{
	"id": "4a747daa-d136-4b71-8015-1f03f6db0231",
	"created_at": "2026-04-06T00:19:41.109097Z",
	"updated_at": "2026-04-10T03:38:01.800568Z",
	"deleted_at": null,
	"sha1_hash": "1bd10be091553aba8a0bf787d8a205b1a6795fca",
	"title": "A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1669011,
	"plain_text": "A Multi-Method Approach to Identifying Rogue Cobalt Strike\r\nServers\r\nBy INSIKT GROUP®\r\nArchived: 2026-04-05 22:57:13 UTC\r\nRecorded Future assessed changes to Cobalt Strike servers in the wild in the aftermath of the public identification\r\nof several Cobalt Strike server detection methods. In our analysis, we conducted an evaluation of different\r\nmethodologies and did a combined analysis based on them to determine if users changed their configurations to\r\navoid detection. Sources include the Recorded Future® Platform, BinaryEdge, Censys, Rapid7 Lab’s OpenData,\r\nShodan, GreyNoise, ReversingLabs, VirusTotal, Farsight DNS, and other open sources. This report will be of\r\ngreatest interest to organizations seeking to improve the speed of their response times, as well as analysts who\r\ndeal with Cobalt Strike incidents on a regular basis.\r\nExecutive Summary\r\nCobalt Strike is an exploitation platform developed for the use of security professionals in emulating targeted\r\nattacks and post-exploitation actions by advanced adversaries. The tool, developed and licensed by Strategic\r\nCyber LLC, a company based in Washington, D.C., is monitored for illicit usage by the firm and is subject to\r\nexport controls. Despite this, the Cobalt Strike framework has become a popular option among the various\r\nsoftware of this type, which includes other paid suites like Metasploit Pro, Core Impact, and others. 
Although not\r\nalone among such platforms in being used by unlicensed users and criminal actors, Cobalt Strike has been used by\r\na variety of threat groups, including APT32, who have used the tool for initial exploitation, and the namesake\r\nCobalt Group, which has heavily relied on the framework.\r\nConsidering the significant use of the Cobalt Strike platform by security testers — and, more importantly,\r\nmalicious attackers — the necessity of recognizing Cobalt Strike server connections to corporate network assets is\r\nevident.\r\nDespite the detection methodology being public, Recorded Future has observed that Cobalt Strike servers have\r\nbeen left largely unpatched, allowing fingerprinting and subsequent detection. This methodology, coupled with\r\nother detections, allowed Recorded Future to sample Cobalt Strike servers found in the wild, and compare\r\nfingerprinting methods to help defenders best track and monitor this framework. The tracking of Cobalt Strike\r\nservers can aid blue teams in detecting red team activity and containing activity from adversaries who have not\r\nmodified their Cobalt Strike Team Server.\r\nKey Judgments\r\nCobalt Strike servers remain fairly exposed and relatively easy to detect, despite patching to make specific\r\nfingerprinting methods more difficult. 
Many Cobalt Strike servers operating before the patch was released\r\nhave not updated their systems, while newer deployments have used the upgraded software.\r\nhttps://www.recordedfuture.com/research/cobalt-strike-servers\r\nPage 1 of 13\n\nRecently deployed Cobalt Strike servers are more likely to deploy an updated Cobalt Strike version\r\n(beyond 3.12) while continuing to use the default TLS certificate, which remains a reliable detection\r\nmechanism.\r\nRecorded Future’s sampling of current Cobalt Strike servers, contrasted with historic threat activity, found\r\nthat criminal and state-aligned actors alike have used default, unpatched Cobalt Strike configurations,\r\nperhaps in an effort to blend in with other Cobalt Strike servers, or possibly simply because the default\r\nsettings work well without alteration and the operator does not feel the need to alter anything.\r\nThe detection of Cobalt Strike servers can aid defenders in creating alerts in their enterprise networks,\r\nproviding a proactive measure to get ahead of their red team, criminal operations, or state-sponsored\r\nadversaries.\r\nBackground\r\nA primary issue for incident response and security operations analysts today is determining which security events\r\nor alerts are a priority to review. Fortunately, applying accurate threat intelligence to a SIEM workflow, such as\r\nSplunk, can be valuable for identifying credible threats, and can even reveal crucial additional context to enable\r\nsecurity teams to take more proactive measures. For example, an alert comes across your SIEM — it’s an IP\r\naddress, 89.105.198[.]28, that has been contacted by one of your endpoints. 
Now what?\r\nRecorded Future browser extension.\r\nUpon opening the Recorded Future browser extension on the Splunk alerts page, the IP 89.105.198[.]28 jumps to\r\nthe top with a risk score of 93 (this finding was made on May 6, 2019, and the risk score will decay on May 17,\r\n2019 if no further malicious activity is observed). This investigation reveals that the IP address was previously\r\nreported by Sophos as part of the MegaCortex ransomware campaign, using a Cobalt Strike reverse shell.\r\nCobalt Strike is an adversary simulation platform developed for penetration testers by Raphael Mudge, founder of\r\nStrategic Cyber LLC. Designed for interoperability with other platforms such as Metasploit, NMAP, and\r\nPowershell Empire, it can be run using Armitage, a graphic user interface (GUI) developed by Mudge, initially for\r\nMetasploit. Armitage and Cobalt Strike are designed around a team server that allows for the sharing of\r\ninformation and the ability to direct and execute well-coordinated actions.\r\nKnown for its advanced functionality, Cobalt Strike has been adopted by numerous security professionals and also\r\nused illicitly by criminal and nation-state entities. As MITRE has stated, “Cobalt Strike’s interactive post-exploit\r\ncapabilities cover the full range of ATT\u0026CK tactics, all executed within a single, integrated system.” The\r\nframework has been a mainstay in the threat landscape in the last three years, frequently used by criminal groups,\r\nstate-sponsored actors, and, of course, penetration testing teams.\r\nCobalt Strike use over time. (Source: Recorded Future)\r\nCobalt Strike is professionally maintained and available under license currently for a $3,500 USD fee with annual\r\nrenewals. 
In addition to export controls set by the United States, Strategic Cyber LLC attempts to strictly control\r\nits licensing and use to legitimate security professionals and keep the software out of the hands of malicious\r\nactors, making it difficult for both criminals and entities outside the United States to acquire it.\r\nStrategic Cyber LLC regularly updates and patches licensed versions of the software. Recent changes to Cobalt\r\nStrike’s server configurations attempt to help the framework evade detection. Pirated versions of the software,\r\nhowever, will not receive official updates and patches.\r\nAlthough the software licensing has been strictly controlled, there are confirmed instances of pirated versions of\r\nCobalt Strike in the wild, often cracked trial versions, and a variety of actors in the criminal underground have\r\nbeen observed attempting to acquire or trade them. The cracked versions, however, may come with their own\r\nadded “features” such as backdoors, or be lacking in some way. One member on Raid Forums posted a link to a\r\ncracked copy of Cobalt Strike 3.13 (the latest version) on April 5, 2019, but other members pointed out that it was\r\nmissing some features, and parts of the software which should have been removed, such as EICAR, remained.\r\nLegitimate versions of Cobalt Strike are therefore valuable; for example, one Maza forum member was observed\r\nlast year offering $25,000 USD for a purchaser within the U.S. to obtain a licensed copy of Cobalt Strike and\r\nillegally transfer it to this forum member.\r\nReturning to our investigation of 89.105.198[.]28, this IP address was used as a command-and-control server for a\r\nCobalt Strike reverse shell on a victim domain controller during a MegaCortex incident. The ransomware was\r\nthen distributed across the environment via PSExec. 
The MegaCortex ransomware campaign was active at the\r\ntime of this analysis. Further investigation of the IP address reveals that it makes use of the Cobalt Strike server\r\ndefault security certificate to encrypt traffic.\r\nThis case involving 89.105.198[.]28 prompted Recorded Future to investigate this specific Cobalt Strike activity.\r\nThis further encouraged larger-scale Cobalt Strike research, in the wake of security firm Fox-IT’s findings around\r\nthe anomalous space included in Cobalt Strike HTTP responses and other public detections, including common\r\nuse of the standard, pre-configured, self-signed SSL/TLS certificate on Cobalt Strike servers. Servers that deploy\r\nthis certificate can be detected via Shodan or Censys by the SHA256 hash or the serial number of the certificate.\r\nDefault Cobalt Strike SSL/TLS certificate.\r\nPublic Methodologies for Identifying Cobalt Strike Team Servers\r\nOn February 19, 2019, Strategic Cyber LLC (the producer of Cobalt Strike) released the results of a “Cobalt\r\nStrike Team Server Population Study.” The study was undertaken in part to discover the license status of\r\ndiscovered Cobalt Strike software, as well as identify and analyze any significant alterations made to versions of\r\nthe software currently in use.\r\nThis study identified multiple methods that could be used to identify Cobalt Strike servers in the wild:\r\nCobalt Strike servers are shipped with a default security certificate which can be used to fingerprint them\r\nunless the administrator changes it.\r\nSHA256: 87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c\r\nSerial Number: 146473198\r\nWhen enabled, the Cobalt Strike DNS server responds to any DNS request received with a bogon (fake) IP:\r\n0.0.0.0 (this is not unique to Cobalt Strike servers).\r\nThe default controller port for Cobalt Strike Team Server is 50050/TCP, a port unlikely to be found open\r\non other servers.\r\nThe “404 Not Found” HTTP response for Cobalt 
Strike is unique to NanoHTTPD web servers and can be\r\ndetected.\r\nTaken as a whole, the surest method in the list above is fingerprinting Cobalt Strike servers using the default\r\nsecurity certificate. The remaining detection methods are less certain and all will be of higher confidence when\r\ncorroborated with other methodologies. For example, any server using port 50050 that also provides an HTTP\r\nresponse unique to NanoHTTPD web servers is more likely a Cobalt Strike server than one found to only exhibit\r\nan HTTP response signature.\r\nNanoHTTPD is an open source web server framework. NanoHTTPD servers and Cobalt Strike servers running\r\nversion 3.12 and earlier could be identified via a null space in the HTTP response where “HTTP/1.1” is followed\r\nby a blank space (0x20) not found in other web server responses. Any HTTP response from a pre-3.13 Cobalt\r\nStrike server will contain this null space, and a scanner that can retrieve HTTP server responses may be used to\r\nsearch for them. A simple manual method of identifying the aforementioned null space may be done with a packet\r\ncapture of a browser HTTP connection to a Cobalt Strike server, in which the extra space can be easily seen.\r\nAs Cobalt Strike instances running cracked versions are not updated or patched, this method provides the added\r\npotential of discovering Cobalt Strike servers operated by criminals.\r\nNot specifically mentioned in the Strategic Cyber LLC blog post is another method of identifying Cobalt Strike\r\nservers. On January 2, 2019, Cobalt Strike version 3.13 was released. 
The Cobalt Strike release notes state that\r\none of the changes from previous versions was the removal of an “extraneous space from HTTP status responses.”\r\nAn extra null byte in the HTTP server response of NanoHTTPD servers (an open source, Java-based web server)\r\naffected the Cobalt Strike Team Server, which was first released in 2012 and is based upon NanoHTTPD.\r\nThe research on Cobalt Strike servers published by security firm Fox-IT on February 26, 2019, provided not only\r\ndetails on how to identify the servers prior to version 3.13 (which respond with the additional null space in the\r\nHTTP response), but also a list of over seven thousand IPs hosting Cobalt Strike servers observed from 2015 to\r\n2019 using this detection method found in publicly available data from Rapid7.\r\nPacket capture showing extra null space in the HTTP header from a Cobalt Strike server.\r\nSimilarly, on February 27, 2019, the Chinese Knownsec security research team published a blog detailing their use\r\nof the NanoHTTPD 404 Not Found response anomaly reported by Strategic Cyber LLC, as well as the null space\r\nanomaly, to identify Cobalt Strike servers. They found fewer numbers of servers in the data within their associated\r\nZoomEye search engine platform, but still found over three thousand. Knownsec reported that the open source\r\nNanoHTTPD code that Cobalt Strike is built on responds in the following manner, precisely:\r\nHTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nDate: Day, DD Mmm YYYY HH:MM:SS GMT\r\nContent-Length: 0\r\nKnownsec based their detection logic on this finding. 
However, Knownsec also subsequently observed that the\r\norder within the HTTP response may in fact differ, after finding “content-type” presented after “date” in the\r\nresponse from some Cobalt Strike systems.\r\nA reliable method for discovering Cobalt Servers is available to those with access to detailed network traffic data.\r\nThe open source JA3 project, developed by three Salesforce researchers, allows for the detection of suspicious\r\nHTTPS traffic by fingerprinting the TLS negotiation between servers and clients. The TLS/SSL version, accepted\r\ncipher suites, and elliptic curve details (such as elliptic curve point formats) can be fingerprinted much like a\r\nbrowser can be fingerprinted by its version, add-ons, and other features specific to that one browser.\r\nJA3 signatures are for the client side and JA3S signatures are for servers. In the case of Cobalt Strike, fingerprints\r\nhave been created for TLS negotiation by the client beacon (which uses the Windows socket to initiate\r\ncommunication) and Cobalt Strike servers running on the Kali Linux operating system. These fingerprints would\r\nneed to be used together to reliably discover a Cobalt Strike server. Although this detection method can be partly\r\nmitigated by the Cobalt Strike operator by using a “redirector,” many Cobalt Strike servers do not use such a\r\nproxy.\r\nJA3 and JA3S signatures can be used with tools such as Zeek/Bro and Suricata. Data from these network detection\r\ntools can subsequently be fed into a SIEM such as Splunk. 
JA3 and JA3S signatures are available at Salesforce’s\r\nGithub account and from other sources.\r\nAs with detections of other tools such as Metasploit, Powershell, or PsExec that may be used by a security team or\r\nadministrators, network defenders should exercise due diligence if they find evidence indicating connections from\r\nwithin their network to a Cobalt Strike server, as the detection itself will not identify the intentions of the user.\r\nIdentifying a Cobalt Strike server as that of an authorized red team or a true adversary may be impossible based on\r\ndetected traffic alone.\r\nChanges Since Fox-IT and Knownsec Reports Publicizing Anomalous HTTP Responses\r\nWe expected the number of Cobalt Strike servers identified by these methods to decrease after the publication of\r\ninformation by Strategic Cyber LLC, Fox-IT, and Knownsec in late February 2019 concerning the detection of\r\nCobalt Strike servers. Additionally, Cobalt Strike operators were encouraged by Strategic Cyber LLC in their\r\nFebruary study to make use of an Apache or Nginx web server as a “redirector” to proxy their traffic; this\r\nprecludes simple detections of Cobalt Strike servers by removing the anomalous HTTP responses, default security\r\ncertificates, and other such identifiers from the equation. Updating legitimate, licensed servers to version 3.13\r\nwould decrease the number found using the extraneous null space method, but Cobalt Strike operators being\r\naware of the well-publicized detection methods would also be expected to decrease the number of detectable\r\nservers.\r\nBy duplicating Fox-IT’s methodology of detecting the anomalous null space in HTTP responses, Insikt Group\r\nconfirmed a noticeable decrease in identified servers. 388 Cobalt Strike servers were observed for the first time in\r\nFebruary 2019 using Rapid7’s data. The number of first-seen Cobalt Strike servers using this method was only 90\r\nin April 2019. 
However, this is only part of the story; older Cobalt Strike servers visible using this method have\r\ndecreased in number but far less significantly. 441 of the servers observed in Rapid7’s data were still observed to\r\nbe up in April 2019, which is more than the 387 last observed in January 2019.\r\nBy analyzing the Knownsec research to identify Cobalt Strike with a different HTTP detection methodology,\r\nInsikt Group replicated their research in the same ZoomEye search engine data. Insikt Group identified 1,580\r\nservers that were up in 2018, and only 1,053 through May 2019.\r\nRecent metrics of individual Cobalt Strike detection parameters. (January 2019 to May 2019)\r\nAs previously noted, both of these HTTP detection methods are based upon anomalies within NanoHTTPD, not\r\nCobalt Strike systems in particular. Not all of those detected using these methods had corroborative data, such as\r\nopen port 50050. Other variables are also involved in the change to the number of servers. Cobalt Strike servers\r\nmay change IPs and do not always remain up for long periods of time. Although there has been a reduction in\r\nnewly sighted Cobalt Strike servers since January 2019, the data indicates that there are still a large number of\r\nservers in operation that are detected by the HTTP null-space anomaly method.\r\nCobalt Strike identification using combined detection methods. (January 2019 to May 2019)\r\nThe combination of the three detections made for high confidence assessments for the servers to be hosting Cobalt\r\nStrike — in fact, all six of the servers identified in this manner were previously reported to host Cobalt Strike and\r\ncommunicate with various Cobalt Strike beacons. 
The use of the default Cobalt Strike certificate proves to be the best\r\ndetection methodology; however, monitoring the combined usage of NanoHTTPD and open port 50050 can\r\nnarrow the field of IPs to monitor greatly.\r\nThreat Analysis\r\nBy using Fox-IT’s methodology and looking for use of the standard-issue Cobalt Strike TLS certificate on\r\naccessible IPs, Recorded Future attempted to profile Cobalt Strike usage in the wake of Strategic Cyber LLC\r\npatching a major detection mechanism. It should be noted that the forthcoming methodology and study tracks\r\nvisible Cobalt Strike servers, and cannot account for Cobalt Strike servers that evade detection even by simple\r\nchanges.\r\nIn this research, Recorded Future anticipated Fox-IT’s findings to shift the adoption of Cobalt Strike to more\r\nrecent versions, which has occurred, to some extent. Despite Strategic Cyber LLC providing a patch to address\r\nthis detection, and the publication of IP addresses with the additional space in the HTTP response, Cobalt Strike\r\ndeployments from before the update do not appear to have been updated. The month following the update to the\r\nframework saw the largest increase in newly observed Cobalt Strike servers based on Fox-IT’s detection\r\nmethodology, as it was applied to Rapid7’s data sets. These servers spent an average of 70 days online.\r\nHowever, this detection proved unreliable, as the method found 248 devices on consecutive CIDR ranges on AS\r\n132839, using NanoHTTPD on port 1443, solely active on February 1, 2019. After removing this anomaly, the\r\ndata indicates a stark drop in the detection of new Cobalt Strike hosts using NanoHTTPD. 
This may be due to\r\nfewer new Cobalt Strike deployments overall, but may also reflect the updated software being used.\r\nThe last-seen data from April 2019 largely indicate that previously deployed Cobalt Strike instances have not been\r\nremoved or updated. Additionally, the amount of time the servers have stayed online, based on that same data set,\r\nshows no noticeable shift in servers that have continued to be detected, hovering around the data set’s average of\r\n70 days. However, there was a decline in new Cobalt Strike servers found with the null space in the HTTP header.\r\nThe continued identification of Cobalt Strike servers using an outdated version of the framework (via the null\r\nspace in the HTTP header) and the default configurations may indicate that a large population of Cobalt Strike\r\nservers are cracked or stolen versions. It may also be an instance of operators not reading security publications,\r\nbut the answer may be more simple than that — most targets are not likely searching for Cobalt Strike servers, and\r\nthe payloads remain effective, so why change their behavior?\r\nSampling of Cobalt Strike Servers\r\nRecorded Future took a sampling of the IP addresses from which we had seen activity in April 2019 to look at\r\nboth noted activity and detection overlaps. These servers fit into a number of categories: confirmed Cobalt Strike\r\nactivity, Cobalt Strike servers associated with other malware, Cobalt Strike servers with links to known threat\r\ngroups, and unreported Cobalt Strike servers that have yet to be named in threat lists or reporting.\r\nThe research methods used were unable to help determine if the systems analyzed were licensed or not, and\r\nsimilarly, could not identify if the servers were conducting authorized security testing or illicit attacks.\r\nA number of IP addresses found overlap in signals related to Cobalt Strike. 
All three made use of the default\r\ncertificate, had the Cobalt Strike controller port 50050 open, and were previously identified for hosting Cobalt\r\nStrike beacons or Meterpreter reverse proxies. It should again be stressed that higher-fidelity detections are made\r\nwhen using corroborating detection methods.\r\nThe IP address 89.105.202.58 made use of the standard Cobalt Strike certificate. Previous URLscan.io\r\nresults show an HTTP 404 Not Found response, with no content and plain text Content-Type, and Shodan\r\nscanning indicates that port 50050 was open, which can host the Cobalt Strike controller. Twitter user\r\n@Scumbots has previously identified the server as hosting a Meterpreter reverse proxy, which was\r\ncontacted via Powershell script that has been hosted on PasteBin since February 2019.\r\n199.189.108.71 also made use of the default Cobalt Strike certificate, had port 50050 open, and had\r\npreviously been identified by Twitter user @Scumbots for hosting a Meterpreter reverse proxy, which also\r\nmade use of base64-encoded Powershell to obfuscate execution.\r\nThe IP 31.220.43.11 was identified using the baseline Cobalt Strike certificate, corroborated by port 50050 being\r\nopen on the server. A Meterpreter sample has been observed sending HTTP traffic to the IP in a command-and-control capacity. According to Shodan data, the IP has a number of ports open and is vulnerable to a number of\r\nexploits, which may indicate that the host is compromised to serve other malware. The IP hosts a single domain at\r\nthe time of analysis: cob.ozersk[.]today.\r\nA number of IPs used the standard Cobalt Strike certificate, and had been previously associated with FIN6\r\nactivity, for both the delivery of ransomware and the initial attack vector to distribute point-of-sale malware. 
At\r\nthe time of this analysis, both of these Cobalt Strike Team Servers were active, despite the campaign being\r\npublicly burned. This speaks to FIN6’s lack of need for clean up after its operations, as well as the speed with\r\nwhich the operation was abandoned.\r\nInterestingly, while one of the servers was detectable by all three methods, one of the servers had been patched for\r\nthe NanoHTTPD extra space, implying that either the standard web server was reconfigured, or the actors had an\r\nupdated version of Cobalt Strike. The diversity of the Cobalt Strike servers deployed in the same incident shows\r\nthat FIN6 uses the standard Cobalt Strike framework with little modification.\r\nThe server at 185.80.233.166 uses the default Cobalt Strike security certificate. This system also has the\r\ndefault Cobalt Strike Team Server port 50050/TCP open. The system had an MX record of\r\nmail.sexlove24[.]com, and Talos telemetry data indicates that no mail has been observed to or from this\r\nsystem in the month of April 2019. This IP was identified by Morphisec in February 2019 as part of a\r\ncoordinated attack on point-of-sale systems using FrameworkPOS. The activity made use of TTPs used by\r\nthe FIN6 group, specifically the use of WMI/PowerShell for lateral movement and privilege escalation.\r\nThe IP 176.126.85.207 was detected both by Fox-IT’s anomalous space and the use of the default Cobalt\r\nStrike certificate, with data corroborated by having port 50050 open. The IP has been observed delivering a\r\nMetasploit Meterpreter reverse HTTP payload in conjunction with LockerGoga and Ryuk delivery from\r\nFIN6.\r\nTwo IPs used the standard Cobalt Strike certificate, and made use of Cobalt Strike reflective loaders. Reflective\r\nDLL (dynamic-link library) loading is a method of injecting a DLL into the memory of a process while bypassing\r\nthe Windows DLL loader and avoiding storing the DLL on a disk. 
A DLL injected in this manner may be difficult\r\nto detect, as it is only resident in memory. Reflective DLL loading, famously used by APT40 (also known as\r\nTEMP.Periscope) and in the Wilted Tulip campaign, is not exclusive to Cobalt Strike and is conducted through\r\nvarious means by a number of actors. The use of a reflective loader is not evidence that these groups were active\r\non these servers. Neither IP address hosted domains at the time of this analysis.\r\nThe IP 89.105.198.18 made use of the default Cobalt Strike certificate as well. The IP previously was\r\nidentified as a command-and-control server, receiving Meterpreter data over HTTP, according to\r\n@Scumbots. Previous scan data from Shodan corroborated the Cobalt Strike server existing on the IP\r\naddress by having the Cobalt Strike controller port 50050 open. Recorded Future’s collections identified\r\ntwo files which contacted the IP address 89.105.198.18, first observed in March 2019. The payloads had\r\ninconsistent detections on VirusTotal, likely due to at least the first file being UPX-packed. An inspection\r\nof the memory dumps from executing the files found that both were Cobalt Strike reflective loaders.\r\n3a143d038aae9e4253ed6656beaaae298795a3df20e874544c0122435ef79bc0\r\n9668c17504a0d9471668dac64b3c5c2abfb3b186c25dc28d91afbe95ed341002\r\nAnother IP address on the same CIDR range also made use of the default Cobalt Strike\r\ncertificate: 89.105.198.21. The IP address did not host domains at the time of this analysis, but previous\r\nscan data corroborated the presence of a Cobalt Strike server.\r\nThe IP 106.12.204.25 was detected both by Fox-IT’s anomalous space and the use of the default Cobalt\r\nStrike certificate. The IP also had port 50050 open, and had a plaintext 404 Not Found response, as\r\nmentioned above. 
The IP has been reported as delivering a Cobalt Strike beacon, which was also\r\ndetected by a VirusTotal user as a Cobalt Strike reflective loader related to APT40. Recorded Future has\r\nnot observed the IP operating in connection with APT40.\r\nAnother general category of IPs that was identified as hosting Cobalt Strike had uncorrelated threat activity\r\ninvolving other malware or suspicious activity, but largely produced inconclusive results.\r\nThe IP address 91.152.8.14 made use of the standard Cobalt Strike certificate in mid-April 2019. A generic\r\ntrojan was found to communicate with the IP address via HTTP methods over port 433. The IP hosted no\r\ndomains at the time of analysis, but shared a certificate with forum.happyhippos[.]org. The certificate\r\nissuer claimed to be from Espoo, Uusimaa, Finland, the same relative geolocation of the IP address.\r\nAnother IP address on the same CIDR range was detected via the anomalous HTTP header space, on\r\n91.152.8.173. While this IP made use of a different certificate, previous Shodan scans over port 443 show a\r\n404 Not Found response with no content and plain text Content-Type, which is a low-confidence signal of\r\na Cobalt Strike server. Without further data, Recorded Future could not come to a conclusion about these\r\nIPs.\r\nThe IP 99.81.122.12 was identified in late April 2019, from the anomalous spacing, use of the Cobalt Strike\r\ncertificate, and having the controller port 50050 open. The server is now inactive, but previously served as\r\na Cobalt Strike beacon, accessed via HTTP. The server did not host domains at the time of analysis.\r\nThe IP 72.14.184.90 also made use of the generic Cobalt Strike certificate. The IP address is contacted by a\r\nmalicious file, reaching out over HTTP to the URL hxxps://72.14.184[.]90/search/news/. The file is\r\ndetected as a Cobalt Strike beacon. The IP address was also implicated for being involved in a\r\nspearphishing campaign in late January 2019. 
Shodan scan data indicates the server has a number of\r\nvulnerabilities, which points to the server potentially being compromised to host the Cobalt Strike server,\r\nrather than the server being rented for a pen-testing engagement.\r\n06f8004835c5851529403f73ad23168b1127315d02c68e0153e362a73f915c72\r\nFinally, a number of IPs had limited reports of threat activity, but bore indications of potential malicious activity\r\ncoming in the near term:\r\nThe IP 172.96.250.199 used the baseline Cobalt Strike certificate, but has not had any threat activity\r\nassociated with it, according to Recorded Future telemetry. The IP address has since swapped certificates to\r\nuse a pair of LetsEncrypt certificates, including one linked to the domain haqiu[.]cf. The domain was\r\nneither active nor hosted on this IP at the time of this analysis. The IP has been associated with hosting a\r\nsuspicious domain, ssss.ppwu[.]xyz, which has made use of dual LetsEncrypt certificates. These\r\ncertificates are good for only 90 days and have since been rotated onto Cloudflare servers. This may\r\nindicate a forthcoming red-team engagement, or future threat activity using Cobalt Strike.\r\nThe IP 139.162.18.83 was identified from the use of the default Cobalt Strike SSL certificate, but no threat\r\nactivity or other oddities have been observed on the IP address. However, on the same CIDR range,\r\n139.162.18.179 was identified from the anomalous space included in the HTTP response, and it was found\r\nto be using the default Cobalt Strike SSL certificate. There is no threat activity currently associated with\r\nthe server, but a number of suspicious domains are hosted on the IP.\r\nThe IP 124.156.106.98 also made use of the default Cobalt Strike certificate, and had port 50050 open\r\nwhich can be used for the Cobalt Strike controller panel. 
The IP has been observed as the command and\r\ncontrol for a Cobalt Strike beacon, observed in March 2019. However, an odd domain was registered and\r\nhosted on the IP as of May 2, 2019, kongbu.koubaogangjiao[.]xyz, while the Cobalt Strike signals were\r\nstill live. The domain may be used going forward for penetration testing or malicious infections.\r\nOutlook\r\nRecorded Future finds it important to cluster together signals from known threats to help baseline threat activity\r\nand to make it easier to identify more unique threats. The continued sightings of standard Cobalt Strike\r\ncertificates, along with the anomalous space in HTTP responses from versions earlier than 3.13, indicate that the\r\ncollaborative use of multiple signatures will prove to be the best method for identifying active Cobalt Strike\r\nservers.\r\nWhile espionage-oriented actors often have large amounts of development time and resources at their disposal,\r\nthey also have a vested interest in blending in with the crowd. Obstacles other than intentional tradecraft may prevent\r\nthe patching of Cobalt Strike servers, including lack of knowledge of the update due to a language barrier,\r\noperational comfort with currently installed versions, or other modifications that prevent the installation of the\r\nupdate. The use of cracked versions of Cobalt Strike or deployment of standard Cobalt Strike instances causes a\r\nblending together of threats, making attribution difficult. 
Additionally, by running cracked versions of the\r\nframework, actors can blend in with older versions of Cobalt Strike.\r\nDetection of these servers on a rolling basis can provide rules for SOC and IR teams to develop alerting or\r\nblocking capabilities, and can prompt investigations into hosts communicating with these servers.\r\nSource: https://www.recordedfuture.com/research/cobalt-strike-servers\n\nBy duplicating Fox-IT’s methodology of detecting the anomalous null space in HTTP responses, Insikt Group confirmed a noticeable decrease in identified servers. 388 Cobalt Strike servers were observed for the first time in\nFebruary 2019 using Rapid7’s data. The number of first-seen Cobalt Strike servers using this method was only 90\nin April 2019. However, this is only part of the story; older Cobalt Strike servers visible using this method have",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.recordedfuture.com/research/cobalt-strike-servers"
	],
	"report_names": [
		"cobalt-strike-servers"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434781,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bd10be091553aba8a0bf787d8a205b1a6795fca.pdf",
		"text": "https://archive.orkl.eu/1bd10be091553aba8a0bf787d8a205b1a6795fca.txt",
		"img": "https://archive.orkl.eu/1bd10be091553aba8a0bf787d8a205b1a6795fca.jpg"
	}
}