{
	"id": "d5773ca3-dc0c-49ac-b399-09d9e479e255",
	"created_at": "2026-04-06T00:18:15.367251Z",
	"updated_at": "2026-04-10T13:11:28.025812Z",
	"deleted_at": null,
	"sha1_hash": "0c50229616cbf448ff236f9bb4d848e85828a4e4",
	"title": "Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1416644,
	"plain_text": "Cryptojacking Attack Campaign Against Apache Web Servers\r\nUsing Cobalt Strike - ASEC\r\nBy ATCP\r\nPublished: 2023-11-13 · Archived: 2026-04-05 13:55:32 UTC\r\nAhnLab Security Emergency response Center (ASEC) is monitoring attacks against vulnerable web servers that\r\nhave unpatched vulnerabilities or are being poorly managed. Because web servers are externally exposed for the\r\npurpose of providing web services to all available users, these become major attack targets for threat actors. Major\r\nexamples of web services that support Windows environments include Internet Information Services (IIS),\r\nApache, Apache Tomcat, and Nginx. While the Apache web service is usually used in Linux environments, there\r\nare some cases where it is used to provide services in Windows environments since it supports Windows as well.\r\nRecently, ASEC identified an attack campaign where the XMRig CoinMiner is installed on Windows web servers\r\nrunning Apache. The threat actor used Cobalt Strike to control the infected system. Cobalt Strike is a commercial\r\npenetration testing tool, and it is recently being used as a medium to dominate the internal system in the majority\r\nof attacks including APT and ransomware.\r\nhttps://asec.ahnlab.com/en/59110/\r\nPage 1 of 7\n\nFigure 1. Cobalt Strike being installed by an Apache web service (httpd.exe)   \r\n1. Attack Targeting Apache Web Servers\r\nTargeted systems were all environments with old versions of the Apache web service and PHP installed. While the\r\nspecific method of attack has not been identified, it is likely that various vulnerability attacks would have been\r\npossible against unpatched Apache web servers. There were also logs of PHP web shell malware strains having\r\nbeen installed.\r\nhttps://asec.ahnlab.com/en/59110/\r\nPage 2 of 7\n\nFigure 2. 
PHP web shell malware strains used in the attacks\r\nThe threat actor uploaded and executed the malware through the installed web shell or through vulnerability exploitation. In both cases the executing context is httpd.exe, the Apache web server process, so it is httpd.exe that performs the malicious behaviors such as writing malware to disk and launching it. Note that a web service process creating files and executing processes is not always malicious: the same behavior occurs during legitimate update procedures or while an administrator is carrying out web server maintenance. This is why a signature-based anti-malware product such as V3 cannot simply block such behavior outright. AhnLab EDR (Endpoint Detection and Response) is, according to AhnLab, the only next-generation threat detection and response solution in South Korea built on a behavior-based engine. It provides threat monitoring, analysis, and response capabilities for endpoints. AhnLab EDR continuously collects suspicious behaviors by type so that users can recognize threats accurately from the detection, analysis, and response perspectives, identify root causes, respond appropriately, and establish preventive processes. The following screens show the EDR detection of the threat actor attacking the Apache web service and installing Cobalt Strike: httpd.exe, the Apache web server process, is seen creating and then executing the Cobalt Strike payload.\r\nFigure 3. Traces of suspicious files being created in an Apache web server (EDR)\r\nFigure 4. Traces of suspicious files being executed in an Apache web server (EDR)\r\n\r\n2. Cobalt Strike Used in Attacks\r\nA beacon is Cobalt Strike's agent, and it acts as a backdoor. Cobalt Strike can generate beacons in several forms; by delivery method they are categorized as either stager or stageless.\r\n
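The behavior-based check that section 1 describes, as an added example that is not part of the ASEC post and is not AhnLab EDR's detection logic: a small Python analyzer that walks process-creation and file-creation events and flags httpd.exe (or php-cgi.exe) when it drops a script or executable, spawns a shell or LOLBin, or, worst of all, executes a file it wrote itself, while letting the worker processes and one hypothetical allowlisted maintenance tool through. The event records are constructed to resemble Sysmon EventID 1 and 11 data; the process names, paths, the allowlist entry and the writable-directory list are assumptions.

```python
import re
from collections import namedtuple

# Constructed event records shaped like Sysmon EventID 1 (process create) and
# EventID 11 (file create). Paths use forward slashes, which Windows accepts,
# only to keep the sample data readable.
Event = namedtuple('Event', 'event_id parent_image image command_line target_filename')

WEB_SERVER_PROCESSES = {'httpd.exe', 'php-cgi.exe', 'php.exe'}
# Children a web server never needs to spawn in normal operation (assumption: common post-exploitation tooling).
SUSPICIOUS_CHILDREN = {'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvr32.exe',
                       'certutil.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'}
# Hypothetical maintenance tool an administrator legitimately triggers through the server (allowlisted by full path).
ALLOWED_CHILDREN = {'c:/apache24/bin/ab.exe'}
# File types a web server process should not be writing: binaries, scripts, and server-side code (web shells).
DROPPED_FILE = re.compile(r'[.](exe|dll|ps1|bat|vbs|js|php|phtml)$', re.IGNORECASE)
WRITABLE_DIRS = ('/htdocs/', '/uploads/', '/temp/', '/tmp/', '/programdata/', '/users/public/')

def base(path):
    """Lower-case file name of a path (handles the forward-slash sample paths)."""
    return path.rsplit('/', 1)[-1].lower()

def analyze(events):
    """Walk the event stream in order and return [(severity, reason)] for the
    web-server-originated behaviors the post describes: dropping a file, spawning
    a shell or LOLBin, and executing a file the server itself dropped earlier."""
    dropped = set()   # files written by a web server process, for create -> execute correlation
    alerts = []
    for ev in events:
        if ev.event_id == 11 and base(ev.image) in WEB_SERVER_PROCESSES:
            target = ev.target_filename.lower()
            if DROPPED_FILE.search(target):
                dropped.add(target)
                alerts.append(('medium', f'{base(ev.image)} wrote {ev.target_filename}'))
        elif ev.event_id == 1 and base(ev.parent_image) in WEB_SERVER_PROCESSES:
            child, image = base(ev.image), ev.image.lower()
            if child in WEB_SERVER_PROCESSES or image in ALLOWED_CHILDREN:
                continue   # worker processes and the allowlisted maintenance tool are expected
            if image in dropped:
                alerts.append(('critical', f'{base(ev.parent_image)} executed a file it dropped earlier: {ev.image}'))
            elif child in SUSPICIOUS_CHILDREN:
                alerts.append(('high', f'{base(ev.parent_image)} spawned {child}: {ev.command_line}'))
            elif any(d in image for d in WRITABLE_DIRS):
                alerts.append(('high', f'{base(ev.parent_image)} ran a binary from a writable path: {ev.image}'))
            else:
                alerts.append(('low', f'unexpected child of {base(ev.parent_image)}: {ev.command_line}'))
    return alerts

SAMPLE_EVENTS = [  # constructed; loosely mirrors the create-then-execute sequence of Figures 3 and 4
    Event(1, 'C:/Apache24/bin/httpd.exe', 'C:/Apache24/bin/httpd.exe', 'httpd.exe -d C:/Apache24', ''),
    Event(11, '', 'C:/Apache24/bin/httpd.exe', '', 'C:/Apache24/logs/access.log'),
    Event(11, '', 'C:/Apache24/bin/httpd.exe', '', 'C:/Apache24/htdocs/uploads/img.php'),
    Event(1, 'C:/Apache24/bin/httpd.exe', 'C:/Apache24/bin/ab.exe', 'ab.exe -n 10 http://localhost/', ''),
    Event(1, 'C:/Apache24/bin/httpd.exe', 'C:/Windows/System32/cmd.exe', 'cmd.exe /c whoami', ''),
    Event(11, '', 'C:/Apache24/bin/httpd.exe', '', 'C:/Windows/Temp/update.exe'),
    Event(1, 'C:/Apache24/bin/httpd.exe', 'C:/Windows/Temp/update.exe', 'update.exe', ''),
]

if __name__ == '__main__':
    for severity, reason in analyze(SAMPLE_EVENTS):
        print(f'[{severity}] {reason}')
```

The ordering matters: the correlation set is filled by the file-create events, so an execute of a path the server wrote moments earlier is rated above a bare shell spawn, which is the distinction between an administrator running a tool and a web shell dropping a payload.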
The stager method uses a small downloader that retrieves the beacon from an external server and executes it in memory. Because the stager does not contain the beacon itself, it is small, but it needs that additional download step. A stageless payload, on the other hand, embeds the full beacon and is therefore considerably larger.\r\nFigure 5. Stager malware downloading an encrypted beacon\r\nTo evade file-based detection, the threat actor obfuscated the malware, in some cases by building it with Golang or packaging it with PyInstaller. Most of the samples used in the attacks are stageless. The PyInstaller-built sample, however, is a stager-style downloader that fetches Cobalt Strike and executes it in memory.\r\nFigure 6. Obfuscated Cobalt Strike malware strains\r\nBeacons can communicate with the C&C server over protocols such as HTTP, HTTPS, and DNS. A beacon planted on an internal host during lateral movement usually has no direct path to the Internet, so an SMB beacon that communicates over the SMB protocol is used there instead. Because all the Cobalt Strike instances in these attacks were used to control the infected system right after the initial compromise, they communicated with the C&C server over HTTP.\r\nThe following is the result of running CobaltStrikeParser [1] on one of the Cobalt Strike samples to extract its embedded configuration. The configuration holds not only the C&C server address but also settings such as the User-Agent string and the target process for injection (spawnto).\r\nFigure 7. 
Cobalt Strike settings data\r\nThe Cobalt Strike instances used in the attacks differ in packaging (Go, PyInstaller), but all of them use the same C&C IP address. AhnLab has been detecting this C&C address as a malicious URL since earlier Cobalt Strike attacks, and the detection can also be seen in AhnLab EDR. The following screen shows the connection to the malicious URL being detected as a threat: it shows the malicious URL, the process that connected to it, and the payload data that was transmitted.\r\nFigure 8. Connecting to Cobalt Strike's malicious URL (EDR)\r\n\r\n3. Installing Additional Malware\r\nAfter the attempt to install Cobalt Strike, the threat actor also tried to install Gh0st RAT, probably because Cobalt Strike failed to run properly due to security products. Once control over the infected system was obtained through these attempts, a CoinMiner that mines Monero was ultimately installed.\r\nFigure 9. XMRig communications packet\r\nSince no logs were found other than those for installing the remote control malware and the CoinMiner, the threat actor's ultimate goal appears to be profit from mining Monero with the resources of poorly managed web servers.\r\n\r\n4. Conclusion\r\nAttacks in which Cobalt Strike is installed on Windows servers running the Apache web service have recently been identified. From the logs it can be inferred that the threat actor targeted poorly managed web servers or those with unpatched vulnerabilities.\r\n
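The configuration extraction described in section 2 (Figure 7), as an added example: this is not CobaltStrikeParser and not code from the post, but a minimal parser written on the publicly known beacon config layout, a single-byte XOR key (0x2e for 4.x, 0x69 for 3.x) over a list of big-endian index/type/length/value settings that begins with BeaconType and ends at index 0. The setting-name table is partial and is an assumption about which index carries which field; the sample blob is constructed, with only the C2 host and URI taken from the URL IOCs at the end of the post and everything else (sleep, User-Agent, spawnto, filler bytes) made up.

```python
import struct

# Single-byte XOR keys Cobalt Strike uses for the embedded beacon config (0x2e: 4.x, 0x69: 3.x).
XOR_KEYS = (0x2E, 0x69)
# A decoded config starts with setting 1 (BeaconType), type 1 (short), length 2.
CONFIG_MAGIC = bytes([0, 1, 0, 1, 0, 2])

# Partial name table (assumption: the publicly documented layout); unlisted indices are reported by number.
SETTING_NAMES = {1: 'BeaconType', 2: 'Port', 3: 'SleepTime', 4: 'MaxGetSize', 5: 'Jitter',
                 8: 'C2Server', 9: 'UserAgent', 10: 'HttpPostUri', 29: 'Spawnto_x86', 30: 'Spawnto_x64'}
BEACON_TYPES = {0: 'HTTP', 1: 'Hybrid HTTP DNS', 2: 'SMB', 4: 'TCP', 8: 'HTTPS', 16: 'Bind TCP'}
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

def xor(data, key):
    return bytes(b ^ key for b in data)

def build_config(settings):
    """Encode (index, type, value) tuples in the beacon TLV layout: big-endian index, type and
    length, then the value. Used here only to construct the sample; a real beacon already carries
    this block encoded with one of XOR_KEYS."""
    out = bytearray()
    for index, typ, value in settings:
        if typ == TYPE_SHORT:
            payload = struct.pack('>H', value)
        elif typ == TYPE_INT:
            payload = struct.pack('>I', value)
        else:
            payload = value.encode() if isinstance(value, str) else bytes(value)
        out += struct.pack('>HHH', index, typ, len(payload)) + payload
    out += bytes(2)   # index 0 terminates the list
    return bytes(out)

def find_config(blob):
    """Locate the XOR-encoded config by searching for the encoded magic; returns (key, offset) or None."""
    for key in XOR_KEYS:
        offset = blob.find(xor(CONFIG_MAGIC, key))
        if offset != -1:
            return key, offset
    return None

def parse_config(decoded):
    """Walk decoded TLV settings until the zero index and return {name: value}."""
    settings, pos = {}, 0
    while pos + 6 <= len(decoded):
        index, typ, length = struct.unpack_from('>HHH', decoded, pos)
        if index == 0:
            break
        raw = decoded[pos + 6: pos + 6 + length]
        pos += 6 + length
        if typ == TYPE_SHORT:
            value = struct.unpack('>H', raw)[0]
        elif typ == TYPE_INT:
            value = struct.unpack('>I', raw)[0]
        else:
            value = raw.rstrip(bytes(1)).decode('latin-1')   # fixed-size fields are null padded
        if index == 1:
            value = BEACON_TYPES.get(value, f'unknown({value})')
        settings[SETTING_NAMES.get(index, f'setting_{index}')] = value
    return settings

def extract(blob):
    """Full pipeline on an unpacked beacon or memory dump: find key and offset, XOR-decode, parse."""
    hit = find_config(blob)
    if hit is None:
        return None
    key, offset = hit
    return parse_config(xor(blob[offset:], key))

# Constructed sample: a config block using the C2 host and URI from the IOC list, encoded with the
# 4.x key and surrounded by filler bytes standing in for the rest of the beacon image. The spawnto
# path uses forward slashes only to keep the sample free of escape sequences.
SAMPLE_CONFIG = build_config([
    (1, TYPE_SHORT, 0),                  # BeaconType: HTTP
    (2, TYPE_SHORT, 808),                # Port
    (3, TYPE_INT, 60000),                # SleepTime in ms (made up)
    (5, TYPE_SHORT, 0),                  # Jitter
    (8, TYPE_DATA, '121.135.44.49,/a4vR'.ljust(256, chr(0))),
    (9, TYPE_DATA, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'.ljust(128, chr(0))),
    (10, TYPE_DATA, '/updates.rss'.ljust(64, chr(0))),
    (29, TYPE_DATA, '%windir%/syswow64/rundll32.exe'.ljust(64, chr(0))),
])
SAMPLE_BLOB = bytes([0x90]) * 64 + xor(SAMPLE_CONFIG, 0x2E) + bytes([0x90]) * 64

if __name__ == '__main__':
    for name, value in extract(SAMPLE_BLOB).items():
        print(f'{name}: {value}')
```

On a real sample the blob is the decoded beacon (a stageless payload, or the stage downloaded by a stager, after unpacking), and the C2Server and HttpPostUri values are what feed the URL IOCs below; the key search also tells you which major version produced the beacon.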
As noted above, Cobalt Strike is a commercial penetration testing tool that is now used as the post-exploitation framework in a large share of intrusions, including APT and ransomware operations. AhnLab products include process-memory-based and behavior-based detection that counters the beacon backdoor at every stage, from the initial intrusion with Cobalt Strike to internal spread.\r\nFigure 10. Memory detection log for Cobalt Strike\r\nAdministrators should check their web servers for file upload vulnerabilities to close off the initial infiltration path of web shell uploads in advance. Passwords should be changed periodically and access control put in place to counter lateral movement with stolen credentials. V3 should also be kept updated to the latest version so that malware infections can be prevented.\r\n\r\nFile Detection\r\n– Backdoor/Win.CobaltStrike.C5538818 (2023.11.08.00)\r\n– Trojan/Win.Generic.R605627 (2023.09.15.01)\r\n– Malware/Win64.RL_Backdoor.R363496 (2021.01.18.05)\r\n– Downloader/Win.CobaltStrike.C5538917 (2023.11.09.01)\r\n– Downloader/Win.CobaltStrike.C5538829 (2023.11.08.00)\r\n– Backdoor/Win.Gh0stRAT.C4976986 (2023.06.04.01)\r\n– Malware/Win32.RL_Generic.R356011 (2020.11.22.01)\r\n– CoinMiner/Win.XMRig.C5539322 (2023.11.09.01)\r\n– WebShell/PHP.Generic.S1912 (2022.09.27.02)\r\n– WebShell/PHP.Small.S1690 (2021.10.26.02)\r\n\r\nBehavior Detection\r\n– InitialAccess/DETECT.Event.M11450\r\n– Connection/EDR.Behavior.M2650\r\n\r\nMemory Detection\r\n– Backdoor/Win.CobaltStrike.XM79\r\n– Downloader/Win.CobaltStrike.XM83\r\n\r\nMD5\r\n1842271f3dbb1c73701d8c6ebb3f8638\r\n205c12fabb38b13c42b947e80dc3d53a\r\n36064bd60be19bdd4e4d1a4a60951c5f\r\n594365ee18025eb9c518bb266b64f3d2\r\n5949d13548291566efff20f03b10455c\r\nAdditional IOCs are available on AhnLab 
TIP.\r\n\r\nURL\r\nhttp[:]//121[.]135[.]44[.]49[:]808/a4vR\r\nhttp[:]//121[.]135[.]44[.]49[:]808/ga[.]js\r\nhttp[:]//121[.]135[.]44[.]49[:]808/ptj\r\nhttp[:]//121[.]135[.]44[.]49[:]808/updates[.]rss\r\nhttp[:]//202[.]30[.]19[.]218[:]521/\r\n\r\nSource: https://asec.ahnlab.com/en/59110/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/59110/"
	],
	"report_names": [
		"59110"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c50229616cbf448ff236f9bb4d848e85828a4e4.pdf",
		"text": "https://archive.orkl.eu/0c50229616cbf448ff236f9bb4d848e85828a4e4.txt",
		"img": "https://archive.orkl.eu/0c50229616cbf448ff236f9bb4d848e85828a4e4.jpg"
	}
}