{
	"id": "bde18a2d-d7d4-45ec-9a56-8eec7076131d",
	"created_at": "2026-04-06T00:18:47.245438Z",
	"updated_at": "2026-04-10T03:24:24.427224Z",
	"deleted_at": null,
	"sha1_hash": "3c5e0a1ead11efb9fcd4f34b79a4be4b8f5e6c87",
	"title": "Detecting Popular Cobalt Strike Malleable C2 Profile Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 832993,
	"plain_text": "Detecting Popular Cobalt Strike Malleable C2 Profile Techniques\r\nBy Durgesh Sangvikar, Matthew Tennis, Chris Navarrete, Yanhui Jia, Yu Fu, Nina Smith\r\nPublished: 2023-06-27 · Archived: 2026-04-05 23:09:34 UTC\r\nExecutive Summary\r\nUnit 42 researchers identified two Cobalt Strike Team Server instances hosted on the internet and uncovered new\r\nprofiles that are not available on public repositories. We will highlight the distinct techniques attackers use to\r\nexploit the Cobalt Strike platform and circumvent signature-based detections.\r\nWe identified Team Server instances connected to the internet that host Beacon implants and provide command-and-control (C2) functionality. We have also extracted the Malleable C2 profile configuration from the Beacon\r\nbinary to help us understand the various methods used to evade conventional detections.\r\nThe operators of the Cobalt Strike Team Servers attempted to conceal their C2 infrastructure behind benign and\r\nwell-known services to evade detection. We have also found Team Server C2 infrastructure hosted on well-known\r\npublic cloud infrastructure providers. The operators also deployed new Malleable C2 profiles. Threat and red team\r\nactors create new profiles to deceive security controls, bypass security measures and avoid detection. 
These tactics\r\ninvolve modifying HTTP URLs, header parameters and host headers with harmless and widely recognized\r\ndomains.\r\nPalo Alto Networks customers receive protections and mitigations for Cobalt Strike Beacon and Team Server C2\r\ncommunication in the following ways:\r\nThe Next-Generation Firewall (NGFW) with an Advanced Threat Prevention subscription can identify and\r\nblock Cobalt Strike HTTP C2 requests generated by custom profiles and block Cobalt Strike HTTP C2\r\nrequests and responses that are masked with the Base64-encoding settings of the default profile (signatures\r\n86445 and 86446).\r\nWildFire and Cortex XDR can identify and block Cobalt Strike Beacon binaries, and XDR will report\r\nrelated exploitation attempts.\r\nCortex XSOAR response pack and playbook can automate the mitigation process.\r\nMalicious URLs and IPs have been added to Advanced URL Filtering.\r\nRelated Unit 42 Topics Cobalt Strike, Cloud\r\nCase Analysis\r\nCobalt Strike is a highly effective platform used by professionals to simulate threats in enterprise network\r\nenvironments. Its primary objective is to establish a secure and undetectable communication channel between\r\nBeacon implants and the Team Server. With the use of Malleable C2, Cobalt Strike operators can easily create\r\nhighly flexible and evasive network profiles, generating different C2 traffic with ease.\r\nhttps://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/\r\nPage 1 of 6\n\nUnit 42 researchers have discovered two distinct tactics used by threat or red team actors to evade detections from\r\ncurrent security controls. By examining these cases, we can better understand the techniques these people use to\r\ncarry out harmful actions without raising any security alerts.\r\nThe case studies below are derived from true positive detection analysis. 
In the following scenarios, we identified\r\nCobalt Strike Team Server infrastructure, extracted Malleable C2 profile configuration information and\r\nreconstructed the configuration and implant data for use in detection improvements.\r\nCase 1: Brand New Profile\r\nCobalt Strike has a well-documented custom profile language. Attackers and red teamers tend to craft well-designed and unique Malleable C2 profiles to conduct their operations, aiming to bypass security filters that look\r\nfor known public Malleable C2 profiles.\r\nWe found a Team Server running on 23.95.44[.]80:80 that hosted a Beacon file with the SHA-256 hash\r\n22631d171fd7d531c0bc083a5335a910a95257e3194b50d8b471740d3a91fe34. We used internal tools to derive\r\nand reconstruct the Malleable C2 profile from the configuration extracted from the Beacon binary.\r\nFigure 1 shows an extracted and recreated custom profile. The left half of the image shows the GET transaction\r\nand the right side shows the POST transaction of the Beacon communication.\r\nThe encrypted and encoded data in the GET transaction is placed in a Cookie Parameter SESSIONID. The ID in\r\nthe POST transaction is added to the custom header User. The ID is double encoded using Mask and NetBIOSU.\r\nThe output from the task execution is also double encoded and appended to the data parameter in the POST body.\r\nBeacon Information\r\nTeam Server IP/Port: 23.95.44[.]80:80\r\nAutonomous System Number (ASN): AS-36352\r\nUsed profile: New Profile\r\nBeacon payload SHA-256 hash:\r\n22631d171fd7d531c0bc083a5335a910a95257e3194b50d8b471740d3a91fe34\r\nFigure 1. A brand new Malleable C2 Profile.\r\nCase 2: Hiding Behind Known Good Services\r\nSecurity vendors use elements of HTTP traffic to determine if a given flow is suspicious or malicious. 
If the\r\ndomain in the Host header of an HTTP request is on a ranked list of popular domains, some malicious criteria\r\ncould be discarded as the request might be identified as benign. Similarly, if the destination server belongs to a\r\nwell-known cloud provider, that IP address could be on the allow list and considered benign.\r\nAttackers use these detection criteria to their advantage by generating HTTP request traffic to mimic known good\r\nservices in order to evade identification. We routinely catch Malleable C2 profiles that mimic well-known benign\r\nwebsites such as e-commerce sites, search engines and email providers.\r\nCase 2.1: Host with Benign/Famous Domain to Evade Security Detection\r\nAttackers often use forged host headers to generate traffic that appears to be benign, thus evading network security\r\ninspection. However, this traffic can still be identified as malicious when inspected by an expert.\r\nFigure 2 shows a Beacon sample using a modified Malleable C2 profile hosted on GitHub. The person intended to\r\ndisguise the malicious traffic as benign traffic from a highly reputable website. However, the ASN record for the\r\ndestination IP address shows a different owner, confirming the deception.\r\nBeacon Information\r\nTeam Server IP/Port: 159.65.219[.]189:443\r\nASN: AS-14061\r\nUsed profile: Modified profile hosted on GitHub\r\nBeacon payload SHA-256 hash:\r\n3528313aeff15375a2bce7b7587b188dcf1befb1e50c9db65d46e81a77a4a096\r\nFigure 2. Malleable C2 Profile with forged HTTP Host header.\r\nCase 2.2: Destination IP Used from Public Cloud to Evade Security Detection\r\nThis example shows how threat or red team actors can use public cloud platforms as a C2 server. 
Generally, these\r\ncases are hard to detect by IP reputation services such as VirusTotal or URL filtering products due to the benign\r\nnature of the service provider.\r\nPenetration testers are well aware of the popularity of online services and use them to their advantage. They can\r\nhide payloads in seemingly harmless services, making it harder to detect malicious activity.\r\nUnit 42 researchers identified a Team Server on the IP 35.224.140[.]15:443 that hosted the Cobalt Strike Beacon\r\nwith the SHA-256 hash 3ac4be4291bddaaa39a815cc05ece6d611cd69a1604fec8dec0f7e5451659cfa. The Team\r\nServer IP belongs to a prominent cloud provider.\r\nFigure 3 shows the Malleable C2 profiles recreated from the Beacon binary hosted on the Team Server instance.\r\nThe Team Server was running on a well-known cloud provider.\r\nBeacon Information\r\nTeam Server IP/Port: 35.224.140[.]15:443\r\nASN: AS-396982\r\nUsed profile: Default profile\r\nBeacon payload SHA-256 hash:\r\n3ac4be4291bddaaa39a815cc05ece6d611cd69a1604fec8dec0f7e5451659cfa\r\nFigure 3. Malleable C2 Profile using a known public cloud service.\r\nConclusion\r\nCobalt Strike is a highly versatile tool, and most security vendors struggle to detect its C2 traffic accurately. This\r\nmakes Cobalt Strike an ideal choice for attackers looking to increase their malware's chances of success.\r\nWe are continuously discovering new Team Servers that host active Beacon binaries. This threat hunting has\r\nproven fruitful against the misuse of Cobalt Strike in cyberattacks. The continuous cycle of scanning and learning\r\nhelps us remain vigilant and provide active defenses against cybercrime.\r\nPalo Alto Networks customers receive protection from the attack above with the following products:\r\n1. 
The Next-Generation Firewall with an Advanced Threat Prevention subscription can identify and block the\r\nCobalt Strike HTTP C2 request in nondefault profiles. ATP signatures 86445 and 86446 can identify HTTP\r\nC2 requests with the Base64 metadata encoding in default profiles.\r\n2. WildFire, an NGFW security subscription, and Cortex XDR identify and block Cobalt Strike Beacon.\r\n3. Cortex XSOAR response pack and playbook can automate the mitigation process.\r\n4. Cortex XDR will report related exploitation attempts.\r\n5. Malicious URLs and IPs have been added to Advanced URL Filtering.\r\nIndicators of Compromise\r\nCS Beacon Samples\r\n22631d171fd7d531c0bc083a5335a910a95257e3194b50d8b471740d3a91fe34\r\n3528313aeff15375a2bce7b7587b188dcf1befb1e50c9db65d46e81a77a4a096\r\n3ac4be4291bddaaa39a815cc05ece6d611cd69a1604fec8dec0f7e5451659cfa\r\nCS Team Server IP Addresses\r\n23.95.44[.]80:80\r\n159.65.219[.]189:443\r\n35.224.140[.]15:443\r\nSource: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/"
	],
	"report_names": [
		"cobalt-strike-malleable-c2"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c5e0a1ead11efb9fcd4f34b79a4be4b8f5e6c87.pdf",
		"text": "https://archive.orkl.eu/3c5e0a1ead11efb9fcd4f34b79a4be4b8f5e6c87.txt",
		"img": "https://archive.orkl.eu/3c5e0a1ead11efb9fcd4f34b79a4be4b8f5e6c87.jpg"
	}
}