{
	"id": "d031ab71-6b88-44bf-81bc-ae9eb1aca905",
	"created_at": "2026-04-06T00:08:34.016405Z",
	"updated_at": "2026-04-10T03:24:24.758132Z",
	"deleted_at": null,
	"sha1_hash": "003198f0b09a084722a50e45dc1e14cf317588bd",
	"title": "IndigoDrop spreads via military-themed lures to deliver Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1992284,
	"plain_text": "IndigoDrop spreads via military-themed lures to deliver Cobalt Strike\r\nBy Asheer Malhotra\r\nPublished: 2020-06-22 · Archived: 2026-04-05 16:39:34 UTC\r\nBy Asheer Malhotra.\r\nCisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents\r\n(maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities.\r\nThese maldocs use malicious macros to deliver a multistage and highly modular infection.\r\nThis campaign appears to target military and government organizations in South Asia.\r\nNetwork-based detection, although important, should be combined with endpoint protections to combat this threat\r\nand provide multiple layers of security.\r\nWhat’s new?\r\nCisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with\r\ncustomized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that\r\nmilitary and government organizations in South Asia were targeted by this attack.\r\nHow did it work?\r\nThe attack consists of a highly modular dropper executable we’re calling “IndigoDrop” dropped to a victim’s endpoint using\r\nmaldocs. IndigoDrop is responsible for obtaining the final payload from a download URL for deployment. 
The final\r\npayloads currently observed by Talos are Cobalt Strike beacons.\r\nIn this post, we illustrate the core technical capabilities of the maldocs, IndigoDrop and the Cobalt Strike beacon\r\ncomponents, including:\r\nThe maldocs-based infection chain.\r\nIndigoDrop’s functionality.\r\nCommunication mechanisms and infrastructure used to download infection artifacts.\r\nDetailed configurations of the Cobalt Strike beacons.\r\nSo what?\r\nThis attack demonstrates how the adversary operates a targeted attack that:\r\nUses legitimate-looking lures to trick the target into infecting themselves.\r\nEmploys a highly modular infection chain (implemented in IndigoDrop) to instrument the final payload.\r\nUses an existing offensive framework (Cobalt Strike) to establish control and persist in the target’s network without\r\nhaving to develop a bespoke remote access trojan (RAT).\r\nAnalysis of recently discovered attack-chain variations provides insights into the evolution of this threat. These evolutions\r\nshow how the attackers changed their tactics and techniques to continue the attacks while trying to bypass detection.\r\nThis campaign also shows us that while network-based detection is important, it should be complemented with system\r\nbehavior analysis and endpoint protections for additional layers of security.\r\nAnalysis of maldocs\r\nThis attack uses two techniques to deliver malicious macros to be executed on the target’s endpoint:\r\nMalicious macros already embedded, ready to execute.\r\nMalicious macro downloaded as part of an externally linked template that is then injected into the original lure\r\nmaldoc.\r\nMaldoc lures\r\nhttps://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html\r\nPage 1 of 19\n\nThis attack consisted of maldocs masquerading as internal government or military documents. 
For example, some of the\r\nmaldocs discovered by Talos masquerade as Incident Action Plan (IAP) documents dictating safeguard procedures for the IT\r\ninfrastructure of the Indian Air Force (IAF).\r\nThese documents are aptly named:\r\nIAP39003.doc - Contains embedded malicious macro.\r\nIAP39031.docx - Uses template injection.\r\nSample content of the maldoc lures:\r\nFake document or weaponized copy?\r\nMany targeted attacks employing maldocs observed by Talos usually consist of at most a couple of pages of decoy content to\r\nmake them look legitimate. The documents used in this attack, however, contain legitimate content (~64 pages, ~15k\r\nwords), making them seem even more bona fide. Talos also found a benign copy of one of the maldocs, indicating that it is\r\nhighly likely that the attackers weaponized it and distributed it to targets\r\n(Benign copy hash: 0d16b15972d3d0f8a1481db4e2413a2c519e8ac49cd2bf3fca02cfa3ff0be532).\r\nMalicious VBA Analysis\r\nThis section consists of an analysis of malicious macros used to carry out the attacks using:\r\nLocally embedded malicious macros and\r\nMalicious macros embedded in the injected templates downloaded from a remote location.\r\nThe malicious macros carry out the following malicious activities:\r\n1. Parse a Windows executable’s hardcoded bytes into bytes that can be written to a file on disk.\r\n2. The parsed bytes are written to an EXE file in the currently logged-in user’s Startup directory, e.g.\r\n%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\anything.exe\r\n3. Once the malicious EXE (second-stage payload — IndigoDrop) has been written to the user’s Startup directory, the\r\nmacro quits execution without executing the actual second-stage payload.\r\n4. The attack relies on the user either logging in again or restarting the system to activate the second-stage payload on\r\nthe infected endpoint.\r\n5. The second-stage payload in this attack is a custom dropper (IndigoDrop) that carries out a variety of tasks.\r\nMalicious macro code:\r\nMaldoc distribution\r\nOne of the maldocs disclosed here was referred to by a Bit.ly-shortened URL (created Jan. 23, 2020) — hxxp://bit[.]ly/iaf-guidelines — which redirects to hxxp://tecbeck[.]com/IAP39031[.]docx.\r\nIt is highly likely that the attackers hosted the maldocs on a public server and distributed the direct or Bit.ly links to the\r\ntargets in the form of spear-phishing emails. This may be done to bypass detection systems that scan email attachments for\r\nmalware.\r\nStage 2: Dropper binary — IndigoDrop\r\nThe second-stage binary dropped to disk by the maldocs is a malicious dropper/loader we’re calling “IndigoDrop” designed\r\nto download and activate a customized Cobalt Strike beacon (final payload DLL) from another remote location.\r\nBefore we delve into a detailed analysis, some of the key operational features of IndigoDrop are:\r\nHighly modular in nature: IndigoDrop usually consists of three hardcoded locations that can be used to download and\r\nactivate the next payload.\r\nIn this attack, IndigoDrop utilizes both attacker-operated remote locations and public data hosting platforms such as\r\npastebin[.]com to host the next-stage payloads. It is highly likely that this dropper may download the final payload\r\nfrom these remote locations (likely done in other variants of the attack).\r\nHowever, this instance of the attack downloads a Metasploit shellcode from the hardcoded remote locations. We will\r\nrefer to this Metasploit shellcode as Stage 2A in this post (detailed later on). The Metasploit shellcode (Stage 2A) is\r\nhosted in the form of a Base64-encoded string on the download locations. 
This shellcode is base64 decoded,\r\nunhexlified and executed on the endpoint as part of IndigoDrop’s execution.\r\nBase64-encoded Metasploit shellcode:\r\nBase64-decoded Metasploit shellcode:\r\nIndigoDrop analysis\r\nThis dropper performs the following actions on the endpoint:\r\nEstablish persistence using the registry Run key for itself in location:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | iexplorer = cmd /c \u003cfile_path_of_Dropper\u003e /onboot -hide\r\nE.g.\r\nDownload and execute the Stage 2A Metasploit shellcode.\r\nAnti-infection checks: Check the current username, computer name, parent folder name, MAC addresses and public IP\r\naddresses against a list of blocked values. If any of the values match, IndigoDrop quits (blocked values are listed in the\r\nIOC section).\r\nStage 2A: Metasploit (MSF) downloader shellcode\r\nThe Metasploit shellcode is a modified reverse HTTP stager meant to download a malicious file from the specified\r\ndownload location. This shellcode (Stage 2A) is usually hosted on a public hosting site such as pastebin[.]com.\r\nThe malicious file downloaded is usually a copy of a trojanized jquery[.]min.js file. The malicious jQuery file consists of:\r\nLegitimate JavaScript (JS) code at the top and end of the file.\r\nAt a specific offset in the file is yet another shellcode (referred to as Stage 3A).\r\nThe Metasploit HTTP stager carries out the following actions in sequence:\r\n1. Connect to the malicious attacker-controlled IP address.\r\n2. Download the malicious jquery-3.3.0.min[.]js file to an executable memory location.\r\n3. 
Jump to the malicious shellcode embedded in the jQuery file and start executing Stage 3A.\r\nMalicious jQuery file:\r\nStage 2A Metasploit shellcode downloading the jQuery file to executable memory and jumping to the specified offset:\r\nStage 3A: Decoder shellcode\r\nThe malicious jQuery file contains the decoder shellcode (Stage 3A) and the final Cobalt Strike beacon DLL. The beacon\r\nDLL is, however, XOR-encoded. It is the responsibility of the decoder shellcode to decode and activate this final payload in\r\nthe dropper process’ memory.\r\nDecoder shellcode decoding the final RAT payload:\r\nStage 3B: Cobalt Strike beacon\r\nThe final RAT payload is actually a Cobalt Strike beacon. Once the beacon DLL has been decoded, the decoder shellcode\r\n(Stage 3A) jumps to the beginning of the MZ header in memory instead of going to the DllEntryPoint. This is done to calculate and\r\njump to the address of the loader routine (usually also an exported subroutine) that will carry out reflective DLL loading of\r\nthe Cobalt Strike beacon DLL in the dropper process’ memory.\r\nCode beginning at the beacon’s base image calculating and jumping to the address of the reflective loader (via call ebx):\r\nAfter the loader routine has completed setting up the DLL in memory (re-building imports, base relocations, etc.), it will then\r\njump to the DllEntryPoint (or DllMain) of the beacon to activate the final and most important stage of the infection — the\r\nactual RAT components of the beacon.\r\nConfigurations used\r\nCobalt Strike beacons use configurations specified via “.profile” files in the framework. 
These configurations describe\r\nvarious characteristics of the malicious payload (beacon binary) including:\r\nC2 configuration\r\nCommunication protocols\r\nProcess injection techniques, etc.\r\nThe profiles used in this attack by the beacon binaries attempt to mimic a legitimate jQuery request. The most common\r\nconfigurations used in this attack were:\r\nBeacon type = HTTP\r\nCnC URL resource location = /jquery-3.3.1.min.js\r\nHTTP Post location = /jquery-3.3.2.min.js\r\nUser Agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/74.0.3729.157 Safari/537.36\r\nHTTP Get Metadata =\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nHost: code.jquery.com\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\n__cfduid=\r\nCookie\r\nHTTP Post Metadata =\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nHost: code.jquery.com\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\n__cfduid\r\nIdle DNS IP = 74[.]125.196.113 (google[.]com)\r\nSpawn processes =\r\n%windir%\\syswow64\\dllhost.exe\r\n%windir%\\sysnative\\dllhost.exe\r\nProcess injection configuration =\r\nntdll:RtlUserThreadStart\r\nCreateThread\r\nNtQueueApcThread-s\r\nCreateRemoteThread\r\nRtlCreateUserThread\r\nCapabilities\r\nThe Cobalt Strike beacons used in this attack support a wide variety of capabilities (also known as commands) including:\r\nExecution of arbitrary code in target processes via injection.\r\nExecution of arbitrary commands on the infected endpoint.\r\nDownload and upload files.\r\nImpersonate users.\r\nEnumerate, copy, delete, timestomp files.\r\nModify, query the Windows registry.\r\nUse of malleable jQuery CnC profiles to impersonate legitimate traffic.\r\nThe overall infection chain is illustrated as 
follows:\r\nPastebin usage:\r\nThis attack utilizes pastebin[.]com extensively to host the Metasploit downloader shellcode (Stage 2A). The shellcode\r\nhosted on Pastebin is either created through a guest account or owned by five registered accounts, specifically:\r\nhxxps://pastebin[.]com/u/r_ajeevshikra\r\nhxxps://pastebin[.]com/u/ra_jeevshikra\r\nhxxps://pastebin[.]com/u/raj_eevshikra\r\nhxxps://pastebin[.]com/u/raje_evshikra\r\nhxxps://pastebin[.]com/u/rajeev_shikra\r\nPastebin account operated by the attacker:\r\nThe base64-encoded Metasploit downloader shellcode (Stage 2A) hosted on Pastebin.\r\nPython components\r\nTalos also found Python-based modules related to this threat (PyInstaller EXEs). These modules may have been used in a\r\ndifferent campaign or deployed by the Cobalt Strike beacons as part of this attack. Two Python modules discovered served\r\nthe following purposes:\r\nGather initial system information and send it to the C2 server.\r\nExtract credentials from the infected system and print them to the console.\r\nSysinfo gathering capabilities of the Python modules:\r\nCredentials stolen from the endpoint by the other Python module were from:\r\nGoogle Chrome\r\nMicrosoft Edge\r\nOpera\r\nMozilla Firefox\r\nWiFi credentials\r\nCredential-stealing module of the attack (snip):\r\nEvolution of attacks\r\nTalos discovered multiple variants of the attack instrumenting the Metasploit shellcode and ultimately activating the final\r\npayload (Cobalt Strike beacons).\r\nThis section shows the evolution of the attack and the introduction/modification of its features at different stages of the\r\nengineering process.\r\nApr. 
2018: No droppers\r\nThis is the earliest discovered variant of the attack. The threat also begins with a maldoc containing a malicious macro. The\r\npayload dropped to disk is a “.crt” file. This file is decoded by the malicious macro using ‘certutil’ to obtain the next-stage\r\npayload binary (EXE), which is then executed on the target endpoint.\r\nThe payload activated by the macro is not a dropper. This early variant of the attack does not utilize an intermediate dropper\r\nto download and activate the final beacon on the endpoint.\r\nInstead, the binary decoded and executed on the endpoint by the malicious macro is just an SMB-based Cobalt Strike\r\nbeacon. This SMB beacon continues to appear in maldocs created as late as September 2019.\r\nMay 2019: Cobalt Strike Macros\r\nAround May 2019, the attackers tested the use of VBA macro-based stagers generated by Cobalt Strike. This attack chain\r\nconsists of a maldoc with an embedded macro. The macro consists of code that can inject the hardcoded MSF downloader\r\nshellcode (Stage 2A) into a benign 32-bit process.\r\nThe macro code used to inject shellcode into rundll32.exe contacts the local team server 192[.]168.146.137/eKYS for\r\ninfection tests:\r\nSept. 2019: Test samples and embedded MSF shellcode\r\nThe attackers started experimenting with and testing custom droppers in September 2019 to include a new module — the\r\nnext-stage (Stage 2A) Metasploit downloader shellcode. The Metasploit downloader shellcode was embedded in the test\r\nsamples and connected to a local IP address to download the third-stage payloads (Stages 3x). The dropper seen here is the\r\nearliest discovered instance of IndigoDrop.\r\nMetasploit downloader connecting to a local IP in the dropper:\r\nSept. 
2019: Productionized samples and embedded MSF shellcode\r\nThe attackers finalized their attack structure in September 2019 and started distributing copies of IndigoDrop. These\r\ndroppers were based on earlier test samples (also built in September 2019) and similarly contained embedded MSF\r\ndownloader shellcode. These droppers now connected to public IPs operated by the attackers to download the third-stage\r\npayloads.\r\nSeptember 2019: Python Downloaders; No MSF shellcode\r\nAround the end of September 2019, the attackers started utilizing another infection tactic: the use of Python plus EXE-based downloaders/droppers.\r\nThese droppers were multi-staged, where:\r\nThe actual dropper was a malicious EXE file.\r\nThis dropper would extract an embedded DLL and drop it to disk.\r\nThe dropper then activates the DLL using rundll32.exe.\r\nThe DLL is responsible for downloading and executing the third-stage payload from an attacker-operated server.\r\nThe DLL does this by executing minimal Python code using the python27.dll library.\r\nThese droppers did not utilize the embedded MSF shellcode like their predecessors. Instead, the shellcode was hosted on an\r\nattacker-controlled and operated server.\r\nPython code executed by the Python library in the downloader:\r\nDecoded base64 Python code:\r\nOct. 2019: Pastebin usage begins here\r\nThe attackers started using pastebin[.]com to host their MSF downloader shellcode (Stage 2A) in October 2019. 
The\r\nIndigoDrop samples built during this time period now also included the capabilities to persist another component of the\r\ninfection (usually located at “%userprofile%\\AppData\\Local\\Microsoft\\svchost.exe”) via the registry and the Windows Startup\r\nfolder:\r\nIndigoDrop downloading the MSF shellcode from Pastebin:\r\nLate October 2019 - Present: Multiple Pastebins and anti-infection checks\r\nHaving realized the utility of Pastebin, the attackers upgraded their IndigoDrop implementations to use multiple Pastebins to\r\ndownload the MSF shellcode. The multiple pastes were meant to be backups of each other if any of them were removed. The\r\nattackers also used a combination of Pastebins and attacker-operated download servers as backups if the pastes were removed.\r\nThese IndigoDrop instances also introduced the anti-infection checks (detailed earlier) to the infection chain.\r\nBase64-encoded Pastebin and attacker-operated download URL in an IndigoDrop sample:\r\nThe evolution of attacks is illustrated here:\r\nConclusion\r\nThis investigation illustrates an attacker using multiple tools and techniques to implement their full attack chain. A variety of\r\ninfection artifacts are utilized, ranging from bespoke tools (IndigoDrop) to customizable adversarial tools (Cobalt Strike\r\nbeacons). The attackers also use a combination of public and private servers to host their malicious payloads, with a growing\r\ntrend towards the sole usage of public servers.\r\nThe use of military-themed maldocs (lures) indicates that government and military organizations in South Asia may be the\r\ntargets of this threat actor. The maldocs contain bona fide content and are most likely weaponized copies of benign\r\ndocuments known to pique the interests of their targets.\r\nThe attack variants discovered over time show us that the threat actor can evolve their TTPs in a short period of time. 
The\r\nearliest observable campaigns of this actor date back to April 2018 and continue to operate today along with the most recent\r\nevolutions of the attacks. Evidence of rapid ideation, testing and production of new and diversified modules and IndigoDrop\r\niterations indicates highly motivated and agile adversaries. The use of adversarial frameworks like Cobalt Strike suggests\r\nthat the attackers are looking to expand their malicious arsenal at a significant rate with self-authored and customizable\r\nartifacts.\r\nModern-day malware attack chains consist of multiple stages and operational entities. These artifacts and entities may be\r\nhosted locally or on remote servers. For example, this attack consists of multiple shellcodes hosted on remote locations\r\ndownloaded by a local component (IndigoDrop) during runtime to instrument the attack chain. Thus, while network-based\r\ndetection is important, it should be complemented with system behavior analysis and endpoint protections.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below\r\nis a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites\r\nand detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System\r\n(NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether\r\nusers are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this\r\nspecific threat. 
For specific OSqueries on this threat, click below:\r\nIndicators Of Compromise (IOCs)\r\nThe following IOCs are related to this threat.\r\nThe original post lists the full indicator set: maldoc hashes, dropper hashes, Python module EXE hashes, Cobalt Strike beacon hashes, hashes of the malicious jQuery files containing the beacons, maldoc distribution URLs, Cobalt Strike beacon CnC URLs, IP addresses, MSF shellcode URLs, jQuery/decoder shellcode URLs, MSF shellcode Pastebin URLs, and the values used by IndigoDrop’s anti-infection checks (blocked usernames, computer names, immediate parent folder names, MAC addresses and IP addresses).\r\nSource: https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html"
	],
	"report_names": [
		"indigodrop-maldocs-cobalt-strike.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/003198f0b09a084722a50e45dc1e14cf317588bd.pdf",
		"text": "https://archive.orkl.eu/003198f0b09a084722a50e45dc1e14cf317588bd.txt",
		"img": "https://archive.orkl.eu/003198f0b09a084722a50e45dc1e14cf317588bd.jpg"
	}
}