Analysis Cobalt Strike |
| 2021-07-19 ⋅ The DFIR Report ⋅ IcedID and Cobalt Strike vs Antivirus Cobalt Strike IcedID |
| 2021-07-14 ⋅ MDSec ⋅ Investigating a Suspicious Service Cobalt Strike |
| 2021-07-14 ⋅ Kaspersky ⋅ LuminousMoth APT: Sweeping attacks for the chosen few Cobalt Strike |
| 2021-07-14 ⋅ Google ⋅ How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879) Cobalt Strike |
| 2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Solarwinds and SUNBURST attacks compromised my lab! Cobalt Strike Raindrop SUNBURST TEARDROP |
| 2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Hancitor tries XLL as initial malware file Cobalt Strike Hancitor |
| 2021-07-08 ⋅ Avast Decoded ⋅ Decoding Cobalt Strike: Understanding Payloads Cobalt Strike Empire Downloader |
| 2021-07-07 ⋅ Trend Micro ⋅ BIOPASS RAT: New Malware Sniffs Victims via Live Streaming BIOPASS Cobalt Strike Derusbi |
| 2021-07-07 ⋅ McAfee ⋅ Ryuk Ransomware Now Targeting Webservers Cobalt Strike Ryuk |
| 2021-07-07 ⋅ Trustwave ⋅ Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails Cobalt Strike REvil |
| 2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike Cobalt Strike |
| 2021-07-05 ⋅ Trend Micro ⋅ Tracking Cobalt Strike: A Trend Micro Vision One Investigation Cobalt Strike |
| 2021-07-02 ⋅ MalwareBookReports ⋅ Skip the Middleman: Dridex Document to Cobalt Strike Cobalt Strike Dridex |
| 2021-07-01 ⋅ The Record ⋅ Mongolian certificate authority hacked eight times, compromised with malware Cobalt Strike |
| 2021-07-01 ⋅ Avast Decoded ⋅ Backdoored Client from Mongolian CA MonPass Cobalt Strike |
| 2021-06-30 ⋅ Group-IB ⋅ REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs Cobalt Strike REvil |
| 2021-06-29 ⋅ Proofpoint ⋅ Cobalt Strike: Favorite Tool from APT to Crimeware Cobalt Strike |
| 2021-06-29 ⋅ Accenture ⋅ HADES ransomware operators continue attacks Cobalt Strike Hades MimiKatz |
| 2021-06-28 ⋅ The DFIR Report ⋅ Hancitor Continues to Push Cobalt Strike Cobalt Strike Hancitor |
| 2021-06-22 ⋅ CrowdStrike ⋅ Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators Cobalt Strike |
| 2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs Cobalt Strike Dridex |
| 2021-06-20 ⋅ The DFIR Report ⋅ From Word to Lateral Movement in 1 Hour Cobalt Strike IcedID |
| 2021-06-18 ⋅ SecurityScorecard ⋅ SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought Cobalt Strike |
| 2021-06-17 ⋅ Binary Defense ⋅ Analysis of Hancitor – When Boring Begets Beacon Cobalt Strike Ficker Stealer Hancitor |
| 2021-06-16 ⋅ FireEye ⋅ Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise Cobalt Strike FiveHands |
| 2021-06-16 ⋅ Національної поліції України ⋅ Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies Clop Cobalt Strike FlawedAmmyy |
| 2021-06-15 ⋅ Secureworks ⋅ Hades Ransomware Operators Use Distinctive Tactics and Infrastructure Cobalt Strike Hades |
| 2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ A thread on RagnarLocker ransomware group's TTP seen in an Incident Response Cobalt Strike RagnarLocker |
| 2021-06-10 ⋅ Group-IB ⋅ Big airline heist APT41 likely behind massive supply chain attack Cobalt Strike |
| 2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1) Cobalt Strike |
| 2021-06-04 ⋅ Inky ⋅ Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts Cobalt Strike |
| 2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879 Cobalt Strike |
| 2021-06-02 ⋅ Medium CyCraft ⋅ China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware Cobalt Strike ColdLock |
| 2021-06-02 ⋅ Sophos ⋅ AMSI bypasses remain tricks of the malware trade Agent Tesla Cobalt Strike Meterpreter |
| 2021-06-01 ⋅ Department of Justice ⋅ Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development Cobalt Strike |
| 2021-06-01 ⋅ SANS ⋅ A Contrarian View on SolarWinds Cobalt Strike Raindrop SUNBURST TEARDROP |
| 2021-06-01 ⋅ SentinelOne ⋅ NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks Cobalt Strike |
| 2021-06-01 ⋅ Microsoft ⋅ New sophisticated email-based attack from NOBELIUM Cobalt Strike |
| 2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452 Cobalt Strike |
| 2021-05-28 ⋅ CISA ⋅ Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs Cobalt Strike |
| 2021-05-28 ⋅ CISA ⋅ Malware Analysis Report (AR21-148A): Cobalt Strike Beacon Cobalt Strike |
| 2021-05-27 ⋅ Volexity ⋅ Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns Cobalt Strike |
| 2021-05-26 ⋅ DeepInstinct ⋅ A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
| 2021-05-25 ⋅ Huntress Labs ⋅ Cobalt Strikes Again: An Analysis of Obfuscated Malware Cobalt Strike |
| 2021-05-21 ⋅ blackarrow ⋅ Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic Cobalt Strike |
| 2021-05-19 ⋅ Medium Mehmet Ergene ⋅ Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2 Cobalt Strike |
| 2021-05-19 ⋅ Intel 471 ⋅ Look how many cybercriminals love Cobalt Strike BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot |
| 2021-05-18 ⋅ Sophos ⋅ The Active Adversary Playbook 2021 Cobalt Strike MimiKatz |
| 2021-05-17 ⋅ Talos ⋅ Case Study: Incident Response is a relationship-driven business Cobalt Strike |
| 2021-05-16 ⋅ NCSC Ireland ⋅ Ransomware Attack on Health Sector - UPDATE 2021-05-16 Cobalt Strike Conti |
| 2021-05-14 ⋅ Blue Team Blog ⋅ DarkSide Ransomware Operations – Preventions and Detections. Cobalt Strike DarkSide |
| 2021-05-14 ⋅ GuidePoint Security ⋅ From ZLoader to DarkSide: A Ransomware Story DarkSide Cobalt Strike Zloader |
| 2021-05-13 ⋅ AWAKE ⋅ Catching the White Stork in Flight Cobalt Strike MimiKatz RMS |
| 2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1 Cobalt Strike |
| 2021-05-12 ⋅ Conti Ransomware Cobalt Strike Conti IcedID |
| 2021-05-11 ⋅ Mal-Eats ⋅ Campo, a New Attack Campaign Targeting Japan Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
| 2021-05-11 ⋅ FireEye ⋅ Shining a Light on DARKSIDE Ransomware Operations Cobalt Strike DarkSide |
| 2021-05-10 ⋅ ZERO.BS ⋅ Cobaltstrike-Beacons analyzed Cobalt Strike |
| 2021-05-10 ⋅ Mal-Eats ⋅ Overview of Campo, a new attack campaign targeting Japan Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
| 2021-05-07 ⋅ TEAMT5 ⋅ Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
| 2021-05-07 ⋅ SophosLabs Uncut ⋅ New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike |
| 2021-05-07 ⋅ Cisco Talos ⋅ Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike |
| 2021-05-07 ⋅ Medium svch0st ⋅ Stats from Hunting Cobalt Strike Beacons Cobalt Strike |
| 2021-05-06 ⋅ Trend Micro ⋅ Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike |
| 2021-05-05 ⋅ TRUESEC ⋅ Are The Notorious Cyber Criminals Evil Corp actually Russian Spies? Cobalt Strike Hades WastedLocker |
| 2021-05-05 ⋅ SophosLabs Uncut ⋅ Intervention halts a ProxyLogon-enabled attack Cobalt Strike |
| 2021-05-04 ⋅ Medium sergiusechel ⋅ Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives Cobalt Strike |
| 2021-05-02 ⋅ The DFIR Report ⋅ Trickbot Brief: Creds and Beacons Cobalt Strike TrickBot |
| 2021-04-29 ⋅ NTT ⋅ The Operations of Winnti group Cobalt Strike ShadowPad Spyder Winnti |
| 2021-04-27 ⋅ Trend Micro ⋅ Legitimate Tools Weaponized for Ransomware in 2021 Cobalt Strike MimiKatz |
| 2021-04-27 ⋅ Trend Micro ⋅ Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
| 2021-04-26 ⋅ getrevue ⋅ Hunting Cobalt Strike DNS redirectors by using ZoomEye Cobalt Strike |
| 2021-04-26 ⋅ nviso ⋅ Anatomy of Cobalt Strike’s DLL Stager Cobalt Strike |
| 2021-04-24 ⋅ Non-offensive security ⋅ Detect Cobalt Strike server through DNS protocol Cobalt Strike |
| 2021-04-23 ⋅ Twitter (@vikas891) ⋅ Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals Cobalt Strike DoppelPaymer |
| 2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Twwet On TTPs seen in IR used by DOPPEL SPIDER Cobalt Strike DoppelPaymer |
| 2021-04-21 ⋅ SophosLabs Uncut ⋅ Nearly half of malware now use TLS to conceal communications Agent Tesla Cobalt Strike Dridex SystemBC |
| 2021-04-20 ⋅ Medium walmartglobaltech ⋅ CobaltStrike Stager Utilizing Floating Point Math Cobalt Strike |
| 2021-04-19 ⋅ Netresec ⋅ Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID |
| 2021-04-18 ⋅ YouTube (dist67) ⋅ Decoding Cobalt Strike Traffic Cobalt Strike |
| 2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ April 2021 Forensic Quiz: Answers and Analysis Anchor BazarBackdoor Cobalt Strike |
| 2021-04-09 ⋅ F-Secure ⋅ Detecting Exposed Cobalt Strike DNS Redirectors Cobalt Strike |
| 2021-04-07 ⋅ Medium sixdub ⋅ Using Kaitai Struct to Parse Cobalt Strike Beacon Configs Cobalt Strike |
| 2021-04-05 ⋅ Medium walmartglobaltech ⋅ TrickBot Crews New CobaltStrike Loader Cobalt Strike TrickBot |
| 2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool Cobalt Strike Hancitor |
| 2021-04-01 ⋅ DomainTools ⋅ COVID-19 Phishing With a Side of Cobalt Strike Cobalt Strike |
| 2021-03-31 ⋅ Red Canary ⋅ 2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
| 2021-03-30 ⋅ GuidePoint Security ⋅ Yet Another Cobalt Strike Stager: GUID Edition Cobalt Strike |
| 2021-03-29 ⋅ The DFIR Report ⋅ Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
| 2021-03-21 ⋅ YouTube (dist67) ⋅ Finding Metasploit & Cobalt Strike URLs Cobalt Strike |
| 2021-03-21 ⋅ Blackberry ⋅ 2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
| 2021-03-18 ⋅ DeepInstinct ⋅ Cobalt Strike – Post-Exploitation Attackers Toolkit Cobalt Strike |
| 2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ SilverFish GroupThreat Actor Report Cobalt Strike Dridex Koadic |
| 2021-03-16 ⋅ McAfee ⋅ Technical Analysis of Operation Diànxùn Cobalt Strike |
| 2021-03-16 ⋅ Elastic ⋅ Detecting Cobalt Strike with memory signatures Cobalt Strike |
| 2021-03-11 ⋅ Cyborg Security ⋅ You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
| 2021-03-11 ⋅ Qurium ⋅ Myanmar – Multi-stage malware attack targets elected lawmakers Cobalt Strike |
| 2021-03-10 ⋅ Proofpoint ⋅ NimzaLoader: TA800’s New Initial Access Malware BazarNimrod Cobalt Strike |
| 2021-03-09 ⋅ splunk ⋅ Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021 Cobalt Strike |
| 2021-03-08 ⋅ The DFIR Report ⋅ Bazar Drops the Anchor Anchor BazarBackdoor Cobalt Strike |
| 2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R) Cobalt Strike SUNBURST TEARDROP |
| 2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ PCAPs and Beacons Cobalt Strike |
| 2021-03-01 ⋅ Medium walmartglobaltech ⋅ Nimar Loader BazarBackdoor BazarNimrod Cobalt Strike |
| 2021-03-01 ⋅ Medium walmartglobaltech ⋅ Investigation into the state of Nim malware BazarNimrod Cobalt Strike |
| 2021-02-26 ⋅ CrowdStrike ⋅ Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil |
| 2021-02-25 ⋅ FireEye ⋅ So Unchill: Melting UNC2198 ICEDID to Ransomware Operations MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC |
| 2021-02-24 ⋅ Github (AmnestyTech) ⋅ Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus Cobalt Strike KerrDown |
| 2021-02-24 ⋅ VMWare Carbon Black ⋅ Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike |
| 2021-02-23 ⋅ CrowdStrike ⋅ 2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ Tweet on Hancitor Activity followed by cobaltsrike beacon Cobalt Strike Hancitor |
| 2021-02-09 ⋅ Cobalt Strike ⋅ Learn Pipe Fitting for all of your Offense Projects Cobalt Strike |
| 2021-02-09 ⋅ Securehat ⋅ Extracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike TEARDROP |
| 2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Excel spreadsheets push SystemBC malware Cobalt Strike SystemBC |
| 2021-02-02 ⋅ Committee to Protect Journalists ⋅ How Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike |
| 2021-02-02 ⋅ CRONUP ⋅ De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
| 2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ Tweet on recent dridex post infection activity Cobalt Strike Dridex |
| 2021-02-01 ⋅ pkb1s.github.io ⋅ Relay Attacks via Cobalt Strike Beacons Cobalt Strike |
| 2021-02-01 ⋅ AhnLab ⋅ BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil |
| 2021-01-31 ⋅ The DFIR Report ⋅ Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk |
| 2021-01-28 ⋅ TrustedSec ⋅ Tailoring Cobalt Strike on Target Cobalt Strike |
| 2021-01-28 ⋅ AhnLab ⋅ BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil |
| 2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware Cobalt Strike Cring MimiKatz |
| 2021-01-20 ⋅ Microsoft ⋅ Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike SUNBURST TEARDROP |
| 2021-01-18 ⋅ Symantec ⋅ Raindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike Raindrop SUNBURST TEARDROP |
| 2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike Conti |
| 2021-01-15 ⋅ Medium Dansec ⋅ Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike |
| 2021-01-14 ⋅ PTSecurity ⋅ Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
| 2021-01-12 ⋅ BrightTALK (FireEye) ⋅ UNC2452: What We Know So Far Cobalt Strike SUNBURST TEARDROP |
| 2021-01-12 ⋅ Fox-IT ⋅ Abusing cloud services to fly under the radar Cobalt Strike |
| 2021-01-11 ⋅ The DFIR Report ⋅ Trickbot Still Alive and Well Cobalt Strike TrickBot |
| 2021-01-11 ⋅ SolarWinds ⋅ New Findings From Our Investigation of SUNBURST Cobalt Strike SUNBURST TEARDROP |
| 2021-01-10 ⋅ Medium walmartglobaltech ⋅ MAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike Hancitor SendSafe VegaLocker |
| 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
| 2021-01-09 ⋅ Connor McGarr's Blog ⋅ Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike |
| 2021-01-07 ⋅ Recorded Future ⋅ Aversary Infrastructure Report 2020: A Defender's View Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
| 2021-01-06 ⋅ Red Canary ⋅ Hunting for GetSystem in offensive security tools Cobalt Strike Empire Downloader Meterpreter PoshC2 |
| 2021-01-05 ⋅ Trend Micro ⋅ Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike |
| 2021-01-04 ⋅ Medium haggis-m ⋅ Malleable C2 Profiles and You Cobalt Strike |
| 2021 ⋅ Talos ⋅ Evicting Maze Cobalt Strike Maze |
| 2021 ⋅ Talos ⋅ Cobalt Strikes Out Cobalt Strike |
| 2021 ⋅ Threat Profile: GOLD DRAKE Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp |
| 2021 ⋅ Secureworks ⋅ Threat Profile: GOLD WINTER Cobalt Strike Hades Meterpreter GOLD WINTER |
| 2021 ⋅ Secureworks ⋅ Threat Profile: GOLD WATERFALL Cobalt Strike DarkSide GOLD WATERFALL |
| 2020-12-26 ⋅ Medium grimminck ⋅ Spoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike |
| 2020-12-22 ⋅ TRUESEC ⋅ Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk |
| 2020-12-21 ⋅ Fortinet ⋅ What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike SUNBURST TEARDROP |
| 2020-12-20 ⋅ Randhome ⋅ Analyzing Cobalt Strike for Fun and Profit Cobalt Strike |
| 2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ solarwinds-threathunt Cobalt Strike SUNBURST |
| 2020-12-15 ⋅ PICUS Security ⋅ Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike SUNBURST |
| 2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike SUNBURST |
| 2020-12-11 ⋅ Blackberry ⋅ MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike Mount Locker |
| 2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Threat Brief: FireEye Red Team Tool Breach Cobalt Strike |
| 2020-12-10 ⋅ Intel 471 ⋅ No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
| 2020-12-09 ⋅ FireEye ⋅ It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
| 2020-12-09 ⋅ Cisco ⋅ Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
| 2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Recent Qakbot (Qbot) activity Cobalt Strike QakBot |
| 2020-12-08 ⋅ Cobalt Strike ⋅ A Red Teamer Plays with JARM Cobalt Strike |
| 2020-12-02 ⋅ Red Canary ⋅ Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot |
| 2020-12-01 ⋅ 360.cn ⋅ Hunting Beacons Cobalt Strike |
| 2020-12-01 ⋅ mez0.cc ⋅ Cobalt Strike PowerShell Execution Cobalt Strike |
| 2020-11-30 ⋅ Microsoft ⋅ Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike |
| 2020-11-30 ⋅ FireEye ⋅ It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
| 2020-11-27 ⋅ Macnica ⋅ Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
| 2020-11-26 ⋅ Cybereason ⋅ Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
| 2020-11-25 ⋅ SentinelOne ⋅ Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike Egregor |
| 2020-11-20 ⋅ ZDNet ⋅ The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
| 2020-11-20 ⋅ F-Secure Labs ⋅ Detecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike |
| 2020-11-20 ⋅ 360 netlab ⋅ Blackrota, a highly obfuscated backdoor developed by Go Cobalt Strike |
| 2020-11-17 ⋅ cyble ⋅ OceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike Meterpreter |
| 2020-11-17 ⋅ Salesforce Engineering ⋅ Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot |
| 2020-11-15 ⋅ Trustnet ⋅ From virus alert to PowerShell Encrypted Loader Cobalt Strike |
| 2020-11-09 ⋅ Bleeping Computer ⋅ Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
| 2020-11-06 ⋅ Volexity ⋅ OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike KerrDown APT32 |
| 2020-11-06 ⋅ Cobalt Strike ⋅ Cobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike |
| 2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike PyXie RansomEXX |
| 2020-11-06 ⋅ Advanced Intelligence ⋅ Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor Cobalt Strike Ryuk |
| 2020-11-05 ⋅ The DFIR Report ⋅ Ryuk Speed Run, 2 Hours to Ransom BazarBackdoor Cobalt Strike Ryuk |
| 2020-11-05 ⋅ Twitter (@ffforward) ⋅ Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader |
| 2020-11-04 ⋅ VMRay ⋅ Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot |
| 2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike Cobalt Strike |
| 2020-11-03 ⋅ Kaspersky Labs ⋅ APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
| 2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ UNC 1878 Indicators from Threatconnect BazarBackdoor Cobalt Strike Ryuk |
| 2020-10-29 ⋅ RiskIQ ⋅ Ryuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike Ryuk |
| 2020-10-29 ⋅ Red Canary ⋅ A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot |
| 2020-10-29 ⋅ Github (Swisscom) ⋅ List of CobaltStrike C2's used by RYUK Cobalt Strike |
| 2020-10-28 ⋅ FireEye ⋅ Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor Cobalt Strike Ryuk UNC1878 |
| 2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ MTR Casebook: An active adversary caught in the act Cobalt Strike |
| 2020-10-18 ⋅ The DFIR Report ⋅ Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk |
| 2020-10-14 ⋅ RiskIQ ⋅ A Well-Marked Trail: Journeying through OceanLotus's Infrastructure Cobalt Strike |
| 2020-10-14 ⋅ Sophos ⋅ They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC |
| 2020-10-12 ⋅ Advanced Intelligence ⋅ "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk |
| 2020-10-11 ⋅ Github (StrangerealIntel) ⋅ Chimera, APT19 under the radar ? Cobalt Strike Meterpreter |
| 2020-10-08 ⋅ The DFIR Report ⋅ Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk |
| 2020-10-08 ⋅ Bayerischer Rundfunk ⋅ There is no safe place Cobalt Strike |
| 2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot |
| 2020-10-01 ⋅ Wired ⋅ Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike Meterpreter |
| 2020-10-01 ⋅ US-CERT ⋅ Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
| 2020-09-29 ⋅ CrowdStrike ⋅ Getting the Bacon from the Beacon Cobalt Strike |
| 2020-09-29 ⋅ Github (Apr4h) ⋅ CobaltStrikeScan Cobalt Strike |
| 2020-09-24 ⋅ US-CERT ⋅ Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike Meterpreter |
| 2020-09-21 ⋅ Cisco Talos ⋅ The art and science of detecting Cobalt Strike Cobalt Strike |
| 2020-09-18 ⋅ Trend Micro ⋅ U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike ColdLock |
| 2020-09-03 ⋅ Viettel Cybersecurity ⋅ APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike |
| 2020-09-01 ⋅ Cisco Talos ⋅ Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk |
| 2020-08-31 ⋅ The DFIR Report ⋅ NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz |
| 2020-08-20 ⋅ Seebug Paper ⋅ Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike Empire Downloader PoshC2 |
| 2020-08-19 ⋅ TEAMT5 ⋅ 調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike Waterbear |
| 2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Tweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike Zloader |
| 2020-08-06 ⋅ Wired ⋅ Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
| 2020-08-04 ⋅ BlackHat ⋅ Operation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
| 2020-07-29 ⋅ Kaspersky Labs ⋅ APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
| 2020-07-26 ⋅ Shells.System blog ⋅ In-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike |
| 2020-07-22 ⋅ On the Hunt ⋅ Analysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike |
| 2020-07-21 ⋅ Malwarebytes ⋅ Chinese APT group targets India and Hong Kong using new variant of MgBot malware KSREMOTE Cobalt Strike MgBot |
| 2020-07-07 ⋅ MWLab ⋅ Cobalt Strike stagers used by FIN6 Cobalt Strike |
| 2020-06-23 ⋅ NCC Group ⋅ WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker |
| 2020-06-23 ⋅ Symantec ⋅ Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil |
| 2020-06-22 ⋅ Sentinel LABS ⋅ Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot |
| 2020-06-22 ⋅ Talos Intelligence ⋅ IndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike IndigoDrop |
| 2020-06-19 ⋅ Zscaler ⋅ Targeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike |
| 2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Beacon Object Files - Luser Demo Cobalt Strike |
| 2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader |
| 2020-06-17 ⋅ Malwarebytes ⋅ Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike |
| 2020-06-15 ⋅ NCC Group ⋅ Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike |
| 2020-06-09 ⋅ Github (Sentinel-One) ⋅ CobaltStrikeParser Cobalt Strike |
| 2020-05-28 ⋅ Microsoft ⋅ Breaking down NOBELIUM’s latest early-stage toolset Cobalt Strike |
| 2020-05-14 ⋅ Lab52 ⋅ The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
| 2020-05-11 ⋅ SentinelOne ⋅ The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike |
| 2020-04-24 ⋅ The DFIR Report ⋅ Ursnif via LOLbins Cobalt Strike LOLSnif TeamSpy |
| 2020-04-16 ⋅ Medium CyCraft ⋅ Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures Cobalt Strike MimiKatz Operation Skeleton Key |
| 2020-04-02 ⋅ Darktrace ⋅ Catching APT41 exploiting a zero-day vulnerability Cobalt Strike |
| 2020-03-26 ⋅ VMWare Carbon Black ⋅ The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
| 2020-03-25 ⋅ Wilbur Security ⋅ Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot |
| 2020-03-25 ⋅ FireEye ⋅ This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Speculoos Cobalt Strike |
| 2020-03-22 ⋅ Malware and Stuff ⋅ Mustang Panda joins the COVID-19 bandwagon Cobalt Strike |
| 2020-03-20 ⋅ RECON INFOSEC ⋅ Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41) Cobalt Strike |
| 2020-03-04 ⋅ CrowdStrike ⋅ 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
| 2020-03-04 ⋅ Cobalt Strike ⋅ Cobalt Strike joins Core Impact at HelpSystems, LLC Cobalt Strike |
| 2020-03-03 ⋅ PWC UK ⋅ Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
| 2020-02-20 ⋅ McAfee ⋅ CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II Cobalt Strike LockerGoga Maze MegaCortex |
| 2020-02-19 ⋅ FireEye ⋅ M-Trends 2020 Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
| 2020-02-18 ⋅ Trend Micro ⋅ Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
| 2020-02-18 ⋅ Cisco Talos ⋅ Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz |
| 2020-02-13 ⋅ Qianxin ⋅ APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
| 2020 ⋅ Secureworks ⋅ GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
| 2020 ⋅ Secureworks ⋅ BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
| 2020 ⋅ Secureworks ⋅ GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
| 2020 ⋅ Secureworks ⋅ GOLD NIAGARA Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7 |
| 2020 ⋅ Secureworks ⋅ TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
| 2020 ⋅ Secureworks ⋅ GOLD DUPONT Cobalt Strike Defray PyXie GOLD DUPONT |
| 2020 ⋅ Secureworks ⋅ BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
| 2020 ⋅ Secureworks ⋅ BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
| 2019-12-12 ⋅ FireEye ⋅ Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
| 2019-12-05 ⋅ Github (blackorbird) ⋅ APT32 Report Cobalt Strike |
| 2019-12-05 ⋅ Cobalt Strike 4.0 – Bring Your Own Weaponization Cobalt Strike |
| 2019-11-29 ⋅ Deloitte ⋅ Cyber Threat Intelligence & Incident Response Cobalt Strike |
| 2019-11-19 ⋅ FireEye ⋅ Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
| 2019-11-05 ⋅ tccontre Blog ⋅ CobaltStrike - beacon.dll : Your No Ordinary MZ Header Cobalt Strike |
| 2019-09-22 ⋅ Check Point Research ⋅ Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
| 2019-06-13 ⋅ Sekoia ⋅ Hunting and detecting Cobalt Strike Cobalt Strike |
| 2019-06-04 ⋅ Bitdefender ⋅ An APT Blueprint: Gaining New Visibility into Financial Threats More_eggs Cobalt Strike |
| 2019-05-08 ⋅ Verizon Communications Inc. ⋅ 2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
| 2019-04-24 ⋅ Weixin ⋅ "Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed Cobalt Strike SOUNDBITE |
| 2019-04-15 ⋅ PenTestPartners ⋅ Cobalt Strike. Walkthrough for Red Teamers Cobalt Strike |
| 2019-04 ⋅ Macnica Networks ⋅ OceanLotus Attack on Southeast Asian Automotive Industry CACTUSTORCH Cobalt Strike |
| 2019-04-01 ⋅ Macnica Networks ⋅ Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
| 2019-03-24 ⋅ One Night in Norfolk ⋅ JEShell: An OceanLotus (APT32) Backdoor Cobalt Strike KerrDown |
| 2019-02-27 ⋅ Morphisec ⋅ New Global Cyber Attack on Point of Sale Sytem Cobalt Strike |
| 2019-02-26 ⋅ Fox-IT ⋅ Identifying Cobalt Strike team servers in the wild Cobalt Strike |
| 2018-11-19 ⋅ FireEye ⋅ Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign Cobalt Strike |
| 2018-11-18 ⋅ Stranded on Pylos Blog ⋅ CozyBear – In from the Cold? Cobalt Strike APT 29 |
| 2018-10-01 ⋅ Macnica Networks ⋅ Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
| 2018-10-01 ⋅ FireEye ⋅ ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
| 2018-10 ⋅ Group-IB ⋅ Hi-Tech Crime Trends 2018 BackSwap Cobalt Strike Cutlet Meterpreter |
| 2018-08-03 ⋅ JPCERT/CC ⋅ Volatility Plugin for Detecting Cobalt Strike Beacon Cobalt Strike |
| 2018-07-31 ⋅ Github (JPCERTCC) ⋅ Scanner for CobaltStrike Cobalt Strike |
| 2018-05-21 ⋅ LAC ⋅ Confirmed new attacks by APT attacker group menuPass (APT10) Cobalt Strike |
| 2017-06-06 ⋅ FireEye ⋅ Privileges and Credentials: Phished at the Request of Counsel Cobalt Strike |
| 2016-10-11 ⋅ Symantec ⋅ Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff |
| 2012 ⋅ Cobalt Strike ⋅ Cobalt Strike Website Cobalt Strike |