{
	"id": "4dc242b8-8ec2-4842-a2a7-e1af13bc879b",
	"created_at": "2026-04-06T00:19:15.874267Z",
	"updated_at": "2026-04-10T13:12:33.109662Z",
	"deleted_at": null,
	"sha1_hash": "1b22d34782cd0151a5d776f27352589c2df3ad7a",
	"title": "Hunting and detecting Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1984643,
	"plain_text": "Hunting and detecting Cobalt Strike\r\nBy Erwan Chevalier, Narimane Lavay and Sekoia TDR\r\nPublished: 2021-03-24 · Archived: 2026-04-05 20:14:48 UTC\r\nTable of contents\r\nWhy should defenders focus on Cobalt Strike hunting and detection?\r\nIn a few words, how does Cobalt Strike work?\r\nThis is how we hunt for Cobalt Strike C2 servers\r\nKeep a close eye on default certificates\r\nWhat does the HTTP response tell us?\r\nLet’s check a malleable C2 profile\r\nHow can we detect Cobalt Strike with our SIEM?\r\nBeaconing network traffic\r\nDetecting when an attacker elevates privileges using svc-exe and moves laterally using PsExec\r\nPipes to detect them all\r\nDefault payload\r\nHow to mitigate Cobalt Strike?\r\nIn the last SEKOIA.IO Threat \u0026 Detection Lab we dealt with a Man-in-the-middle (MITM) phishing attack leveraging Evilginx2, an offensive tool allowing two-factor authentication bypass. Here, we are tackling a much bigger threat, given the frequency with which it is abused by diverse threat actors.\r\nIn this blogpost, we describe step by step how to ensure a proactive and defensive posture against Cobalt Strike, one of the most powerful pentesting tools hijacked by attackers in their numerous campaigns.\r\nWe show examples of how to track Cobalt Strike command and control (C2) servers and Malleable profiles by focusing on their SSL certificates and HTTP responses.\r\nWe also describe ways to detect: (i) Cobalt Strike payloads such as the DNS beacon, based on the nature and volume of Cobalt Strike DNS requests, (ii) Cobalt Strike privilege escalation with the Cobalt Strike built-in service svc-exe, (iii) Cobalt Strike lateral movement with the Cobalt Strike built-in service PsExec and (iv) Cobalt Strike beacon communication through named pipes.\r\nWhy should defenders focus on Cobalt Strike hunting and detection?\r\nWhat do APT29, APT32, APT 41, APT19, UNC2452, 
FIN6, Wizard Spider and most cybercriminals have in common in their toolset?\r\nhttps://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/\r\nPage 1 of 12\n\nWell, as shown in the figure above, the answer is Cobalt Strike.\r\nWhat is Cobalt Strike?\r\nCobalt Strike is a commercial post-exploitation agent designed to allow pentesters to execute attacks and emulate the post-exploitation actions of advanced threat actors. It aims at mimicking threat actors’ tactics, techniques and procedures to test the defenses of the target. However, over the last years, its purpose was hijacked by attackers who managed to crack its official versions and leverage them in their attacks, thus taking advantage of Cobalt Strike’s remote access and defense evasion capabilities.\r\nCobalt Strike is now widely used by threat actors regardless of their capabilities, skill sets, the sophistication of their attacks or the objectives of their campaigns. To mention just a few examples, it has been leveraged in the recent advanced and state-sponsored SolarWinds supply chain attacks [1], as well as in the frequent and offensive campaigns conducted by different cybercriminal groups such as Wizard Spider [2], [3] and the Egregor group [4], ultimately delivering ransomware payloads.\r\nIn 2020, it was seen as one of the most leveraged pentesting tools by attackers, alongside Mimikatz and PowerShell Empire [5]. Overall, in Q4 of 2020, 66% of all ransomware attacks involved Cobalt Strike payloads [6].\r\nTherefore, all these data highlight our need as defenders to be aware and up to date regarding the threat posed by the use of Cobalt Strike for malicious purposes.\r\nIn a few words, how does Cobalt Strike work?\r\nCobalt Strike works in a client/server mode. 
The server, known as the Team Server, runs on a Linux system, controls the beacon payload and receives all information from the infected hosts. The client software (known as the Aggressor) runs on multiple operating systems and enables the user to connect to different Team Servers in order to configure the beacon, deliver the payload and fully use all of Cobalt Strike’s features remotely.\r\nBeacon is the Cobalt Strike payload, highly configurable through the so-called “Malleable C2 profiles”, allowing it to communicate with its server through HTTP, HTTPS or DNS. It works in asynchronous or interactive mode, and can be built as a stageless or staged payload, offering overall considerable flexibility.\r\nOnce connected to its C2 server, the user configures a “listener” (HTTP, DNS …) and a stageless or staged beacon (Windows PE, PowerShell …). The beacon delivery can be achieved directly from the Cobalt Strike server or through another user tool.\r\nThis tool is straightforward to use and very well documented [7], which explains its increasing popularity.\r\nTo adopt a proactive posture and protect our customers from attacks leveraging Cobalt Strike, we have focused on both tracking Cobalt Strike servers and implementing up-to-date rules capable of detecting each version of Cobalt Strike.\r\nAttacks performed with leaked versions of Cobalt Strike are generally carried out with old versions, depending on how easy it is to find these leaks. For this lab session we chose to use version 4.2 (released on 06/11/2020), which has been leaked on hacker forums and was easy to stumble upon.\r\nThe latest 4.3 version was just released (03/03/2021). Aside from the usual new features and bug fixes for each release, we have witnessed some efforts to fix the most specific technical details that help detect Cobalt Strike. 
We discuss some of them in this article, but it is undoubtedly a never-ending game.\r\nThis is how we hunt for Cobalt Strike C2 servers\r\nWe currently possess more than 50 trackers for Cobalt Strike C2 servers and Malleable profiles, which enabled us to feed, with high confidence, our Intelligence database with more than 10,000 IPs in 2020, which in turn detected Cobalt Strike intrusions. To know more about our hunting results, you can read our analysis following this link.\r\nYou will find below an example of three features you can track to spot Cobalt Strike servers. Several trackers are only valid for old versions of Cobalt Strike, but as you will notice from the number of servers we still detect thanks to these trackers, they are still effective. As said previously, threat actors usually use leaked versions, which are not necessarily the most recent ones.\r\nKeep a close eye on default certificates\r\nCobalt Strike servers come with a default certificate displaying specific values for the serial number, the issuer, the subject and the certificate validity, as shown below.\r\nIf they have not been modified by the attackers, these servers can be easily spotted using a Shodan request. At the time of writing, 700 servers match this certificate serial number.\r\nWhat does the HTTP response tell us?\r\nFor Cobalt Strike versions prior to 3.13, the HTTP response displays an extraneous space at the end of the HTTP status line.\r\nAt the time of writing, we can still catch 30 servers using this tracker. 
The same detection could be done using Snort rules.\r\nLet’s check a malleable C2 profile\r\nAs mentioned earlier, Malleable C2 profiles allow Cobalt Strike to be customized, which also means that some public configurations could be used to track C2 servers.\r\nHere is an example of a malleable C2 profile with a self-signed certificate [8] that we can hunt using Shodan.\r\nThe certificate issuer information (common name, organization, organizational unit, location and country) matched 116 servers online in 2020.\r\nHow can we detect Cobalt Strike with our SIEM?\r\nWe performed some attacks using Cobalt Strike beacons in laboratory conditions, so we could figure out some ways to detect them with our SIEM, SEKOIA.IO.\r\nFor this blogpost, we chose to focus on an attack that was carried out using a DNS beacon as a first-stage listener and the SMB beacon for lateral movement. We then managed to detect each step using either the leaked Cobalt Strike source code or the generated logs.\r\nTo detect it using the following rules you will need to have access to these event logs:\r\nMicrosoft-Windows-Sysmon/Operational (and the relevant Sysmon config, especially for Named Pipe events)\r\nMicrosoft-Windows-Windows Defender/Operational (or any other antivirus logs)\r\nDNS and proxy logs\r\nHere is an explanation of rules that can be implemented in your SIEM to specifically detect this attack.\r\nDNS beaconing is a very useful feature, which allows bypassing any HTTP filtering or proxy inspection that may exist in the targeted company.\r\nLast year the Cobalt Strike source code (version 4.0) was leaked, and a security researcher quickly spotted some interesting characteristics of DNS beaconing:\r\nThe mentioned source code reveals that Cobalt Strike uses three constant DNS labels paired with DNS question types: “cdn” for the A type, “api” for the TXT type and “www6” for the AAAA type. 
That means that at some point, when the beacon tries to reach its C2 server, aside from two random labels and the one chosen by the user, that constant string will be used: it is very convenient in terms of detection and enables us to build this kind of rule:\r\n(dnsquery.value LIKE ‘www6.%’ AND dnsquery.type = ‘AAAA’) OR (dnsquery.value LIKE ‘cdn.%’ AND dnsquery.type = ‘A’) OR (dnsquery.value LIKE ‘api.%’ AND dnsquery.type = ‘TXT’)\r\nUsing this rule we were able to detect the first stage of our attack, which leveraged the DNS beacon, as shown below.\r\nThe rule needs some exceptions (e.g. cdn.onenote.net, cdn.fwupd.org) in order to avoid possible false positives in your DNS traffic, but seems reliable. The latest Cobalt Strike 4.3 version brings new options to override the default values through a Malleable C2 profile [9]. With the previous versions, attackers need to modify the source code or patch their beacon binaries.\r\nBeaconing network traffic\r\nAnother behavior that can be detected relies on the interval between two beacon network requests, which has no “sleep” time by default. This configuration could be modified with a Malleable C2 profile.\r\nTherefore, working with Cobalt Strike in interactive mode will generate a considerable amount of network requests, especially with some beacons (e.g. DNS) when it comes to downloading/uploading files. That could be leveraged for detection using classical behavior rules.\r\nDuring our attack, we observed that for both DNS and HTTP beacons, even with only the beacon activity (no exfiltration or command), the total DNS/HTTP requests from the infected host exceeded 200 requests per minute.\r\nThe rule could take this form:\r\nselection DNS/HTTP requests | count() by minute src_ip \u003e 200\r\nDetecting when an attacker elevates privileges using svc-exe and moves laterally using PsExec\r\nWe managed to elevate our privileges within the victim system. 
We chose to achieve this using svc-exe, which is a built-in Cobalt Strike exploit.\r\nIt drops an executable that runs a payload, creates a service to run it, assumes control of the payload, and cleans up the service and executable, thus allowing us to get SYSTEM.\r\nThen, we wanted to perform a lateral movement and jump to the new targeted host. We chose to do so leveraging an SMB beacon, which is a good candidate frequently leveraged in attacks.\r\nWe ran a command on Cobalt Strike that leverages psexec64 as follows:\r\n$ jump psexec64 \u003chost-ip\u003e \u003cname-of-our-SMB-beacon-listener\u003e\r\nThis is one of the features that make Cobalt Strike a strong and efficient tool. It relies on native Windows APIs and not a third-party protocol stack, thus increasing its defense evasion capabilities. Hence, Cobalt Strike has a built-in PsExec, whose strength lies in its ability to launch interactive command prompts on remote systems. It can be run on the victim’s system since it uses native Windows components.\r\nWe observed that these operations resulted in a service creation. They both spawned rundll32.exe, which initiated a network connection, logged as event ID 3 of the Microsoft-Windows-Sysmon/Operational journal. What makes it different from the usual behavior of rundll32 is that the DLL is run without any command line arguments.\r\nThis behavior is anchored in Cobalt Strike. Unless attackers wisely decide to change this configuration in the source code, this will surely spot many other attacks.\r\nPipes to detect them all\r\nA pipe is a section of shared memory that processes use for communication. The process that creates a pipe is the pipe server. The one that connects to a pipe is the pipe client. 
One process writes information to the pipe, while the other process reads the information from the pipe.\r\nThere are two types of pipes: named and anonymous pipes.\r\nNamed pipes are one-way or duplex pipes that are used for network interprocess communication between a pipe server and one or more pipe clients. Multiple pipe clients can use the same named pipe simultaneously in the same instance.\r\nAnonymous pipes are unnamed, one-way pipes that are used for interprocess communication between a parent and a child process, only on a local computer.\r\nCobalt Strike has the ability to pivot over named pipes. It uses pipes to allow a beacon to receive its commands from, and send its output to, another beacon. In this situation, both beacons communicate over pipe channels, as highlighted by the orange arrow in the pivot graph shown below. Cobalt Strike also uses TCP sockets and SSH sessions to connect one beacon session to another.\r\nHence, when we connected a listener (e.g. DNS beacon) with another beacon (e.g. SMB beacon) to perform lateral movement, we observed the creation of Sysmon event ID 17 “Pipe created” in our logs.\r\nDuring our various tests, we observed that the created pipe displayed the same pattern, which can be detected by this regex:\r\nMSSE-[0-9]{4}-server\r\nCobalt Strike users cannot change the default value of these pipes without accessing and modifying the source code configuration of Cobalt Strike.\r\nIt is important to distinguish the pipes that are created to allow beacons to communicate from the named pipes that are generated specifically for the SMB beacon, whose default value is in the form msagent_39, as shown below. 
Unlike the MSSE pipes, the default pipe name of the SMB beacon can easily be modified from the attack interface.\r\nDefault payload\r\nFor a lot of user interactions, Cobalt Strike displays a default value, especially for the payload naming. Of course it is a very weak detection indicator, but a mistake is always possible and defenders only need one.\r\nDuring our lab tests with different use cases, we had these default binary names:\r\nbeacon.{bin|exe|dll|ps1}, artifact.{dll|exe}, payload.{java|ps1|py|rb|vba}\r\nAntivirus logs at that point could also be an easy win: most AVs have specific signatures that could be used to trigger an alert in your SIEM and detect an attacker who forgot to use a custom payload.\r\nMore globally, other characteristics of the binaries (on disk or in memory) could also be used as detection indicators. That is why Cobalt Strike’s editor advises customizing it with a Malleable C2 profile or the Artifact Kit [10].\r\nMany public YARA rules exist to do precisely that, and try to follow existing payloads available in the wild [11]. This is recommended if you have an EDR capability.\r\nHow to mitigate Cobalt Strike?\r\nAs said before, most Cobalt Strike beacon characteristics can be customized: either directly in the user interface for some of them, through a malleable profile, or by directly reversing the source code. Hence, it is essential to be as exhaustive as possible regarding detection capacity.\r\nFurthermore, it seems that Cobalt Strike’s designer made it one of their priorities to always ensure that the tool cannot be detected, releasing a new version each time the last version was well documented by defenders. This highlights for us the need to be up to date regarding the characteristics of new versions. 
Since attackers mostly use leaked versions, we are still a step ahead in detecting the latest threats.\r\nGiven the volume of attacks performed with Cobalt Strike, combining both C2 server hunting and beacon detection, as shown in this article, is definitely a good way to ensure the best protection and tighten the net around that threat.\r\n1. Use a real-time detection solution\r\nTo be protected against it, we highly recommend relying on a real-time detection solution fuelled by cyber threat intelligence.\r\n2. Carry out memory forensics\r\nIf you have been infected by Cobalt Strike, it is recommended to carry out memory forensics. The tool CobaltStrikeScan, available on GitHub, scans files and process memory for Cobalt Strike beacons and parses their configuration [12]. It scans Windows process memory for evidence of DLL injection.\r\n3. Besides having an up-to-date SIEM, there are also these evident courses of action that defenders could leverage:\r\nCobalt Strike can be dropped on victim systems following phishing campaigns leveraging VBS scripts. It is recommended to disable document macros in MS Office. Training users to notice malicious emails should also be performed on a regular basis.\r\nCobalt Strike payloads can be delivered as a PowerShell script. It is recommended to restrict PowerShell script execution to signed scripts only.\r\nSome Cobalt Strike payload signatures can be identified by antivirus. It is recommended to have a good antivirus product.\r\nCobalt Strike beacons generate abnormal behaviors that can be hunted using Sysmon, Security, PowerShell and WMI logs.\r\nIt is recommended to hunt for parent processes spawning unexpected child processes.\r\nMonitor suspicious modifications to registry keys, startup folders, task scheduler and service execution.\r\nThank you for reading this article.\r\nSource: https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/"
	],
	"report_names": [
		"hunting-and-detecting-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b22d34782cd0151a5d776f27352589c2df3ad7a.pdf",
		"text": "https://archive.orkl.eu/1b22d34782cd0151a5d776f27352589c2df3ad7a.txt",
		"img": "https://archive.orkl.eu/1b22d34782cd0151a5d776f27352589c2df3ad7a.jpg"
	}
}