{
	"id": "de7d0d09-3dd9-4143-83fb-10fb643c9138",
	"created_at": "2026-04-06T00:06:28.61459Z",
	"updated_at": "2026-04-10T03:24:23.796702Z",
	"deleted_at": null,
	"sha1_hash": "024c5dc052f29d1b09ecd01a50c79cf1ebe66e82",
	"title": "Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1257090,
	"plain_text": "Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike\r\nBy Cybereason Nocturnus IR\r\nArchived: 2026-04-05 16:45:59 UTC\r\nAt the beginning of 2021, security researcher Orange Tsai reported a series of vulnerabilities targeting Microsoft Exchange servers dubbed ProxyLogon. The Cybereason Incident Response team encountered many compromises during the year that involved these vulnerabilities. Additional vulnerabilities were disclosed during the year by Orange and others, including ProxyOracle and, in August, the last one, dubbed ProxyShell.\r\nIn the months following the publication of ProxyShell at BlackHat, the Cybereason Incident Response team investigated several cases where various attackers leveraged the ProxyShell vulnerability in the wild.\r\nIn this Threat Analysis Report, we share our findings from the latest incident involving ProxyShell. After successfully exploiting ProxyShell, the attackers used the Exchange server to distribute phishing emails to internal and external user accounts, carrying QBot and DatopLoader as the payload. DatopLoader is a malware loader that first emerged in September 2021. It was initially used to distribute the Cobalt Strike attack framework, but recent operations have also included QBot.\r\nQBot is a notorious financial Trojan that recently shifted its focus to affiliating with other attackers. Following QBot's execution and an initial reconnaissance phase, QBot handed control to the next stage of the attack, Cobalt Strike, which used numerous Command and Control servers to drive the attack towards lateral movement across the victim’s domains.\r\nKey Findings\r\nMicrosoft Exchange Vulnerabilities Exploited: The attackers exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. 
They then proceeded to use the Exchange servers to spread phishing emails internally and externally and gain a foothold on the victim’s domains.\r\nDatopLoader: Cybereason detected an increase in activity from DatopLoader as an initial access mechanism. Attackers use it to gain a first foothold in the systems and network environments of their victims.\r\nQBot: The QBot gang has recently switched its focus away from being a banking trojan toward partnering with other attackers to deliver payloads such as Cobalt Strike and Conti Ransomware.\r\nCobalt Strike: The attackers used Cobalt Strike's remote execution capabilities to move laterally across different systems in the victims' network.\r\nInitial Access - ProxyShell\r\nBefore we get into the weeds of the attack, let's take a deeper look at the initial access vector, the Exchange vulnerability dubbed ProxyShell, to better understand the background of the attack.\r\nWhat is ProxyShell?\r\nProxyShell is a set of three security vulnerabilities that allow an adversary to perform unauthenticated remote code execution (RCE) and email-related tasks on unpatched Microsoft Exchange servers, such as downloading and browsing through emails.\r\nThe three CVEs affect on-premise Microsoft Exchange Server 2013, 2016 and 2019, and are described as follows:\r\nCVE-2021-34473 - Pre-auth Path Confusion leading to ACL Bypass. Requires no privileges.\r\nCVE-2021-34523 - Elevation of Privileges on Exchange PowerShell backend. Requires no privileges.\r\nCVE-2021-31207 - Post-auth Arbitrary-File-Write leading to RCE. Requires “High” privileges.\r\nProxyShell, ProxyLogon and ProxyOracle are three notable vulnerabilities published in 2021 that attack the Client Access Services (CAS). CAS is responsible for providing authentication and proxy services for internal and external client connections in Exchange servers. 
ProxyShell was reported by Orange Tsai in collaboration with the Zero Day Initiative (ZDI). It was first introduced on April 6, 2021 at the Pwn2Own 2021 contest, whereas technical details were first disclosed on August 5th at the BlackHat 2021 conference and a more complete article was published on August 16th.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike\r\nPage 1 of 12\n\nCVE-2021-34473 and CVE-2021-34523 were both patched in April (KB5001779) and disclosed in July, whereas CVE-2021-31207 was patched and disclosed in May (KB5003435). To date, approximately 8 months after the official fix, Shodan, the popular vulnerability search engine, displays more than 11K Exchange servers vulnerable to ProxyShell:\r\nFigure 1: ProxyShell’s Shodan search query results\r\nNow that ProxyShell’s background is better understood, we will elaborate on a recent trend Cybereason witnessed in November 2021, showcasing a particular ProxyShell exploitation attempt.\r\nAttackers’ Initial Access\r\nIn this report, we discuss a particularly interesting engagement, where the attackers utilized only one of the vulnerabilities, CVE-2021-34473, to perform unauthenticated email-related activity on an Exchange server, leveraging the vulnerable Exchange backend. This newly gained capability was later used by the attackers in an attempt to infect other recipients via phishing emails, as described later on. 
\r\nBased on the impacted Exchange servers’ IIS log entries, and by cross-referencing the User-Agent with the exploitation email identifier (which is not valuable information in itself, but must be provided as part of the URI), Cybereason suspects the attackers most likely took advantage of these publicly available ProxyShell exploitation scripts, leveraging Exchange Web Services (EWS) to carry out email-related actions.\r\nThe following is a sample IIS log entry, showing the result of executing the aforementioned scripts on a compromised Exchange server:\r\nHTTP Method: POST\r\nURI Query: a=a@edu.edu/mapi/emsmdb/?=\u0026Email=autodiscover/autodiscover.json?a=a@edu.edu\u0026CorrelationID=\u003cempty\u003e\r\nURI Stem: /autodiscover/autodiscover.json\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\r\nFigure 2: ProxyShell IIS log entry example\r\nThis is just one of many requests of the same nature that were witnessed, stemming from different IP addresses originating from all over the internet.\r\nTo detect these kinds of attempts, especially ProxyShell’s CVE-2021-34473 (Authentication Bypass) and CVE-2021-34523 (Elevation of Privileges), we looked at the Exchange servers’ IIS logs and tracked log entries with a URI containing “/autodiscover/autodiscover.json” and one of the following strings: ”mapi/nspi”, ”mapi/emsmdb”, ”/EWS”, “powershell” or ”X-Rps-CAT”.\r\nAnother way to detect these kinds of exploitation attempts is to run a Yara rule on suspected compromised Exchange servers, such as the one published by Florian Roth. 
To detect post-exploitation privilege escalation activity related to ProxyShell’s CVE-2021-31207, we looked for suspicious CmdletSucceeded (Event ID 1) events in the MSExchangeManagement event log, specifically for the Cmdlets:\r\nNew-ManagementRoleAssignment - with the role “Mailbox Import Export”\r\nNew-MailboxExportRequest - with a FilePath argument ending in “.aspx”\r\nIn addition, another data source we examined for malicious PowerShell command executions was the Exchange log files located in “%ExchangeInstallPath%\\Logging\\CmdletInfra\\Powershell-Proxy\\Cmdlet\\*”, with the following conditions:\r\nProcessName contains “w3wp”\r\nPowerShell commands contain “New-ManagementRoleAssignment”, \"New-MailboxExportRequest\" or \"New-ExchangeCertificate\"\r\nSpread via Phishing - DatopLoader\r\nFollowing successful exploitation of the ProxyShell vulnerability, the attackers started sending out phishing emails, both across the organization and to external email addresses outside of it. These phishing emails were sent as replies to legitimate, hijacked email conversations that the attackers stole from within the organization’s Exchange server utilizing the ProxyShell vulnerability. These email replies have a similar structure to the ones recently sent by DatopLoader’s attackers.\r\nDatopLoader is an emerging threat that compromises victims via malspam campaigns, acting as an access broker to provide attackers with an initial foothold into systems and victims' network environments:\r\nOne of the phishing emails that were sent in response to a legitimate internal email\r\nIt's noteworthy that although replying to hijacked emails helps attackers establish more legitimacy for their phishing attempts, they go one step further and modify the typeface and language of the reply messages for each attack to increase the chances of success. 
We believe that this is one of the reasons they are becoming increasingly popular and successful these days.\r\nThe maliciously crafted emails had the following indicative characteristics in the Exchange message tracking logs:\r\nSource-context field:\r\nContained “MessageClass:IPM.Blabla”\r\nSuffixed with “ClientType:WebServices, SubmissionAssistant:MailboxTransportSubmissionEmailAssistant”\r\nDirectionality field set to “Originating”, meaning these emails were generated on the impacted server itself\r\nOriginal-client-ip field matched the client-ip of the ProxyShell IIS log entry\r\nAfter these emails are delivered, the victims are lured to click and download a malicious payload from one of two links:\r\nFirst link - to download a zip file containing a malicious DatopLoader Excel document, which is elaborated on further below.\r\nSecond link - to download a zip file containing a newer version of DatopLoader.\r\nEach of the links directs the victims to a website hosting the malicious payloads as zip files. Once a user clicks on one of them, it automatically downloads a zip file containing an Excel file (.xls) with a common phishing-related message, luring the victim to enable macros:\r\nExample of a malicious document involved in the attack\r\nOnce macros are enabled, an obfuscated macro is executed to create the C:\\Datop folder and to download three DLL files - test.test, test1.test and test2.test - from malicious IP addresses. 
\r\nThese files are then executed by regsvr32.exe; following successful execution, QBot takes control:\r\nQBot execution flow from regsvr32.exe as seen in the Cybereason XDR Platform\r\nInitial Infection - QBOT\r\nQBot is a well-known banking Trojan (also known as Pinkslipbot, Qakbot, and Quakbot) that evolved into modular malware that allows attackers to perform a variety of malicious operations such as reconnaissance, lateral movement, and the delivery of payloads such as Cobalt Strike, Conti Ransomware, and other malware.\r\nIn this case, after successful execution of test1.test via the regsvr32.exe executable, QBot takes charge by reflectively injecting its DLL, stager_1.dll, into a newly spawned explorer.exe instance. In a chain of events stemming from the new explorer.exe, QBot immediately starts by establishing persistence using scheduled tasks and initiating communication with its Command and Control servers:\r\nInjected QBot stager_1.dll in Explorer.exe as seen in the Cybereason XDR Platform\r\nQBot reconnaissance activity as seen in the Cybereason XDR Platform\r\nRight after, QBot performs several activities, including reconnaissance such as checking for information about the host’s network configuration, Active Directory and available network resources (hosts and network shared devices). Except for one freeware tool called Adfind, all of the programs run by the attackers were existing components of the Windows operating system. These programs were executed by the code-injected Explorer.exe.\r\nThe following is the list of the programs and their use by the attackers:\r\nAdfind.exe: a publicly available tool to query Active Directory domains. 
The executable was stored in %PROGRAMDATA%\\Oracle and %SYSTEMDRIVE%%PROFILESFOLDER%\\Public. One command line we observed the attackers use to generate a list of computers on the network was the following:\r\nAdfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName \u003e [some.csv]\r\nNet.exe: Windows component with functionality such as gathering system and network information. net share, net localgroup and net view /all were the commands used by the attackers.\r\nArp.exe: Used to retrieve the Address Resolution Protocol cache.\r\nNslookup.exe: Used to query the Domain Name System to obtain domain name and IP address mappings.\r\nIpconfig.exe: Used to obtain information about the host’s network interfaces.\r\nNetstat.exe: Used to retrieve a list of active connections and listening ports:\r\nnet.exe and nslookup.exe reconnaissance commands as seen in the Cybereason XDR Platform\r\nThere were dozens of connections to QBot Command and Control IP addresses through the explorer.exe process. The same explorer.exe process injects code into the original legitimate explorer.exe process, which in turn spawns legitimate dllhost.exe processes, to be injected using the Process Hollowing technique. 
Then, the dllhost.exe processes are used to deploy Cobalt Strike Beacons to other machines in the network, based on the reconnaissance commands discussed earlier:\r\nexplorer.exe spawning dllhost.exe as seen in the Cybereason XDR Platform\r\nLateral Movement - Cobalt Strike\r\nCobalt Strike is a commercial penetration testing tool that allows an attacker to perform penetration tests using a deployed agent called 'Beacon' on a victim machine.\r\nIn this case, the attackers utilized Cobalt Strike’s Jump psexec and Jump psexec_psh commands in order to move laterally across different machines on available domains in the victims’ network. From that point, the attackers dumped the SYSTEM, SAM and SOFTWARE hives in order to steal credentials.\r\nUsing the Jump psexec and Jump psexec_psh commands enabled the attackers to remotely install services on victim machines and deploy their Beacon. A unique identifier for the two types of command is a string of seven randomly generated alphanumeric characters.\r\nThe difference between the two commands resides in what gets executed by the remote service:\r\njump psexec command uses the same remote code execution method used by Sysinternals' PsExec tool. 
Using this method a Beacon gets copied to and executed from the ADMIN$ share:\r\njump psexec_psh, on the other hand, uses a Base64-encoded PowerShell command that runs shellcode which installs the remote Beacon.\r\nA useful CyberChef recipe to extract the payload from a Cobalt Strike jump psexec_psh command line can be found here:\r\nThese two commands can be traced using the System event log by looking for service creation events (Event ID 7045). To find Cobalt Strike Beacons, look for the following regex patterns in the “Service File Name” field:\r\nJump psexec: \\\\\\\\(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\\\ADMIN\\$\\\\\\w{7}\\.exe\r\nJump psexec_psh: %COMSPEC%.*? powershell -nop -w hidden -encodedcommand JABz.+\r\nCredential Theft\r\nOne credential theft technique the attackers were seen using is dumping the System, Security and SAM registry hives. The System hive contains information about the Windows system; the SAM hive, which stands for Security Account Manager, contains user password hashes; and the Security hive contains security information including security policy and users' permissions. With those hives the attackers can extract the passwords of cached users. (Read more at https://pure.security/dumping-windows-credentials/)\r\nIn addition, the attackers could leverage ProxyShell to search for and download users’ emails containing a specific keyword (the keyword “password” was suggested in the original script mentioned earlier). This technique can lead to the compromise of users whose password was shared via email.\r\nConclusion\r\nThe Exchange vulnerabilities that we touched on in this article have significant implications for enterprises, especially given the prevalence of Windows Server in business settings. 
As shown in this post, once attackers successfully establish a foothold in a network by exploiting such vulnerabilities, it becomes relatively easy to move to other hosts on the network, collect information about the internals of the network, use the network to send phishing emails to other organizations for further expansion of the attack, and sometimes cause unrecoverable damage to the networks. Aside from the vulnerabilities, the use of DatopLoader as a payload deliverer came to our attention. We believe that we will come across this deliverer in future incidents.\r\nIn these particular incidents, the attacks only went up to the Cobalt Strike phase; however, other security vendors have reported that similar incidents in some cases resulted in ransomware attacks. Regardless of which phase of exploitation the attackers were able to reach, the affected corporations had to invest serious amounts of time and effort to recover, and to marshal assets to mitigate and bring the environment back to the latest known secure state in a short period of time under tremendous pressure.\r\nSeveral months have passed since the publication of the Microsoft Exchange Server patches that close the vulnerability. Yet it is noticeable that not many corporations have managed to apply the security updates to reduce exploitable services. 
In order to combat this particular known threat and future unknown threats, follow the recommendations below.\r\nCybereason Incident Response\r\nThe Cybereason DFIR team recommends the following:\r\nApply security patches (KB5001779 and KB5003435, as mentioned in the “What is ProxyShell?” section)\r\nMake sure your Exchange servers have the Cybereason sensor installed to be protected against this threat\r\nEnable the Anti-Malware feature on the Cybereason NGAV, and enable the Detect and Prevent modes of this feature.\r\nEnable the Predictive Ransomware Protection feature and enable the Detect and Prevent modes of this feature.\r\nEnable logging on your Exchange servers\r\nConsider performing a Compromise Assessment of your environment focusing on Exchange vulnerabilities.\r\nConsider a Cybereason IR Retainer to gain immediate containment and expert remediation assistance to prevent security events from escalating.\r\nCybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about our Incident Response team, Cybereason XDR powered by Google Chronicle and Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Exploit Public-Facing Application; Phishing\r\nExecution: Command and Scripting Interpreter; Software Deployment Tools; System Services\r\nPersistence: Server Software Component: Web Shell; Create or Modify System Process; Scheduled Task/Job; Valid Accounts\r\nPrivilege Escalation: Exploitation for Privilege Escalation; Valid Accounts\r\nDefense Evasion: Process Injection; Deobfuscate/Decode Files or Information; Exploitation for Defense Evasion; Reflective Code Loading; Signed Binary Proxy Execution\r\nCredential Access: OS Credential Dumping; Exploitation for Credential Access\r\nDiscovery: Account Discovery; Domain Trust Discovery; Network Service Scanning; Network Share Discovery; Permission Groups Discovery; Process Discovery; System Owner/User Discovery\r\nLateral Movement: Internal Spear Phishing; Lateral Tool Transfer; Remote Services; Software Deployment Tools\r\nCollection: Data from Local System; Data Staged; Email Collection\r\nResearchers:\r\nNiv Yona\r\nNiv, IR Practice Director, leads Cybereason's incident response practice in the EMEA region. Niv began his career a decade ago in the Israeli Air Force as a team leader in the security operations center, where he specialized in incident response, forensics, and malware analysis. In former roles at Cybereason, he focused on threat research that directly enhances product detections and the Cybereason threat hunting playbook, as well as the development of new strategic services and offerings.\r\nOfir Ozer\r\nOfir is an Incident Response Engineer at Cybereason who has a keen interest in Windows Internals, reverse engineering, memory analysis and network anomalies. He has years of experience in Cyber Security, focusing on Malware Research, Incident Response and Threat Hunting. 
Ofir started his career as a Security Researcher in the military forces and then became a malware researcher focusing on Banking Trojans.\r\nChen Erlich\r\nChen has almost a decade of experience in Threat Intelligence \u0026 Research, Incident Response and Threat Hunting. Before joining Cybereason, Chen spent three years dissecting APTs, investigating underground cybercriminal groups and discovering security vulnerabilities in well-known vendors' products. Previously, he served as a Security Researcher in the military forces.\r\nOmri Refaeli\r\nOmri is an Incident Response Specialist with over 7 years of experience in Digital Forensics \u0026 Incident Response (DFIR), Threat Hunting, Malware Analysis and Security Research.\r\nPrior to working with Cybereason, Omri provided comprehensive cyber security services to global companies as a senior consultant in a global consulting firm, after being discharged from the Israeli Navy's technological unit.\r\nDaichi Shimabukuro\r\nDaichi has 5+ years of experience in Digital Forensics and Incident Response. Prior to joining Cybereason, he was part of a digital forensics and litigation handling team at an auditing firm. He mainly focuses on network and memory forensics and tool development to support incident response.\r\nAbout the Author\r\nCybereason Nocturnus IR\r\nThe Cybereason Nocturnus IR team supports our customers with decades of combined experience in Digital Forensics and Incident Response (DFIR), Threat Hunting, Malware Analysis, Reverse Engineering, Red Teaming, and more. We respond to intrusions and security incidents worldwide, helping customers discover if they have been breached, and assess how effective their defenses are through emergency IR, proactive Compromise Assessments and Security Validation/Red Teaming services. 
The Cybereason Nocturnus IR team leverages the advanced functionality of the Cybereason Endpoint Protection Platform in concert with bespoke tooling designed to scale to the speed and impact of modern threats and reverse the adversary advantage.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike"
	],
	"report_names": [
		"threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/024c5dc052f29d1b09ecd01a50c79cf1ebe66e82.pdf",
		"text": "https://archive.orkl.eu/024c5dc052f29d1b09ecd01a50c79cf1ebe66e82.txt",
		"img": "https://archive.orkl.eu/024c5dc052f29d1b09ecd01a50c79cf1ebe66e82.jpg"
	}
}