{
	"id": "1a85bcbb-2268-428d-b4da-28e34d5fec87",
	"created_at": "2026-04-06T00:16:18.63743Z",
	"updated_at": "2026-04-10T03:28:46.900436Z",
	"deleted_at": null,
	"sha1_hash": "0546a9e8eb733520f2c251997ff5874a82261a80",
	"title": "CobaltStrike UUID stager",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 892533,
	"plain_text": "CobaltStrike UUID stager\r\nBy Jason Reaves\r\nPublished: 2022-03-28 · Archived: 2026-04-05 19:09:45 UTC\r\nLots of interesting stagers and loaders exist for CobaltStrike; we have talked about a few of them written in various languages[1,2,3]. We have been tracking one for over a year now which hexlifies the stager code on board, and recently we saw a hit for a YARA rule we use to track this stager:\r\nrule cs_hexlified_stager_sc\r\n{\r\n    strings:\r\n        $a1 = \"d2648b52308b\" nocase\r\n    condition:\r\n        all of them\r\n}\r\nhttps://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64\r\nPage 1 of 7\n\nSample:\r\n488d4cbe017c493c66a769ccb203b40cbca3396c654bfff72c1aebeb41f23297\r\nHowever our system for decoding out the shellcode failed, so we took a closer look and noticed a few interesting things: one, the hexlified shellcode was stored as UUIDs[4], and two, the sample was signed by NVIDIA's cert which was recently leaked by LAPSUS$[5].\r\nRef: virustotal.com\r\nNormally to decode the shellcode our decoder would simply rip out the hexlified data and rebuild it:\r\nimport re\r\nimport binascii\r\n\r\ndef decoder(data):\r\n    ret = []\r\n    c2s = []\r\n    # the hexlified stager starts with the 'fc e8' bytes of the shellcode\r\n    blob = re.findall(b'''fce8[0-9a-f]+''', data)\r\n    for val in blob:\r\n        # drop a trailing nibble so the hex string has an even length\r\n        if len(val)%2 \u003e0:\r\n            val = val[:-1]\r\n        temp = binascii.unhexlify(val)\r\n        # printable strings in the shellcode; the last one is taken as the C2\r\n        s = re.findall(b'[ -~]{4,}', temp)\r\n        t = [x.decode('cp1250') for x in s]\r\n        c2s.append(t[-1])\r\n        ret += t\r\n    return((ret,c2s))\r\nSince it is UUIDs then the process is still pretty simple, but we just need to account for whitespace and then abuse try/catch to end the collection:\r\nimport uuid\r\n\r\n# the first UUID of the table encodes the 'fc e8 89 00' start of the shellcode\r\nidx = data.find(b'0089e8fc')\r\n# the UUID strings are NUL separated, so split and drop the empty entries\r\nt = data[idx:].split(b'\\x00')\r\ntt = [x for x in t if x != b'']\r\nsc = b''\r\nc2s = []\r\nret = []\r\nfor val in tt:\r\n    try:\r\n        u = uuid.UUID(val.decode('cp1250'))\r\n        # bytes_le restores the original byte order of the first three fields\r\n        sc += u.bytes_le\r\n    except ValueError:\r\n        # the first string that is not a UUID marks the end of the table\r\n        break\r\nif sc != b'':\r\n    s = re.findall(b'[ -~]{4,}', sc)\r\n    t = [x.decode('cp1250') for x in s]\r\n    c2s.append(t[-1])\r\n    ret += t\r\nThe debug artifacts in the sample refer to it as 'shellcode_uuids', which can also be used to find another sample in VirusTotal:\r\na59ab6c4e69fafc927f666cf1afb31a2851a392cc74336d8a31e15daf1f343ff\r\nThe stagers appear to be the same, however, so instead we can search for something different to pivot on:\r\ncontent:\"0089e8fc-\"\r\nThis leads to many more samples, and since we already have a decoder we can enumerate the IOCs fairly easily for the samples we have accounted for, but there are some others mixed in. For example, GoLang samples that have out of order UUIDs compared to the other samples:\r\n07122c83922c50b386a060d4fbf21433042118fccf5bc678f78acd377d5dccfe\r\nTo decode we just find the offset reference to the first UUID in the code and then walk the table to rebuild:\r\nimport struct\r\nimport pefile\r\n\r\nif b'Go build ID' not in data:\r\n    t = data[idx:].split(b'\\x00')\r\n    tt = [x for x in t if x != b'']\r\nelse:\r\n    pe = pefile.PE(data=data)\r\n    memdata = pe.get_memory_mapped_image()\r\n    idx = memdata.find(b'0089e8fc')\r\n    imgbase = pe.OPTIONAL_HEADER.ImageBase\r\n    # locate the pointer to the first UUID string, which sits in the string table\r\n    val_to_find = struct.pack('\u003cI', imgbase + idx)\r\n    offset = data.find(val_to_find)\r\n    blob = data[offset:]\r\n    tt = []\r\n    while True:\r\n        temp = struct.unpack_from('\u003cI', blob)[0]\r\n        # a NULL pointer terminates the table\r\n        if temp == 0:\r\n            break\r\n        temp -= imgbase\r\n        # each entry points at a 36 character UUID string\r\n        val = memdata[temp:temp+36]\r\n        tt.append(val)\r\n        # advance to the next 16 byte table entry\r\n        blob = blob[16:]\r\nDecoded data:\r\n['49.234.114.124'] [';}$u', 'D$$[[aYZQ', ']hnet', 'hwiniThLw\u0026', 'WWWWWh:Vy', 'QQhP', 'SPhW', 'RRRSRPh\r\nAlso some other samples that have their structure of UUIDs reversed:\r\n9bfd19e3e459118981bf8ca009acca84f5f079ad3a7baa5eb6a1b20f97d3e922\r\nWe just need to account for the decoded shellcode being only 16 bytes, meaning the UUID we found was at the end of the table and we possibly need to reverse the order:\r\nif len(sc) == 16:\r\n    # only one UUID decoded: the table is stored in reverse order\r\n    tt = re.findall(b'''[a-f0-9]{8}\\-[a-f0-9]{4}\\-[a-f0-9]{4}\\-[a-f0-9]{4}\\-[a-f0-9]{12}''', data)\r\n    sc = b''\r\n    for val in tt[::-1]:\r\n        try:\r\n            u = uuid.UUID(val.decode('cp1250'))\r\n            sc += u.bytes_le\r\n        except ValueError:\r\n            break\r\nDecoded data:\r\n['47.116.23.73'] [';}$u', 'D$$[[aYZQ', ']hnet', 'hwiniThLw\u0026', 'WWWWWh:Vy', 'SPhW', 'RRRSRPh', 'VhuF'\r\nIOCs:\r\nUser Agents:\r\nHashes:\r\nYARA:\r\nrule cs_hexlified_stager_sc\r\n{\r\n    strings:\r\n        $a1 = \"d2648b52308b\" nocase\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\n1: https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811\r\n2: https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c\r\n3: https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671\r\n4: https://en.wikipedia.org/wiki/Universally_unique_identifier\r\n5: https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/\r\nSource: https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64"
	],
	"report_names": [
		"cobaltstrike-uuid-stager-ca7e82f7bb64"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0546a9e8eb733520f2c251997ff5874a82261a80.pdf",
		"text": "https://archive.orkl.eu/0546a9e8eb733520f2c251997ff5874a82261a80.txt",
		"img": "https://archive.orkl.eu/0546a9e8eb733520f2c251997ff5874a82261a80.jpg"
	}
}