SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cobalt_strike (Back to overview)

Cobalt Strike

aka: Agentemis, BEACON, CobaltStrike, cobeacon

Actor(s): APT 29, APT32, APT41, AQUATIC PANDA, Anunak, Cobalt, Codoso, CopyKittens, DarkHydrus, Earth Baxia, FIN6, FIN7, Leviathan, Mustang Panda, Shell Crew, Stone Panda, TianWu, UNC1878, UNC2452, Winnti Umbrella

VTCollection     URLhaus      

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

References
2024-12-03Hunt.ioHunt.io
Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Cobalt Strike
2024-11-12Recorded FutureInsikt Group
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike
Cobalt Strike
2024-11-12Recorded FutureInsikt Group
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike
Cobalt Strike TAG-112
2024-10-31Hunt.ioHunt.io
Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight
Cobalt Strike
2024-10-24SeqriteSubhajeet Singha
Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan
Cobalt Strike Operation Cobalt Whisper
2024-10-23Cisco TalosEdmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Threat Spotlight: WarmCookie/BadSpace
Cobalt Strike csharp-streamer RAT WarmCookie
2024-10-23Cisco TalosEdmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Highlighting TA866/Asylum Ambuscade Activity Since 2021
WasabiSeed Cobalt Strike csharp-streamer RAT Resident Rhadamanthys WarmCookie
2024-09-19Trend MicroCyris Tseng, Philip Chen, Pierre Lee, Sunny Lu, Ted Lee
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC (IoCs)
Cobalt Strike Earth Baxia
2024-09-19Trend MicroCyris Tseng, Philip Chen, Pierre Lee, Sunny Lu, Ted Lee
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Cobalt Strike Earth Baxia
2024-08-29SecuronixDen Iyzvyk, Tim Peck
From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users
Cobalt Strike MimiKatz
2024-08-26The DFIR ReportThe DFIR Report
BlackSuit Ransomware
BlackSuit Cobalt Strike SystemBC
2024-08-23TEAMT5Still Hsu
Sailing the Seven SEAs: Deep Dive into Polaris' Arsenal and Intelligence Insights
Cobalt Strike Hodur PlugX TONESHELL
2024-08-23ITOCHUSuguru Ishimaru, Yusuke Niwa
Pirates of The Nang Hai: Follow the Artifacts No One Know
Cobalt Strike Xiangoop
2024-08-22NTTRintaro Koike
AppDomainManager Injectionを悪用したマルウェアによる攻撃について
Cobalt Strike Earth Baxia
2024-08-21TG SoftC.R.A.M.
Chinese APT abuses MSC files with GrimResource vulnerability
Cobalt Strike Earth Baxia
2024-08-04Twitter (@embee_research)Embee_research
Decoding a Cobalt Strike Downloader Script With CyberChef
Cobalt Strike
2024-07-25SOC PrimeVeronika Telychko
UAC-0057 Attack Detection: A Surge in Adversary Activity Distributing PICASSOLOADER and Cobalt Strike Beacon
Cobalt Strike PicassoLoader Ghostwriter
2024-07-22CensysCensys, Embee_research
A Beginner’s Guide to Hunting Malicious Open Directories
Cobalt Strike Lumma Stealer Vidar
2024-07-18MandiantJared Wilson, Jonathan Lepore, Luis Rocha, Mike Stokkel, Pierre Gerlings, RENATO FONTANA, Stephen Eckels
APT41 Has Arisen From the DUST
Cobalt Strike
2024-07-16Recorded FutureInsikt Group
TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
Cobalt Strike
2024-07-10ZscalerSudeep Singh, Yin Hong Chang
DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
Cobalt Strike DUSTPAN DUSTTRAP
2024-07-09SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver
2024-07-02SekoiaQuentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2024-06-21ElasticJoe Desimone, Samir Bousseaden
GrimResource - Microsoft Management Console for initial access and evasion
Cobalt Strike
2024-05-23CheckpointCheckpoint Research
Sharp dragon expands towards africa and the caribbean
5.t Downloader Cobalt Strike
2024-05-23Check PointCheck Point
Chinese Espionage Campaign Expands to Target Africa and The Caribbean
5.t Downloader Cobalt Strike
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot SystemBC
2024-05-14KasperskyBoris Larin, Mert Degirmenci
QakBot attacks with Windows zero-day (CVE-2024-30051)
Cobalt Strike QakBot
2024-05-10Rapid7 LabsEvan McCann, Thomas Elkins, Tyler McGraw
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Black Basta Black Basta Cobalt Strike NetSupportManager RAT
2024-04-24SecuronixDen Iyzvyk, Oleg Kolesnikov, Tim Peck
Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover
Cobalt Strike Latrodectus
2024-04-01The DFIR ReportThe DFIR Report
From OneNote to RansomNote: An Ice Cold Intrusion
Cobalt Strike IcedID Nokoyawa Ransomware PhotoLoader
2024-03-01Medium b.magnezi0xMrMagnezi
Malware Analysis - Cobalt Strike
Cobalt Strike
2024-02-09CensysCensys, Embee_research
A Beginners Guide to Tracking Malware Infrastructure
AsyncRAT BianLian Cobalt Strike QakBot
2024-02-08YouTube (Embee Research)Embee_research
Cobalt Strike Decoding and C2 Extraction - 3 Minute Malware Analysis Speedrun
Cobalt Strike
2024-01-26TrendmicroHara Hiroaki, Masaoki Shoji, Nick Dai, Vickie Su, Yuka Higashi
Spot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha
Anel Cobalt Strike LODEINFO NOOPDOOR
2024-01-13YouTube (Embee Research)Embee_research
Cobalt Strike Shellcode Analysis and C2 Extraction
Cobalt Strike
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-09Recorded FutureInsikt Group
2023 Adversary Infrastructure Report
AsyncRAT Cobalt Strike Emotet PlugX ShadowPad
2024-01-04NetresecErik Hjelmvik
Hunting for Cobalt Strike in PCAP
Cobalt Strike
2023-12-20Twitter (@embee_research)Embee_research
Defeating Obfuscated Malware Scripts - Cobalt Strike
Cobalt Strike
2023-12-19Twitter (@embee_research)Embee_research
Free Ghidra Tutorials for Beginners
Cobalt Strike DarkGate
2023-12-08Twitter (@embee_research)Embee_research
Ghidra Basics - Manual Shellcode Analysis and C2 Extraction
Cobalt Strike
2023-12-04The DFIR ReportThe DFIR Report
SQL Brute Force leads to Bluesky Ransomware
BlueSky Cobalt Strike
2023-11-19Twitter (@embee_research)Embee_research
Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike
Amadey Cobalt Strike RedLine Stealer SmokeLoader
2023-11-14Medium joshuapenny88Joshua Penny
HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED
Hook Hydra Cobalt Strike SectopRAT
2023-11-10NSFOCUSNSFOCUS
The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Cobalt Strike Konni DarkCasino Opal Sleet
2023-11-07SOCRadarSOCRadar
New Gootloader Variant “GootBot” Changes the Game in Malware Tactics
GootLoader Cobalt Strike UNC2565
2023-11-06Twitter (@embee_research)Embee_research
Unpacking Malware With Hardware Breakpoints - Cobalt Strike
Cobalt Strike
2023-11-01nccgroupMick Koomen
Popping Blisters for research: An overview of past payloads and exploring recent developments
Blister Cobalt Strike
2023-10-23Twitter (@embee_research)Embee_research
Cobalt Strike .VBS Loader - Decoding with Advanced CyberChef and Emulation
Cobalt Strike
2023-10-20Twitter (@embee_research)Embee_research
Decoding a Cobalt Strike .hta Loader Using CyberChef and Emulation
Cobalt Strike
2023-10-18Twitter (@embee_research)Embee_research
Ghidra Tutorial - Using Entropy To Locate a Cobalt Strike Decryption Function
Cobalt Strike
2023-10-12NetresecErik Hjelmvik
Forensic Timeline of an IcedID Infection
Cobalt Strike IcedID IcedID Downloader
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-10-10SymantecThreat Hunter Team
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan
Cobalt Strike Havoc MimiKatz Grayling
2023-10-03Malware Traffic AnalysisBrad Duncan
2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike
Cobalt Strike Pikabot
2023-09-22MandiantDan Black, Josh Atkins, Luke Jenkins
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-09-22Palo Alto Networks Unit 42Lior Rochberger, Robert Falcone, Tom Fakterman
Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Cobalt Strike MimiKatz RemCom ShadowPad TONESHELL
2023-09-12ANSSIANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-08-30Trend MicroGilbert Sison, Hara Hiroaki, Lenart Bermejo, Leon M Chang, Ted Lee
Earth Estries Targets Government, Tech for Cyberespionage
Cobalt Strike HemiGate Earth Estries
2023-08-28The DFIR ReportThe DFIR Report
HTML Smuggling Leads to Domain Wide Ransomware
Cobalt Strike IcedID Nokoyawa Ransomware
2023-08-18d01aMohamed Adel
Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation
Cobalt Strike
2023-08-18TEAMT5Still Hsu, Zih-Cing Liao
Unmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East Asia
CatB Cobalt Strike DoorMe GIMMICK
2023-08-17SentinelOneAleksandar Milenkoski, Tom Hegel
Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector
Cobalt Strike HUI Loader BRONZE STARLIGHT
2023-08-07Recorded FutureInsikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2023-07-29GoogleGoogle Cybersecurity Action Team
Threat Horizons August 2023 Threat Horizons Report
SharkBot Cobalt Strike
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-07-07Lab52Lab52
Beyond appearances: unknown actor using APT29’s TTP against Chinese users
Cobalt Strike
2023-06-30K7 SecurityDhanush
Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass
Cobalt Strike
2023-06-16SOC PrimeVeronika Telychko
PicassoLoader and Cobalt Strike Beacon Detection: UAC-0057 aka GhostWriter Hacking Group Attacks the Ukrainian Leading Military Educational Institution
Cobalt Strike PicassoLoader Ghostwriter
2023-06-15eSentireRussianPanda
eSentire Threat Intelligence Malware Analysis: Resident Campaign
Cobalt Strike Resident Rhadamanthys WarmCookie
2023-06-10The DFIR ReportThe DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
BlackCat Cobalt Strike IcedID
2023-06-08VMRayPatrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver
2023-06-08Twitter (@embee_research)Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-05-11cocomelonccocomelonc
Malware development trick - part 28: Dump lsass.exe. Simple C++ example.
Cobalt Strike APT3 Keylogger
2023-04-20SecureworksCounter Threat Unit ResearchTeam
Bumblebee Malware Distributed Via Trojanized Installer Downloads
BumbleBee Cobalt Strike
2023-04-20Github (dodo-sec)dodo-sec
An analysis of syscall usage in Cobalt Strike Beacons
Cobalt Strike
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-03The DFIR ReportThe DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-30Recorded FutureInsikt Group
With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets
KEYPLUG Cobalt Strike PlugX RedGolf
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-03-28ExaTrackExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2023-03-10Medium walmartglobaltechJason Reaves, Joshua Platt
From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-03-01ZscalerMeghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer
2023-02-23BitdefenderBitdefender Team, Martin Zugec
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel
2023-02-22SymantecSymantec Threat Hunter Team
Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia
Cobalt Strike
2023-02-14CybereasonCybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC
2023-02-13KrollLaurie Iacono, Stephen Green
Royal Ransomware Deep Dive
Cobalt Strike Royal Ransom
2023-02-13AhnLabkingkimgim
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Godzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit
2023-02-08Trend MicroTed Lee
Earth Zhulong: Familiar Patterns Target Southeast Asian Firms
Cobalt Strike MACAMAX 1937CN
2023-02-03MandiantGenevieve Stark, Kimberly Goody
Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike
2023-02-02KrollElio Biasiotto, Stephen Green
Hive Ransomware Technical Analysis and Initial Access Discovery
BATLOADER Cobalt Strike Hive
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-24FortinetGeri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-16IntrinsecIntrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC
2023-01-05SymantecThreat Hunter Team
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
CloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle
2022-12-15MandiantMandiant
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
Cobalt Strike STOWAWAY
2022-12-08Cisco TalosTiago Pereira
Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport
2022-12-06EuRepoCCamille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-12-02Palo Alto Networks Unit 42Bob Jung, Dominik Reichel, Esmid Idrizovic
Blowing Cobalt Strike Out of the Water With Memory Analysis
Cobalt Strike
2022-11-15SOC PrimeVeronika Telychko
Somnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains
Cobalt Strike Vidar UAC-0118
2022-11-09Trend MicroHara Hiroaki, Ted Lee
Hack the Real Box: APT41’s New Subgroup Earth Longzhi
Cobalt Strike MimiKatz Earth Longzhi
2022-11-03paloalto Netoworks: Unit42Chris Navarrete, Durgesh Sangvikar, Matthew Tennis, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
Cobalt Strike
2022-11-03Github (chronicle)Chronicle
GCTI Open Source Detection Signatures
Cobalt Strike Sliver
2022-11-03Group-IBRustam Mirkasymov
Financially motivated, dangerously activated: OPERA1ER APT in Africa
Cobalt Strike Common Raven
2022-10-31CynetMax Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-13MicrosoftMicrosoft Threat Hunting, MSRC Team
Hunting for Cobalt Strike: Mining and plotting for fun and profit
Cobalt Strike
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-10-03Check PointMarc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-10-03Trend MicroJaromír Hořejší, Joseph Chen
Water Labbu Abuses Malicious DApps to Steal Cryptocurrency
Cobalt Strike Water Labbu
2022-09-26The DFIR ReportThe DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter
2022-09-25YouTube (Arda Büyükkaya)Arda Büyükkaya
Cobalt Strike Shellcode Loader With Rust (YouTube)
Cobalt Strike
2022-09-13AdvIntelAdvanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot
2022-09-12The DFIR ReportThe DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet
2022-09-07GoogleGoogle Threat Analysis Group, Pierre-Marc Bureau
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID
2022-09-07cybleCyble
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike
2022-09-06Didier StevensDidier Stevens
An Obfuscated Beacon – Extra XOR Layer
Cobalt Strike
2022-09-06CISACISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-09-06cocomelonccocomelonc
Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni
2022-09-06INCIBE-CERTINCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-09-01Trend MicroTrend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-09-01Medium michaelkoczwaraMichael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-08-30eSentireeSentire Threat Response Unit (TRU)
Hacker Infrastructure Used in Cisco Breach Discovered Attacking a Top Workforce Management Corporation & an Affiliate of Russia’s Evil Corp Gang Suspected, Reports eSentire
Cobalt Strike FiveHands UNC2447
2022-08-25SentinelOneJim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky Cobalt Strike JuicyPotato
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-19nccgroupRoss Inman
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit
2022-08-18Group-IBNikita Rostovtsev
APT41 World Tour 2021 on a tight schedule
Cobalt Strike
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18SophosSean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT
2022-08-18NSFOCUSNSFOCUS
New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy
Cobalt Strike
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-17CybereasonCybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike
2022-08-17SecureworksCounter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer
2022-08-12SANS ISCBrad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-08-11Malcatmalcat team
LNK forensic and config extraction of a cobalt strike beacon
Cobalt Strike
2022-08-11SecurityScorecardRobert Ames
The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit
2022-08-10WeixinRed Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike
2022-08-08The DFIR ReportThe DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike
2022-08-04YouTube (Arda Büyükkaya)Arda Büyükkaya
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit
2022-08-03Palo Alto Networks Unit 42Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-08-02Cisco TalosAsheer Malhotra, Vitor Ventura
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka
2022-07-30cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector
2022-07-28SentinelOneJames Haughom, Julien Reisdorffer, Júlio Dantas
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit
2022-07-27Trend MicroBuddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-07-27ReversingLabsJoseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz
2022-07-27cybleCyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot
2022-07-22Binary NinjaXusheng Li
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
Cobalt Strike
2022-07-20NVISO LabsSasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike
2022-07-20Advanced IntelligenceMarley Smith, Vitali Kremez, Yelisey Boguslavskiy
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion
Cobalt Strike
2022-07-20U.S. Cyber CommandCyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-20MandiantMandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor
2022-07-19Palo Alto Networks Unit 42Mike Harbison, Peter Renals
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Cobalt Strike EnvyScout Gdrive
2022-07-18Palo Alto Networks Unit 42Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus
2022-07-18CensysCensys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike DeimosC2 MimiKatz PoshC2
2022-07-13Malwarebytes LabsHossein Jazi, Roberto Santos
Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
Cobalt Strike
2022-07-13Palo Alto Networks Unit 42Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike
2022-07-11Cert-UACert-UA
UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)
Cobalt Strike
2022-07-07SANS ISCBrad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet
2022-07-07IBMCharlotte Hammond, Kat Weinberger, Ole Villadsen
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-06Cert-UACert-UA
UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)
Cobalt Strike
2022-06-30Trend MicroEmmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-28LumenBlack Lotus Labs
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
ZuoRAT Cobalt Strike
2022-06-27Kaspersky ICS CERTArtem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad
2022-06-26BushidoToken
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Cobalt Strike CredoMap EnvyScout
2022-06-23cybleCyble Research Labs
Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus
2022-06-23SecureworksCounter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-06-21Cisco TalosChris Neal, Flavio Costa, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz
2022-06-20Cert-UACert-UA
UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)
Cobalt Strike
2022-06-17SANS ISCBrad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus
2022-06-11Twitter (@MsftSecIntel)Microsoft Threat Intelligence
Tweet on DEV-0401, DEV-0234 exploiting Confluence RCE CVE-2022-26134
Kinsing Mirai Cobalt Strike Lilac Typhoon
2022-06-07AdvIntelMarley Smith, Vitali Kremez, Yelisey Boguslavskiy
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike
2022-06-07cybleCyble
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike
2022-06-06TrellixTrelix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65
2022-06-04kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] CobaltStrike SMB Beacon Analysis
Cobalt Strike
2022-06-03AttackIQAttackIQ Adversary Research Team, Jackson Wells
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz
2022-06-02MandiantMandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-06-02MandiantMandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-06-01ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-05-25Medium walmartglobaltechJason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-05-24BitSightBitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-24The Hacker NewsFlorian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-22R136a1Dominik Reichel
Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus
2022-05-20CybleincCyble
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon
Cobalt Strike
2022-05-20AhnLabASEC
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide
2022-05-20sonatypeAx Sharma
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Cobalt Strike
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-18PRODAFT Threat IntelligencePRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti WIZARD SPIDER
2022-05-17Trend MicroTrend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-12Red CanaryLauren Podber, Tony Lambert
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike
2022-05-12Red CanaryLauren Podber, Tony Lambert
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike
2022-05-12Intel 471Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-12TEAMT5Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-11NTTRyu Hiyoshi
Operation RestyLink: Targeted attack campaign targeting Japanese companies
Cobalt Strike
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-10Marco Ramilli's BlogMarco Ramilli
A Malware Analysis in RU-AU conflict
Cobalt Strike
2022-05-09TEAMT5TeamT5
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services
Cobalt Strike
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09The DFIR ReportThe DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit
2022-05-09cocomelonccocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-05-08IronNetBrent Eskridge, Joey Fitzpatrick, Michael Leardi
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine
Cobalt Strike
2022-05-06The Hacker NewsRavie Lakshmanan
This New Fileless Malware Hides Shellcode in Windows Event Logs
Cobalt Strike
2022-05-06Palo Alto Networks Unit 42Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike
2022-05-06Twitter (@MsftSecIntel)Microsoft Security Intelligence
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit
2022-05-05Cisco TalosAliza Berk, Asheer Malhotra, Jung soo An, Justin Thattil, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX PUBLOAD
2022-05-04Twitter (@felixw3000)Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-05-04KasperskyDenis Legezo
A new secret stash for “fileless” malware
Cobalt Strike
2022-05-03Cluster25Cluster25
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie
2022-05-03Recorded FutureInsikt Group®
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike EnvyScout
2022-05-03Recorded FutureInsikt Group
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike
2022-05-02MacnicaHiroshi Takeuchi
Attack Campaigns that Exploit Shortcuts and ISO Files
Cobalt Strike
2022-05-02Cisco TalosJAIME FILSON, Kendall McKay, Paul Eubanks
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-04-28PWCPWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2022-04-28MandiantAnders Vejlby, John Wolfram, Nick Simonian, Sarah Hawley, Tyler McLellan
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Cobalt Strike
2022-04-27Sentinel LABSJames Haughom, Jim Walter, Júlio Dantas
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit
2022-04-27MandiantMandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP
2022-04-27ANSSIANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-27Sentinel LABSJames Haughom, Jim Walter, Júlio Dantas
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit BRONZE STARLIGHT
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-27TrendmicroTrendmicro
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-26Trend MicroLord Alfred Remorin, Ryan Flores, Stephen Hilt
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT
2022-04-25The DFIR ReportThe DFIR Report
Quantum Ransomware
Cobalt Strike IcedID
2022-04-25MorphisecMorphisec Labs
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader
2022-04-21ZeroSecAndy Gill
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6
Cobalt Strike
2022-04-19Blake's R&Dbmcder02
Extracting Cobalt Strike from Windows Error Reporting
Cobalt Strike
2022-04-19VaronisNadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz
2022-04-18SentinelOneJames Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza
2022-04-18vanmieghemVincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Cobalt Strike
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt
2022-04-14CynetMax Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
2022-04-13ESET ResearchJean-Ian Boutin, Tomáš Procházka
ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader
2022-04-13MicrosoftMicrosoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-04-08Infinitum LabsArda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz
2022-04-07InQuestNick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-04-07splunkSplunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz
2022-04-06Github (infinitumlabs)Arda Büyükkaya
Karakurt Hacking Team Indicators of Compromise (IOC)
Cobalt Strike
2022-04-04MandiantBrendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite
2022-03-31nccgroupAlex Jessop, Nikolaos Pantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-31SC MediaSC Staff
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive
2022-03-30PrevailionPrevailion
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet
2022-03-30Bleeping ComputerBill Toulas
Phishing campaign targets Russian govt dissidents with Cobalt Strike
Unidentified PS 002 (RAT) Cobalt Strike
2022-03-29Malwarebytes LabsHossein Jazi
New spear phishing campaign targets Russian dissidents
Unidentified PS 002 (RAT) Cobalt Strike
2022-03-29SentinelOneAntonis Terefos, James Haughom, Jeff Cavanaugh, Jim Walter, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive
2022-03-28Medium walmartglobaltechJason Reaves
CobaltStrike UUID stager
Cobalt Strike
2022-03-25nccgroupYun Zheng Hu
Mining data from Cobalt Strike beacons
Cobalt Strike
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-22NVISO LabsDidier Stevens
Cobalt Strike: Overview – Part 7
Cobalt Strike
2022-03-22Red CanaryRed Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT
2022-03-21Threat PostLisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot
2022-03-21eSentireeSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-17GoogleBenoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-16SANS ISCBrad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16InfoSec Handlers Diary BlogBrad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16paloalto Netoworks: Unit42Andrew Guan, Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
Cobalt Strike
2022-03-15SentinelOneAmitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear
2022-03-15PrevailionMatt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti
2022-03-14Bleeping ComputerBill Toulas
Fake antivirus updates used to deploy Cobalt Strike in Ukraine
Cobalt Strike
2022-03-12Arash's BlogArash Parsa
Analyzing Malware with Hooks, Stomps, and Return-addresses
Cobalt Strike
2022-03-11Cert-UA
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)
Cobalt Strike
2022-03-09Bleeping ComputerIonut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-09BreachQuestBernard Silvestrini, Marco Figueroa, Napoleon Bing
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot
2022-03-08MandiantDouglas Bienstock, Geoff Ackerman, John Wolfram, Rufus Brown, Van Ta
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY
2022-03-07The DFIR ReportThe DFIR Report
2021 Year In Review
Cobalt Strike
2022-03-04TelsyTelsy
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government
Cobalt Strike
2022-03-03Trend MicroTrend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-01VirusTotalVirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-24FortinetFred Gutierrez
Nobelium Returns to the Political World Stage
Cobalt Strike
2022-02-24CynetMax Malyutin
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet
2022-02-23AdvIntelVitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti
2022-02-23SophosLabs UncutAndrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy
2022-02-23cyber.wtf blogLuca Ebach
What the Pack(er)?
Cobalt Strike Emotet
2022-02-22Bleeping ComputerBill Toulas
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2022-02-22eSentireeSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2022-02-21The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot
2022-02-21ASEC
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck
2022-02-20Medium SOCFortressSOCFortress
Detecting Cobalt Strike Beacons
Cobalt Strike
2022-02-18Huntress LabsMatthew Brennan
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
Cobalt Strike
2022-02-16Security OnionDoug Burks
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet
2022-02-15eSentireeSentire Threat Response Unit (TRU)
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet
2022-02-10CybereasonCybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-02-09vmwareVMWare
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike
2022-01-31CyberArkArash Parsa
Analyzing Malware with Hooks, Stomps and Return-addresses
Cobalt Strike
2022-01-28MorphisecMorphisec Labs
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk
Cobalt Strike
2022-01-27JSAC 2021Hajime Yanagishita, Kiyotaka Tamada, Suguru Ishimaru, You Nakatsuru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster
2022-01-26BlackberryCodi Starks, Ryan Gibson, Will Ikard
Log4U, Shell4Me
Cobalt Strike
2022-01-25CynetOrion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky
2022-01-24The DFIR ReportThe DFIR Report
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike
2022-01-20MorphisecMichael Gorelik
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike
2022-01-19SophosColin Cowie, Mat Gangwer, Sophos MTR Team, Stan Andic
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader
2022-01-19ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike
2022-01-19ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2022-01-18Recorded FutureInsikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-17Trend MicroCedric Pernet, Daniel Lunghi, Gloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2022-01-16forensicitguyTony Lambert
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike
2022-01-15Huntress LabsTeam Huntress
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)
Cobalt Strike
2022-01-11CybereasonChen Erlich, Daichi Shimabukuro, Niv Yona, Ofir Ozer, Omri Refaeli
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2022-01-11Twitter (@cglyer)Christopher Glyer
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky
2022-01-11Medium walmartglobaltechJason Reaves, Joshua Platt
Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader
2022-01-09forensicitguyTony Lambert
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike
2022-01-06Sekoiasekoia
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout
2022-01-01Silent PushSilent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti
2021-12-29Blake's R&DBlake
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike
2021-12-29CrowdStrikeBenjamin Wiley, Falcon OverWatch Team
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike
2021-12-28Morphus LabsRenato Marinho
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike
2021-12-22TelsyTelsy Research Team
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike
2021-12-16Red CanaryThe Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-12-16TEAMT5Aragorn Tseng, Charles Li, Peter Syu, Tom Lai
Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-12-10AccentureAccenture
Karakurt rises from its lair
Cobalt Strike Karakurt
2021-12-07Bleeping ComputerLawrence Abrams
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet
2021-12-06CERT-FRCERT-FR
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike
2021-12-06MandiantAshraf Abdalhalim, Ben Read, Doug Bienstock, Gabriella Roncone, Jonathan Leathery, Josh Madeley, Juraj Sucik, Luis Rocha, Luke Jenkins, Manfred Erjak, Marius Fodoreanu, Microsoft Detection and Response Team (DART), Microsoft Threat Intelligence Center (MSTIC), Mitchell Clarke, Parnian Najafi, Sarah Hawley, Wojciech Ledzion
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot
2021-12-02CERT-FRCERT-FR
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike
2021-11-30SymantecSymantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands
2021-11-29MandiantBrandan Schondorfer, Tyler McLellan
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike ROLLCOAST
2021-11-29The DFIR ReportThe DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti
2021-11-19Trend MicroAbdelrhman Sharshar, Mohamed Fahmy, Sherif Magdy
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-17Trend MicroAbdelrhman Sharshar, Mohamed Fahmy, Ryan Maglaque, Sherif Magdy
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT
2021-11-17nvisoDidier Stevens
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike
2021-11-17Twitter (@Unit42_Intel)Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-17Black Hills Information SecurityKyle Avery
DNS Over HTTPS for Cobalt Strike
Cobalt Strike
2021-11-16CiscoAsheer Malhotra, Chetan Raghuprasad, Vanja Svajcer
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike
2021-11-16BlackberryDean Given, Eoin Wickens, Jim Simpson, Marta Janus, T.J. O'Leary, Tom Bonner
Finding Beacons in the dark
Cobalt Strike
2021-11-16IronNetIronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-15TRUESECFabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-13Just StillStill Hsu
Threat Spotlight - Domain Fronting
Cobalt Strike
2021-11-12MalwarebytesHossein Jazi
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike
2021-11-11CynetMax Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-10SekoiaCyber Threat Intelligence team
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike
2021-11-10AT&TJosh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti
2021-11-09CybereasonAleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-11-05Twitter (@Unit42_Intel)Unit 42
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike
2021-11-03nvisoDidier Stevens
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike
2021-11-03Didier StevensDidier Stevens
New Tool: cs-extract-key.py
Cobalt Strike
2021-11-02Intel 471Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti
2021-11-02unh4ckCyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti
2021-11-02boschko.ca blogOlivier Laflamme
Cobalt Strike Process Injection
Cobalt Strike
2021-11-01AccentureCurt Wilson, Heather Larrieu, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz
2021-11-01The DFIR Report@iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor
2021-10-29EuropolEuropol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29Національна поліція УкраїниНаціональна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-27nvisoDidier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-26unh4ckHamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti
2021-10-26ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-21nvisoDidier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-10-18The DFIR ReportThe DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-18paloalto Netoworks: Unit42Brad Duncan
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike
2021-10-18SymantecThreat Hunter Team
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon
2021-10-14Medium walmartglobaltechJason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)
2021-10-13BlackberryBlackBerry Research & Intelligence Team
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
Cobalt Strike
2021-10-12MandiantAlyssa Rahman
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike
2021-10-11AccentureAccenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-10-080ffset BlogChuong Dong
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle
2021-10-07NetskopeGhanashyam Satpathy, Gustavo Palazolo
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-10-07MandiantMandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot
2021-10-06BlackberryBlackberry Research
Finding Beacons in the Dark
Cobalt Strike
2021-10-05BlackberryThe BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT
2021-10-04The DFIR ReportThe DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-10-04SophosChaitanya Ghorpade, Kajal Katiyar, Krisztián Diriczi, Rahil Shah, Sean Gallagher, Vikas Singh
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike
2021-10-03Github (0xjxd)Joel Dönne
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-10-010ffset BlogChuong Dong
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle
2021-09-30CrowdStrikeFalcon OverWatch Team
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike
2021-09-30PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike
2021-09-30PTSecurityPT ESC Threat Intelligence
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike
2021-09-29Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti
2021-09-29Malware Traffic AnalysisBrad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-29Malware Traffic AnalysisBrad Duncan
Hancitor with Cobalt Strike
Cobalt Strike Hancitor
2021-09-28ZscalerAvinash Kumar, Brett Stone-Gross
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-27CynetMax Malyutin
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle
2021-09-26NSFOCUSJie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-09-24Trend MicroWarren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz
2021-09-22CISAUS-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti
2021-09-21Medium elis531989Eli Salem
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle
2021-09-21GuidePoint SecurityDrew Schmitt
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike
2021-09-21SophosAndrew Brandt, Chaitanya Ghorpade, Krisztián Diriczi, Shefali Gupta, Vikas Singh
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring
2021-09-21skyblue.team blogskyblue team
Scanning VirusTotal's firehose
Cobalt Strike
2021-09-21eSentireeSentire
Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups
Cobalt Strike MimiKatz UNC215
2021-09-17Medium inteloperatorIntel Operator
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike
2021-09-17Malware Traffic AnalysisBrad Duncan
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle
2021-09-17CrowdStrikeFalcon OverWatch Team
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike
2021-09-16RiskIQRiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk
2021-09-16Medium ShabarkinPavel Shabarkin
Pointer: Hunting Cobalt Strike globally
Cobalt Strike
2021-09-16Twitter (@GossiTheDog)Kevin Beaumont
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot
2021-09-15MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike
2021-09-14Recorded FutureInsikt Group®
Full-Spectrum Cobalt Strike Detection
Cobalt Strike
2021-09-13The DFIR ReportThe DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-12Medium michaelkoczwaraMichael Koczwara
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
Cobalt Strike
2021-09-10GigamonJoe Slowik
Rendering Threats: A Network Perspective
BumbleBee Cobalt Strike
2021-09-09Trend MicroTrend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
BumbleBee Cobalt Strike
2021-09-08Arash's BlogArash Parsa
Hook Heaps and Live Free
Cobalt Strike
2021-09-07Medium michaelkoczwaraMichael Koczwara
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike
2021-09-06kienmanowar Blogm4n0w4r
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike
2021-09-03SophosAnand Ajjan, Andrew Ludgate, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Zaidi
Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
Cobalt Strike Conti
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-02Twitter (@th3_protoCOL)Colin, GaborSzappanos
Tweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in replies by GaborSzappanos)
Cobalt Strike
2021-09-02Medium michaelkoczwaraMichael Koczwara
Cobalt Strike PowerShell Payload Analysis
Cobalt Strike
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-08-31BreakPoint LabsBreakPoint Labs
Cobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign
Cobalt Strike
2021-08-30QianxinRed Raindrop Team
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz
2021-08-29The DFIR ReportThe DFIR Report
Cobalt Strike, a Defender’s Guide
Cobalt Strike
2021-08-27MorphisecMorphisec Labs
ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
Cobalt Strike
2021-08-27AonAon’s Cyber Labs, Noah Rubin
Cobalt Strike Configuration Extractor and Parser
Cobalt Strike
2021-08-25Trend MicroHara Hiroaki, Ted Lee
Earth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor
Cobalt Strike DUSTPAN SideWalk
2021-08-24ESET ResearchMathieu Tartare, Thibaut Passilly
The SideWalk may be as dangerous as the CROSSWALK
Cobalt Strike CROSSWALK SideWalk SparklingGoblin
2021-08-24Trend MicroHara Hiroaki, Ted Lee
Earth Baku Returns
Cobalt Strike CROSSWALK DUSTPAN SideWalk
2021-08-23FBIFBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz
2021-08-23Youtube (SANS Digital Forensics and Incident Response)Chad Tilbury
Keynote: Cobalt Strike Threat Hunting
Cobalt Strike
2021-08-19BlackberryBlackBerry Research & Intelligence Team
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex TA575
2021-08-19Sekoiasekoia
An insider insights into Conti operations – Part two
Cobalt Strike Conti
2021-08-18IntezerRyan Robinson
Cobalt Strike: Detect this Persistent Threat
Cobalt Strike
2021-08-17Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
Hunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration
Cobalt Strike Conti
2021-08-17Sekoiasekoia
An insider insights into Conti operations – Part one
Cobalt Strike Conti
2021-08-17Medium michaelkoczwaraMichael Koczwara
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
Cobalt Strike
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-11Advanced IntelligenceVitali Kremez
Secret "Backdoor" Behind Conti Ransomware Operation: Introducing Atera Agent
Cobalt Strike Conti
2021-08-09IstroSecLadislav Bačo
APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)
Cobalt Strike
2021-08-05SecureworksCounter Threat Unit ResearchTeam
Detecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)
Cobalt Strike
2021-08-05Red CanaryBrian Donohue, Dan Cotton, Tony Lambert
When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer
2021-08-04SecureworksCounter Threat Unit ResearchTeam
Detecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)
Cobalt Strike
2021-08-04Sentinel LABSGal Kristal
Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations
Cobalt Strike
2021-08-04CrowdStrikeCrowdStrike Intelligence Team, CrowdStrike IR, Falcon OverWatch Team
PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity
Cobalt Strike Egregor Mount Locker Prophet Spider
2021-08-03CybereasonAssaf Dahan, Daniel Frank, Lior Rochberger, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae
2021-08-02Youtube (Forschungsinstitut Cyber Defense)Alexander Rausch, Konstantin Klinger
The CODE 2021: Workshop presentation and demonstration about CobaltStrike
Cobalt Strike
2021-08-01The DFIR ReportThe DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30Twitter (@Unit42_Intel)Unit 42
Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike
2021-07-29Rasta MouseRasta Mouse
NTLM Relaying via Cobalt Strike
Cobalt Strike
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike
2021-07-27BlackberryBlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-25Medium svch0stsvch0st
Guide to Named Pipes and Hunting for Cobalt Strike Pipes
Cobalt Strike
2021-07-22Medium michaelkoczwaraMichael Koczwara
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Cobalt Strike
2021-07-19The DFIR ReportThe DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-14KasperskyAseel Kayal, Mark Lechtik, Paul Rascagnères
LuminousMoth APT: Sweeping attacks for the chosen few
Cobalt Strike
2021-07-14MDSecChris Basnett
Investigating a Suspicious Service
Cobalt Strike
2021-07-14GoogleClement Lecigne, Google Threat Analysis Group, Maddie Stone
How We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-1879)
Cobalt Strike
2021-07-13YouTube ( Matt Soseman)Matt Soseman
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
Hancitor tries XLL as initial malware file
Cobalt Strike Hancitor
2021-07-08Avast DecodedThreat Intelligence Team
Decoding Cobalt Strike: Understanding Payloads
Cobalt Strike Empire Downloader
2021-07-08Recorded FutureInsikt Group
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
Cobalt Strike Earth Lusca
2021-07-07TrustwaveNikita Kazymirskyi, Rodel Mendrez
Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
Cobalt Strike REvil
2021-07-07McAfeeMcAfee Labs
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk
2021-07-07Trend MicroGloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi
2021-07-06Twitter (@MBThreatIntel)Malwarebytes Threat Intelligence
Tweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike
Cobalt Strike
2021-07-05Trend MicroAbraham Camba, Buddy Tancio, Catherine Loveria, Ryan Maglaque
Tracking Cobalt Strike: A Trend Micro Vision One Investigation
Cobalt Strike
2021-07-03Medium AK1001AK1001
Analyzing Cobalt Strike PowerShell Payload
Cobalt Strike
2021-07-02MalwareBookReportsmuzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-07-01The RecordCatalin Cimpanu
Mongolian certificate authority hacked eight times, compromised with malware
Cobalt Strike
2021-07-01Avast DecodedIgor Morgenstern, Jan Vojtěšek, Luigino Camastra
Backdoored Client from Mongolian CA MonPass
Cobalt Strike FishMaster
2021-07-01Avast DecodedIgor Morgenstern, Jan Vojtěšek, Luigino Camastra
Backdoored Client from Mongolian CA MonPass
Cobalt Strike Earth Lusca
2021-06-30Group-IBOleg Skulkin
REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs
Cobalt Strike REvil
2021-06-29ProofpointDaniel Blackford, Selena Larson
Cobalt Strike: Favorite Tool from APT to Crimeware
Cobalt Strike
2021-06-29AccentureAccenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz
2021-06-28The DFIR ReportThe DFIR Report
Hancitor Continues to Push Cobalt Strike
Cobalt Strike Hancitor
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, dao ming si, Kirk Sayre
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-22CrowdStrikeThe Falcon Complete Team
Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
Cobalt Strike
2021-06-20The DFIR ReportThe DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-18SecurityScorecardRyan Sherstobitoff
SecurityScorecard Finds USAID Hack Much Larger Than Initially Thought
Cobalt Strike
2021-06-17Binary DefenseBrandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-06-16Національної поліції УкраїниНаціональна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-16FireEyeJared Wilson, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-16MandiantJared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM
2021-06-15SecureworksCounter Threat Unit ResearchTeam
Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
Cobalt Strike Hades
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-06-10Group-IBNikita Rostovcev
Big airline heist APT41 likely behind massive supply chain attack
Cobalt Strike
2021-06-09Twitter (@RedDrip7)RedDrip7
Tweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)
Cobalt Strike
2021-06-04InkyRoger Kay
Colonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts
Cobalt Strike
2021-06-04Twitter (@alex_lanstein)Alex Lanstein
Tweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-​2021-1879
Cobalt Strike
2021-06-02Medium CyCraftCyCraft Technology Corp
China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Cobalt Strike ColdLock
2021-06-02SophosSean Gallagher
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-06-01SentinelOneJuan Andrés Guerrero-Saade
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
Cobalt Strike
2021-06-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
New sophisticated email-based attack from NOBELIUM
Cobalt Strike
2021-06-01Department of JusticeOffice of Public Affairs
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development
Cobalt Strike
2021-06-01SANSJake Williams, Kevin Haley
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-05-29Twitter (@elisalem9)Eli Salem
Tweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by NOBELIUM/UNC2452
Cobalt Strike
2021-05-28CISAUS-CERT
Malware Analysis Report (AR21-148A): Cobalt Strike Beacon
Cobalt Strike
2021-05-28CISAUS-CERT
Alert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
Cobalt Strike
2021-05-28MicrosoftMicrosoft Threat Intelligence Center (MSTIC)
Breaking down NOBELIUM’s latest early-stage toolset
BOOMBOX Cobalt Strike
2021-05-27VolexityDamien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
Cobalt Strike
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-25Huntress LabsMatthew Brennan
Cobalt Strikes Again: An Analysis of Obfuscated Malware
Cobalt Strike
2021-05-21blackarrowPablo Ambite
Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Cobalt Strike
2021-05-21LACYoshihiro Ishikawa
Targeted attack by 'Cobalt Strike loader' that exploits Microsoft's digital signature-Attacker group APT41
Cobalt Strike DUSTPAN
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-19Medium Mehmet ErgeneMehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
Cobalt Strike
2021-05-18SophosGreg Iddon, John Shier, Mat Gangwer, Peter Mackenzie
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-17TalosBrad Garnett
Case Study: Incident Response is a relationship-driven business
Cobalt Strike
2021-05-16NCSC IrelandNCSC Ireland
Ransomware Attack on Health Sector - UPDATE 2021-05-16
Cobalt Strike Conti
2021-05-14Blue Team BlogAuth 0r
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide
2021-05-14GuidePoint SecurityDrew Schmitt
From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader
2021-05-13AWAKEKieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-12The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-12Medium Mehmet ErgeneMehmet Ergene
Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1
Cobalt Strike
2021-05-11FireEyeAlyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy Kennelly, Jordan Nuce, Kimberly Goody
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide
2021-05-11Mal-Eatsmal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10ZERO.BSZEROBS
Cobaltstrike-Beacons analyzed
Cobalt Strike
2021-05-10Mal-Eatsmal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-07Medium svch0stsvch0st
Stats from Hunting Cobalt Strike Beacons
Cobalt Strike
2021-05-07TEAMT5Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-05-07SophosLabs UncutRajesh Nataraj
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07Cisco TalosAndrew Windsor, Caitlin Huey, Edmund Brumaghin
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-05SophosLabs UncutAndrew Brandt, Gabor Szappanos, Peter Mackenzie, Vikas Singh
Intervention halts a ProxyLogon-enabled attack
Cobalt Strike
2021-05-05TRUESECMattias Wåhlén
Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
Cobalt Strike Hades WastedLocker
2021-05-04Medium sergiusechelSergiu Sechel
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Cobalt Strike
2021-05-02The DFIR ReportThe DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot
2021-04-29NTTThreat Detection NTT Ltd.
The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-04-29FireEyeJustin Moore, Raymond Leong, Tyler McLellan
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
Cobalt Strike FiveHands HelloKitty
2021-04-27Trend MicroJanus Agcaoili
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike
2021-04-27Trend MicroEarle Earnshaw, Janus Agcaoili
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz
2021-04-26getrevueTwitter (@80vul)
Hunting Cobalt Strike DNS redirectors by using ZoomEye
Cobalt Strike
2021-04-26nvisoMaxime Thiebaut
Anatomy of Cobalt Strike’s DLL Stager
Cobalt Strike
2021-04-24Non-offensive securityNon-offensive security team
Detect Cobalt Strike server through DNS protocol
Cobalt Strike
2021-04-23Twitter (@vikas891)Vikas Singh
Tweet on DOPPEL SPIDER using Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals
Cobalt Strike DoppelPaymer
2021-04-22Twitter (@AltShiftPrtScn)Peter Mackenzie
Twwet On TTPs seen in IR used by DOPPEL SPIDER
Cobalt Strike DoppelPaymer
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-20Medium walmartglobaltechJason Reaves
CobaltStrike Stager Utilizing Floating Point Math
Cobalt Strike
2021-04-19NetresecErik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-18YouTube (dist67)Didier Stevens
Decoding Cobalt Strike Traffic
Cobalt Strike
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-12IndeChris Campbell
A Different Kind of Zoombomb
Cobalt Strike
2021-04-09F-SecureGiulio Ginesi, Riccardo Ancarani
Detecting Exposed Cobalt Strike DNS Redirectors
Cobalt Strike
2021-04-07Medium sixdubJustin Warner
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs
Cobalt Strike
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-04-01DomainToolsJoe Slowik
COVID-19 Phishing With a Side of Cobalt Strike
Cobalt Strike
2021-04-01Palo Alto Networks Unit 42Brad Duncan
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
Cobalt Strike Hancitor Moskalvzapoe
2021-03-31Red CanaryRed Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-30GuidePoint SecurityDrew Schmitt
Yet Another Cobalt Strike Stager: GUID Edition
Cobalt Strike
2021-03-29The DFIR ReportThe DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-21BlackberryBlackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-21YouTube (dist67)Didier Stevens
Finding Metasploit & Cobalt Strike URLs
Cobalt Strike
2021-03-18PRODAFT Threat IntelligencePRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-18DeepInstinctBen Gross
Cobalt Strike – Post-Exploitation Attackers Toolkit
Cobalt Strike
2021-03-16McAfeeMcAfee ATR
Technical Analysis of Operation Diànxùn
Cobalt Strike
2021-03-16ElasticJoe Desimone
Detecting Cobalt Strike with memory signatures
Cobalt Strike
2021-03-11Cyborg SecurityJosh Campbell
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat
2021-03-11QuriumQurium
Myanmar – Multi-stage malware attack targets elected lawmakers
Cobalt Strike
2021-03-10ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
NimzaLoader: TA800’s New Initial Access Malware
BazarNimrod Cobalt Strike
2021-03-09splunkSecurity Research Team
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Cobalt Strike
2021-03-08The DFIR ReportThe DFIR Report
Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Adam Pennington, Jen Burns, Katie Nickels
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-07InfoSec Handlers Diary BlogDidier Stevens
PCAPs and Beacons
Cobalt Strike
2021-03-01Medium walmartglobaltechJason Reaves, Joshua Platt
Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03-01Medium walmartglobaltechJason Reaves, Joshua Platt
Investigation into the state of Nim malware
BazarNimrod Cobalt Strike
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25FireEyeBrendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-24Github (AmnestyTech)Amnesty International
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown
2021-02-24VMWare Carbon BlackTakahiro Haruyama
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor
2021-02-09SecurehatSecurehat
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP
2021-02-09Cobalt StrikeRaphael Mudge
Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2021-02-02Committee to Protect JournalistsMadeline Earp
How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01pkb1s.github.ioPetros Koutroumpis
Relay Attacks via Cobalt Strike Beacons
Cobalt Strike
2021-02-01AhnLabASEC Analysis Team
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil
2021-01-31The DFIR ReportThe DFIR Report
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28TrustedSecAdam Chester
Tailoring Cobalt Strike on Target
Cobalt Strike
2021-01-28AhnLabASEC Analysis Team
BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Cyber Defense Operations Center (CDOC), Microsoft Threat Intelligence Center (MSTIC)
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-18SymantecThreat Hunter Team
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-17Twitter (@AltShiftPrtScn)Peter Mackenzie
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti
2021-01-15Medium DansecDan Lussier
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike
2021-01-14PTSecurityPT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-12Fox-ITWouter Jansen
Abusing cloud services to fly under the radar
Cobalt Strike
2021-01-11The DFIR ReportThe DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-11SolarWindsSudhakar Ramakrishna
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-10Medium walmartglobaltechJason Reaves
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Moskalvzapoe
2021-01-09Connor McGarr's BlogConnor McGarr
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-07Recorded FutureInsikt Group®
Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-05Trend MicroTrend Micro Research
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike Earth Wendigo
2021-01-04Medium haggis-mMichael Haag
Malleable C2 Profiles and You
Cobalt Strike
2021-01-01TalosTalos Incident Response
Cobalt Strikes Out
Cobalt Strike
2021-01-01TalosTalos Incident Response
Evicting Maze
Cobalt Strike Maze
2021-01-01SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL
2021-01-01MandiantMandiant
M-TRENDS 2021
Cobalt Strike SUNBURST
2021-01-01Github (WBGlIl)WBGlIl
A book on cobaltstrike
Cobalt Strike
2021-01-01SymantecSymantec Threat Hunter Team
Supply Chain Attacks:Cyber Criminals Target the Weakest Link
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-01AWAKEAwake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2020-12-26Medium grimminckStefan Grimminck
Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike
2020-12-22TRUESECMattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-12-21FortinetUdi Yavo
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-20RandhomeEtienne Maynier
Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike
2020-12-15Github (sophos-cybersecurity)Sophos Cyber Security Team
solarwinds-threathunt
Cobalt Strike SUNBURST
2020-12-15PICUS SecuritySüleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST
2020-12-14Palo Alto Networks Unit 42Unit 42
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST
2020-12-11BlackberryBlackBerry Research and Intelligence team
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker
2020-12-10Intel 471Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10Palo Alto Networks Unit 42Unit42
Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike
2020-12-09CiscoCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-09FireEyeMitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-08Cobalt StrikeRaphael Mudge
A Red Teamer Plays with JARM
Cobalt Strike
2020-12-02Red Canarytwitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01mez0.ccmez0
Cobalt Strike PowerShell Execution
Cobalt Strike
2020-12-01360.cnjindanlong
Hunting Beacons
Cobalt Strike
2020-11-30MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike
2020-11-30FireEyeMitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27MacnicaHiroshi Takeuchi
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-26CybereasonCybereason Nocturnus, Lior Rochberger
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-25SentinelOneJim Walter
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor
2020-11-20360 netlabJiaYu
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike
2020-11-20F-Secure LabsRiccardo Ancarani
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-17cybleCyble
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-11-17Salesforce EngineeringJohn Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-15TrustnetMichael Wainshtain
From virus alert to PowerShell Encrypted Loader
Cobalt Strike
2020-11-09Bleeping ComputerIonut Ilascu
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-06Cobalt StrikeRaphael Mudge
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike
2020-11-06Advanced IntelligenceVitali Kremez
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-06VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32
2020-11-06Palo Alto Networks Unit 42CRYPSIS, Drew Schmitt, Ryan Tracey
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-05The DFIR ReportThe DFIR Report
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-05Twitter (@ffforward)TheAnalyst
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-04VMRayGiovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-11-03InfoSec Handlers Diary BlogRenato Marinho
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-30YouTube (Kaspersky Tech)Kris McConkey
Around the world in 80 days 4.2bn packets
Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
2020-10-29Github (Swisscom)Swisscom CSIRT
List of CobaltStrike C2's used by RYUK
Cobalt Strike
2020-10-29Red CanaryThe Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29RiskIQRiskIQ
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-28FireEyeDouglas Bienstock, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Steve Elovitz
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-27Sophos Managed Threat Response (MTR)Greg Iddon
MTR Casebook: An active adversary caught in the act
Cobalt Strike
2020-10-18The DFIR ReportThe DFIR Report
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-14SophosSean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-14RiskIQJon Gross, Steve Ginty
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-11Github (StrangerealIntel)StrangerealIntel
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-08The DFIR ReportThe DFIR Report
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-08Bayerischer RundfunkAnn-Kathrin Wetter, Hakan Tanriverdi, Kai Biermann, Max Zierer, Thi Do Nguyen
There is no safe place
Cobalt Strike
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-01US-CERTUS-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-10-01WiredAndy Greenberg
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-09-29CrowdStrikeKareem Hamdan, Lucas Miller
Getting the Bacon from the Beacon
Cobalt Strike
2020-09-29Github (Apr4h)Apra
CobaltStrikeScan
Cobalt Strike
2020-09-24US-CERTUS-CERT
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2020-09-22vmwareOmar Elgebaly, Takahiro Haruyama
Detecting Threats in Real-time With Active C2 Information
Agent.BTZ Cobalt Strike Dacls NetWire RC PoshC2 Winnti
2020-09-21Cisco TalosJoe Marshall, JON MUNSHAW, Nick Mavis
The art and science of detecting Cobalt Strike
Cobalt Strike
2020-09-18Trend MicroTrend Micro
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock
2020-09-03Viettel Cybersecurityvuonglvm
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike
2020-09-01Cisco TalosCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-31The DFIR ReportThe DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-20Seebug PaperMalayke
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2
2020-08-19TEAMT5TeamT5
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear
2020-08-14Twitter (@VK_intel)Vitali Kremez
Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader
2020-08-06WiredAndy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-26Shells.System blogAskar
In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike
2020-07-22On the HuntNewton Paul
Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike
2020-07-21MalwarebytesHossein Jazi, Jérôme Segura
Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot Evasive Panda
2020-07-07MWLabLadislav Bačo
Cobalt Strike stagers used by FIN6
Cobalt Strike
2020-07-01ContextisLampros Noutsos, Oliver Fay
DLL Search Order Hijacking
Cobalt Strike PlugX
2020-06-23SymantecCritical Attack Discovery and Intelligence Team
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil
2020-06-23NCC GroupMichael Sandee, Nikolaos Pantazopoulos, Stefano Antenucci
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-06-22Sentinel LABSJason Reaves, Joshua Platt
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-22Talos IntelligenceAsheer Malhotra
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop
2020-06-19ZscalerAtinderpal Singh, Nirmal Singh, Sahil Antil
Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike
2020-06-19Youtube (Raphael Mudge)Raphael Mudge
Beacon Object Files - Luser Demo
Cobalt Strike
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-06-17MalwarebytesHossein Jazi, Jérôme Segura
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike
2020-06-15NCC GroupExploit Development Group
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike
2020-06-09Github (Sentinel-One)Gal Kristal
CobaltStrikeParser
Cobalt Strike
2020-05-14Lab52Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-11SentinelOneGal Kristal
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike
2020-04-24The DFIR ReportThe DFIR Report
Ursnif via LOLbins
Cobalt Strike LOLSnif TeamSpy
2020-04-16Medium CyCraftCyCraft Technology Corp
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Red Charon
2020-04-02DarktraceMax Heinemeyer
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike
2020-03-26VMWare Carbon BlackScott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-03-25Wilbur SecurityJW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-25FireEyeChristopher Glyer, Dan Perez, Sarah Jones, Steve Miller
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike
2020-03-22Malware and StuffAndreas Klopsch
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike
2020-03-20RECON INFOSECLuke Rusten
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike
2020-03-04Cobalt StrikeRaphael Mudge
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-20McAfeeChristiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-02-19FireEyeFireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Trend MicroCedric Pernet, Daniel Lunghi, Jamz Yaneza, Kenney Lu
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-18Cisco TalosVanja Svajcer
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01SecureworksSecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2020-01-01SecureworksSecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA
2020-01-01SecureworksSecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2020-01-01SecureworksSecureWorks
GOLD DUPONT
Cobalt Strike Defray PyXie GOLD DUPONT
2020-01-01SecureworksSecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020-01-01SecureworksSecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2020-01-01SecureworksSecureWorks
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2020-01-01SecureworksSecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-05Raphael Mudge
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike
2019-12-05Github (blackorbird)blackorbird
APT32 Report
Cobalt Strike
2019-11-29DeloitteThomas Thomasen
Cyber Threat Intelligence & Incident Response
Cobalt Strike
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-05tccontre Blogtccontre
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike
2019-09-23MITREMITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-09-22Check Point ResearchCheck Point Research
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-06-13Sekoiasekoia
Hunting and detecting Cobalt Strike
Cobalt Strike
2019-06-04BitdefenderBitdefender
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-04-24WeixinTencent
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE
2019-04-15PenTestPartnersNeil Lines
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike
2019-04-01Macnica NetworksMacnica Networks
OceanLotus Attack on Southeast Asian Automotive Industry
CACTUSTORCH Cobalt Strike
2019-04-01Macnica NetworksMacnica Networks
Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-03-24One Night in NorfolkKevin Perlow
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown
2019-02-27MorphisecAlon Groisman, Michael Gorelik
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike
2019-02-26Fox-ITFox IT
Identifying Cobalt Strike team servers in the wild
Cobalt Strike
2018-11-19FireEyeAndrew Thompson, Ben Withnell, Jonathan Leathery, Matthew Dunwoody, Michael Matonis, Nick Carr
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike
2018-11-18Stranded on Pylos BlogJoe
CozyBear – In from the Cold?
Cobalt Strike APT29
2018-10-01FireEyeKatie Nickels, Regina Elwell
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2018-10-01Macnica NetworksMacnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-10-01Group-IBGroup-IB
Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2018-08-03JPCERT/CCTakuya Endo, Yukako Uchida
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike
2018-07-31Github (JPCERTCC)JPCERT/CC
Scanner for CobaltStrike
Cobalt Strike
2018-05-21LACYoshihiro Ishikawa
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike
2017-06-06FireEyeIan Ahl
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike
2017-06-06MandiantIan Ahl
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike APT19
2017-04-26Youtube (Kaspersky)Kaspersky
China's Evolving Cyber Operations: A Look into APT19's Shift in Tactics
Cobalt Strike APT19
2016-10-11SymantecSymantec Security Response
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff
2012-01-01Cobalt StrikeCobalt Strike
Cobalt Strike Website
Cobalt Strike
Yara Rules
[TLP:WHITE] win_cobalt_strike_auto (20241030 | Detects win.cobalt_strike.)
rule win_cobalt_strike_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.cobalt_strike."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? eb0a b801000000 e9???????? }
            // n = 4, score = 2000
            //   e9????????           |                     
            //   eb0a                 | dec                 eax
            //   b801000000           | mov                 edx, dword ptr [esp]
            //   e9????????           |                     

        $sequence_1 = { 3bc7 750d ff15???????? 3d33270000 }
            // n = 4, score = 2000
            //   3bc7                 | dec                 eax
            //   750d                 | mov                 dword ptr [esp + 0x30], eax
            //   ff15????????         |                     
            //   3d33270000           | jmp                 0x6e

        $sequence_2 = { ff30 4f ff15???????? 83c604 8b06 }
            // n = 5, score = 1200
            //   ff30                 | dec                 eax
            //   4f                   | arpl                word ptr [eax + 0x3c], ax
            //   ff15????????         |                     
            //   83c604               | dec                 eax
            //   8b06                 | mov                 dword ptr [esp + 0x28], eax

        $sequence_3 = { ff30 8b35???????? e8???????? eb17 }
            // n = 4, score = 1200
            //   ff30                 | push                edi
            //   8b35????????         |                     
            //   e8????????           |                     
            //   eb17                 | push                dword ptr [ebp - 4]

        $sequence_4 = { eb0b 391f 7504 83670400 8b7f20 85ff 75f1 }
            // n = 7, score = 1200
            //   eb0b                 | add                 esi, 4
            //   391f                 | mov                 eax, dword ptr [esi]
            //   7504                 | pop                 ecx
            //   83670400             | test                edi, edi
            //   8b7f20               | jmp                 0xd
            //   85ff                 | mov                 eax, dword ptr [ebp - 0x2c]
            //   75f1                 | add                 eax, 0x10

        $sequence_5 = { eb0b 8b45d4 83c010 8945d4 eb84 e9???????? }
            // n = 6, score = 1200
            //   eb0b                 | dec                 eax
            //   8b45d4               | mov                 dword ptr [esp + 0x28], eax
            //   83c010               | cmp                 eax, edi
            //   8945d4               | jne                 0xf
            //   eb84                 | cmp                 eax, 0x2733
            //   e9????????           |                     

        $sequence_6 = { e8???????? 8bf8 59 59 85ff 7408 ff36 }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   8bf8                 | movzx               edx, word ptr [edx]
            //   59                   | and                 dx, cx
            //   59                   | movzx               ecx, dx
            //   85ff                 | movzx               ecx, cx
            //   7408                 | dec                 eax
            //   ff36                 | mov                 edx, dword ptr [esp + 8]

        $sequence_7 = { e8???????? ff75fc ff15???????? 03fe 2bf8 57 ff75fc }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   ff75fc               | add                 esi, 4
            //   ff15????????         |                     
            //   03fe                 | mov                 eax, dword ptr [esi]
            //   2bf8                 | push                dword ptr [eax]
            //   57                   | dec                 edi
            //   ff75fc               | add                 esi, 4

        $sequence_8 = { ff15???????? 85c0 741d ff15???????? 85c0 }
            // n = 5, score = 1100
            //   ff15????????         |                     
            //   85c0                 | jmp                 0x1d
            //   741d                 | mov                 eax, dword ptr [ebp - 0x10f4]
            //   ff15????????         |                     
            //   85c0                 | add                 eax, 1

        $sequence_9 = { e9???????? 833d????????01 7505 e8???????? }
            // n = 4, score = 1000
            //   e9????????           |                     
            //   833d????????01       |                     
            //   7505                 | cmp                 eax, 0x2733
            //   e8????????           |                     

        $sequence_10 = { 85c0 7405 e8???????? 8b0d???????? 85c9 }
            // n = 5, score = 1000
            //   85c0                 | cmp                 eax, edi
            //   7405                 | jne                 0xf
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   85c9                 | cmp                 eax, 0x2733

        $sequence_11 = { 8bd0 e8???????? 85c0 7e0e }
            // n = 4, score = 1000
            //   8bd0                 | push                dword ptr [edi + 0x1c]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7e0e                 | jne                 0x4c

        $sequence_12 = { ffc3 413bdf 7cde 488b742428 8b85f0170000 }
            // n = 5, score = 800
            //   ffc3                 | je                  0x1f
            //   413bdf               | test                eax, eax
            //   7cde                 | je                  0x1f
            //   488b742428           | test                eax, eax
            //   8b85f0170000         | jne                 0x17

        $sequence_13 = { 81fe00000008 7607 e8???????? eb08 448bce e8???????? 8bd8 }
            // n = 7, score = 800
            //   81fe00000008         | je                  7
            //   7607                 | test                ecx, ecx
            //   e8????????           |                     
            //   eb08                 | test                eax, eax
            //   448bce               | je                  7
            //   e8????????           |                     
            //   8bd8                 | test                ecx, ecx

        $sequence_14 = { e8???????? 85c0 743d ffc3 83fb20 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   85c0                 | mov                 edx, eax
            //   743d                 | test                eax, eax
            //   ffc3                 | jle                 0x12
            //   83fb20               | test                eax, eax

        $sequence_15 = { c744242003000000 ff15???????? 488903 4883f8ff 74b2 8364246000 }
            // n = 6, score = 800
            //   c744242003000000     | je                  0x1f
            //   ff15????????         |                     
            //   488903               | test                eax, eax
            //   4883f8ff             | test                eax, eax
            //   74b2                 | je                  0x1f
            //   8364246000           | test                eax, eax

        $sequence_16 = { 817c2404fca45307 751d 488b442418 8b00 }
            // n = 4, score = 300
            //   817c2404fca45307     | mov                 byte ptr [esp + 0x64], 0x78
            //   751d                 | mov                 byte ptr [esp + 0x65], 0x41
            //   488b442418           | mov                 byte ptr [esp + 0x66], 0
            //   8b00                 | mov                 byte ptr [esp + 0x48], 0x56

        $sequence_17 = { 8b442450 4c8d4c2420 41b820000000 8bd0 488b4c2448 488b442440 }
            // n = 6, score = 300
            //   8b442450             | cmp                 dword ptr [esp + 4], 0x753a4fc
            //   4c8d4c2420           | jne                 0x1f
            //   41b820000000         | dec                 eax
            //   8bd0                 | mov                 eax, dword ptr [esp + 0x18]
            //   488b4c2448           | mov                 eax, dword ptr [eax]
            //   488b442440           | mov                 eax, dword ptr [esp + 0x50]

        $sequence_18 = { 8b4038 488b4c2430 482bc8 488bc1 4889442430 eb5c }
            // n = 6, score = 300
            //   8b4038               | dec                 eax
            //   488b4c2430           | mov                 eax, dword ptr [esp + 0x40]
            //   482bc8               | dec                 eax
            //   488bc1               | lea                 eax, [ecx + eax*4]
            //   4889442430           | dec                 eax
            //   eb5c                 | mov                 dword ptr [esp + 0x48], eax

        $sequence_19 = { c644246345 c644246478 c644246541 c644246600 c644244856 }
            // n = 5, score = 300
            //   c644246345           | mov                 dword ptr [esp], eax
            //   c644246478           | dec                 eax
            //   c644246541           | mov                 eax, dword ptr [esp + 0x58]
            //   c644246600           | movzx               eax, word ptr [eax + 6]
            //   c644244856           | mov                 byte ptr [esp + 0x63], 0x45

        $sequence_20 = { 4863403c 4889442428 48837c242840 722f 48817c242800040000 7324 }
            // n = 6, score = 300
            //   4863403c             | add                 ecx, eax
            //   4889442428           | dec                 eax
            //   48837c242840         | mov                 eax, ecx
            //   722f                 | mov                 eax, dword ptr [eax + 0x38]
            //   48817c242800040000     | dec    eax
            //   7324                 | mov                 ecx, dword ptr [esp + 0x30]

        $sequence_21 = { 488d0481 4889442448 488b442448 8b00 488b8c2498000000 4803c8 488bc1 }
            // n = 7, score = 300
            //   488d0481             | dec                 esp
            //   4889442448           | lea                 ecx, [esp + 0x20]
            //   488b442448           | inc                 ecx
            //   8b00                 | mov                 eax, 0x20
            //   488b8c2498000000     | mov                 edx, eax
            //   4803c8               | dec                 eax
            //   488bc1               | mov                 ecx, dword ptr [esp + 0x48]

        $sequence_22 = { 488b4c2458 488d440118 48890424 488b442458 0fb74006 }
            // n = 5, score = 300
            //   488b4c2458           | dec                 eax
            //   488d440118           | mov                 ecx, dword ptr [esp + 0x58]
            //   48890424             | dec                 eax
            //   488b442458           | lea                 eax, [ecx + eax + 0x18]
            //   0fb74006             | dec                 eax

        $sequence_23 = { 488b1424 0fb712 6623d1 0fb7ca 0fb7c9 488b542408 }
            // n = 6, score = 300
            //   488b1424             | dec                 eax
            //   0fb712               | mov                 eax, dword ptr [esp + 0x48]
            //   6623d1               | mov                 eax, dword ptr [eax]
            //   0fb7ca               | dec                 eax
            //   0fb7c9               | mov                 ecx, dword ptr [esp + 0x98]
            //   488b542408           | dec                 eax

    condition:
        7 of them and filesize < 1015808
}
Download all Yara Rules