{
	"id": "81cbd080-f043-4f25-b8d2-4702ea9bc39f",
	"created_at": "2026-04-06T01:31:10.734842Z",
	"updated_at": "2026-04-10T03:32:45.866677Z",
	"deleted_at": null,
	"sha1_hash": "4e6ff2827eb768dfd76c0bb3480e31c5817b7949",
	"title": "Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 495214,
	"plain_text": "Cobalt Strike Operators Leverage PowerShell Loaders Across\r\nChinese, Russian, and Global Infrastructure\r\nPublished: 2025-06-19 · Archived: 2026-04-06 00:37:50 UTC\r\nWhile analyzing open directories during a routine threat hunting session, we discovered a suspicious PowerShell\r\nscript (y1.ps1) hosted in an open directory on a server in China (IP: 123.207.215.76).\r\nThe script functions as a shellcode loader utilizing in-memory execution techniques to evade disk-based detection.\r\nIt resolves Windows API functions dynamically and decrypts embedded shellcode, which acts as a downloader.\r\nFirst seen on June 1, 2025, the script triggered a deeper investigation into post-exploitation infrastructure.\r\nThis PowerShell loader reflects an active post-exploitation setup leveraging stealth techniques and Cobalt Strike\r\ninfrastructure.\r\nIn this article, we break down how the shellcode operates, its evasion methods, and how we traced its connection\r\nto known Cobalt Strike infrastructure.\r\nKey Takeaways\r\nThe PowerShell script (y1.ps1) executes shellcode directly in memory using reflective techniques.\r\nIt connects to a second-stage C2 server hosted on Baidu Cloud Function Compute.\r\nThe shellcode employs API hashing and sets forged User-Agent strings to evade detection.\r\nThe final payload communicates with a known Cobalt Strike IP address in Russia.\r\nSSL metadata and loader behavior confirm links to Cobalt Strike post-exploitation tools.\r\nIntroduction\r\nThe decrypted shellcode initiates a connection to a second-stage command-and-control server hosted on Baidu\r\nCloud Function Compute (y2n273y10j[.]cfc-execute[.]bj.baidubce[.]com). 
It uses API hashing to obfuscate\r\nfunction names, sets a forged User-Agent string, and employs reflective DLL injection to load the payload directly\r\ninto memory.\r\nAnalysis of the decoded payload configuration revealed a Cobalt Strike Beacon communicating with the IP\r\naddress 46.173.27.142, associated with Beget LLC (Russia).\r\nSSL metadata indicates a certificate subject of \"Major Cobalt Strike\" and issuer \"cobaltstrike.\" These findings are\r\nconsistent with known Cobalt Strike infrastructure and usage patterns in post-exploitation and threat actor activity.\r\nWhile most of the IOCs in this case are linked to Chinese and Russian servers, we also identified a few hosted in\r\nthe United States, Singapore, and Hong Kong. This suggests that although the core staging environment relies\r\nhttps://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure\r\nPage 1 of 15\n\nheavily on infrastructure in China and Russia, cloud platforms in other regions are occasionally used to support\r\ndistribution.\r\nScript Metadata\r\nThe y1.ps1 script was hosted in an open directory on a Chinese server with the following attributes:\r\nFile Name: y1.ps1\r\nFile Size: 4 KB\r\nHost IP: 123.207.215.76:80\r\nHost Attribution: Shenzhen Tencent Computer Systems Company Ltd. (China)\r\nCapture Time: 2025-06-01 12:06 UTC\r\nTechnical analysis\r\nTo further examine the file's behavior and context, we used our internal analysis tools.\r\nThe PowerShell script was discovered using the Attack Capture File Manager. The file was flagged as malicious\r\nand made publicly accessible via an open directory.\r\nFigure 1: Open directory hosting the PowerShell code\r\nThe PowerShell script is a shellcode loader designed to execute malicious code in memory, a technique often used\r\nby malware to evade detection. 
It begins by enabling strict mode to ensure clean execution, then defines two key\r\nfunctions: func_get_proc_address, which retrieves memory addresses of Windows API functions (like\r\nVirtualAlloc) from DLLs using reflection, and func_get_delegate_type, which dynamically creates a delegate to\r\ncall functions in memory.\r\nThe main execution block, triggered on 64-bit systems, decodes a Base64-encoded byte array, decrypts it with an\r\nXOR operation, and allocates executable memory using VirtualAlloc. The decrypted shellcode is copied into this\r\nmemory and executed via a delegate, bypassing disk-based detection.\r\nFigure 2: PowerShell shellcode loader\r\nHunting PowerShell Cobalt Strike shellcode\r\nWe used Code Search with the keyword \"func_get_delegate_type\", a function often associated with reflective\r\nexecution in PowerShell-based loaders, and filtered for files with the \".ps\" extension. This returned 129 results and\r\nhelped uncover a set of suspicious scripts, along with the hostnames serving them. Identifying this pattern was key\r\nin linking the loaders to active Cobalt Strike infrastructure.\r\nFigure 3: Results of searching the code query\r\nOne of the retrieved scripts stood out for deeper inspection, leading us to examine its embedded shellcode.\r\nDecrypting shellcode\r\nWe returned to the script and used CyberChef to decode the embedded shellcode. 
The payload was Base64-encoded and XOR-decrypted using a key of 35.\r\nFigure 4: Decrypting shellcode using CyberChef\r\nThis shellcode functions as a downloader designed to connect to a remote server hosted on Baidu's Cloud\r\nFunction Compute platform (y2n273y10j[.]cfc-execute[.]bj[.]baidubce[.]com). Its main job is to fetch and run a\r\nsecond-stage payload.\r\nEvasion Technique: API Hashing\r\nInstead of including API function names directly in the code (which would be easy to spot in a static analysis), the\r\nshellcode calculates a unique hash for each function it needs. It compares these calculated hashes to pre-computed\r\nvalues hardcoded into the shellcode. When it finds a match, it retrieves the corresponding function's address and\r\ncalls it.\r\nFigure 5: API hashing technique used by shellcode\r\nThe hashing algorithm processes each character of the function name by converting it to uppercase (making it\r\ncase-insensitive), rotating the accumulated hash value 13 bits to the right, and adding the character's value.\r\nThis continues until the end of the name, producing a unique hash that hides the original function name.\r\nThe shellcode starts by setting up its execution environment. It walks through the Process Environment Block\r\n(PEB) to locate loaded DLLs. Then, using its hashing routine, it identifies key functions like LoadLibraryA and\r\nothers that it needs for network communication.\r\nOnce it locates LoadLibraryA, it loads wininet.dll, a system library used for internet-related functions. 
From there,\r\nit resolves APIs like InternetOpenA, laying the groundwork for contacting its command and control (C2) server.\r\nFigure 6: Resolve InternetOpenA and LoadLibraryA APIs\r\nC2 Communication\r\nThe shellcode initiates an HTTPS connection (port 443) to its C2 server at y2n273y10j[.]cfc-execute[.]bj[.]baidubce[.]com using InternetConnectA. During this stage, it sets a custom User-Agent string that\r\nmimics legitimate browser traffic:\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)\r\nBelow is an assembly snippet showing the actual call to InternetConnectA, used by the shellcode to initiate the\r\nHTTPS C2 connection.\r\nFigure 7: HTTP connection via C2\r\nReceiving And Executing Payload\r\nAfter the connection is established, the shellcode sends an HTTP request using HttpOpenRequestA and\r\nHttpSendRequestA, with options set via InternetSetOptionA. It includes a retry loop that tries up to 10 times if the\r\nconnection fails.\r\nOnce successful, it uses VirtualAlloc to create a memory region with read, write, and execute permissions. It then\r\ndownloads the payload directly into this memory space using InternetReadFile.\r\nFigure 8: Allocated memory region and payload execution\r\nFinally, the shellcode jumps to the start of the memory region and executes the downloaded payload.\r\nFollowing the execution analysis, we investigated whether the script or its payload was associated with known\r\nCobalt Strike infrastructure.\r\nPowerShell Cobalt Strike Beacon\r\nAfter analyzing the PowerShell scripts, we identified several encoded beacons associated with CobaltStrike\r\nloaders. 
An example of one such beacon is shown in the following figure.\r\nFigure 9: PowerShell script that decrypted the Cobalt Strike loader\r\nCobalt Strike Loader\r\nAfter decoding the Cobalt Strike loader, we observed that it implements a reflective DLL loading technique,\r\nwhich allows a DLL to be loaded directly from memory without relying on the standard Windows loader.\r\nFigure 10: Cobalt Strike loader\r\nCobalt Strike Beacon C2\r\nDuring analysis of the payload configuration, we extracted the command-and-control (C2) address 46.173.27.142.\r\nThis IP is associated with Beget LLC under ASN 198610, and geolocated to Russia (RU). Historical data from\r\nour platform indicates the IP was both first and last seen on May 28, 2025, suggesting short-lived or time-sensitive activity.\r\nThe C2 node operated over port 50050, and SSL certificate metadata reveals the Subject/Common Name as\r\n\"Major Cobalt Strike\", with the Issuer Organization listed as \"cobaltstrike\", strongly indicating usage of a\r\nCobalt Strike Beacon.\r\nThis infrastructure aligns with known Cobalt Strike deployment patterns used in post-exploitation and red team\r\noperations, as well as by threat actors leveraging cracked versions of the framework.\r\nFigure 11: SSL History related to 46.173.27.142\r\nTo understand the broader infrastructure footprint, we queried our certificate dataset for other Cobalt Strike\r\nindicators.\r\nHunting Cobalt Strike C2 via SSL\r\nThe query \"Certificates.IssuerOrganization:cobaltstrike\" returns 801 IP addresses. These are systems with SSL\r\ncerts showing \"cobaltstrike\" as the issuer. 
Since Cobalt Strike gets abused constantly by hackers, these IPs are\r\nlikely command-and-control servers actively used to manage attacker infrastructure.\r\nFigure 12: Hunting query related to the Cobalt Strike tool\r\nThese findings reinforce the presence of an actively maintained, evasive post-exploitation framework leveraging\r\nCobalt Strike infrastructure.\r\nSummary\r\nWe uncovered a simple but effective delivery method for Cobalt Strike using a PowerShell loader hosted in an\r\nopen directory. The loader executed entirely in memory, contacted a cloud-based C2 server, and relied on evasion\r\ntechniques like API hashing and reflective DLL loading.\r\nWhat made this stand out wasn't the techniques themselves, but how quietly they were combined. By tracing code\r\npatterns and SSL certificate metadata, we linked the activity to known Cobalt Strike infrastructure and exposed\r\npart of a broader setup likely used in post-compromise operations.\r\nWhile attribution remains unclear, the use of cracked Cobalt Strike beacons and ephemeral infrastructure is\r\nconsistent with techniques observed in financially motivated threat campaigns.\r\nRecommended Mitigation Strategies\r\nTo reduce the risk of similar attacks, start by tightening PowerShell usage. Set execution policies to restrict\r\nunsigned scripts and enable logging to capture suspicious activity. Look out for unusual commands, such as Add-Type or custom memory allocation.\r\nBlock known malicious IPs and domains, especially 46.173.27.142 and the Baidu Cloud endpoint used in\r\nthis case. Watch for strange outbound traffic, especially with fake User-Agent strings that mimic browsers.\r\nUse a good EDR solution that can catch in-memory attacks and reflective DLL loading. 
Turn on Windows\r\nDefender's Exploit Guard and ASR rules to stop common post-exploitation techniques.\r\nMonitor for SSL certificates with names like \"cobaltstrike\"; they're often a giveaway. Deploy all known\r\nIOCs (IPs, domains, certificates) across your security tools and hunt through historical logs.\r\nLimit internet access from sensitive machines, and train users not to run unknown scripts or access\r\nunsecured web directories. Disable scripting tools like PowerShell if they're not needed.\r\nCobalt Strike IOCs\r\nPowerShell Scripts\r\nSHA-256 Hash\r\ncdd757e92092b9a72dec0a7529219dd790226b82c69925c90e5d832955351b52\r\n23a04d2ae94998b26c42c327f9344b784eb00d0a42c0ade353275bdedff9824f\r\n27f88c7005f33bfc67731cb732c7c72e0cea7f97db1f15bcf5880d3e7f7f85eb\r\n6954005ab1b1d2deec940181674000e394f860fe4f626d6b0abf63453d5fff48\r\ned2b7d55781414cdb3e0f64de6d9fea9bf282ee49e12b112f9e0748d5266fd60\r\n1f0f4415b738198cc82359212f3ead281b7eb38070163a7782584f77346e619f\r\need87a02d126c3ac0ab90a66f4e4a58f24d6a0f4028a2643e83a3a8b075cb5ac\r\n69b1261eac205aefb6a5237ff3d87ef515e838184c1616ec935a4f7f4aa04ac1\r\n60652f62ec7772b611f3a62fd93d690e677b616e972a0444650f0a2ea597f77f\r\n1d4f814d06a3893545f51f1158d6677b1b083a90ab57ba03c58f8d26c29e5a10\r\nCobalt Strike C2\r\nC2 Server\r\ny2n273y10j[.]cfc-execute[.]bj[.]baidubce[.]com\r\n46.173.27.142\r\nCobalt Strike Open Directory Hosts\r\nIP Address Network CIDR ASN/Organization Country\r\n182.92.76.239 182.92.0.0/16 37963 (Hangzhou Alibaba Advertising Co.,Ltd.) CN\r\n35.240.168.8 35.240.0.0/13 396982 (GOOGLE-CLOUD-PLATFORM) SG\r\n167.71.215.63 167.71.0.0/16 14061 (DIGITALOCEAN-ASN) SG\r\n82.157.78.234 82.156.0.0/15 45090 (Shenzhen Tencent Computer Systems Company Limited) CN\r\n116.114.20.180 116.114.0.0/16 4837 (CHINA UNICOM China169 Backbone) CN\r\n111.229.158.40 111.229.0.0/16 45090 (Shenzhen Tencent Computer Systems Company Limited) CN\r\n123.207.215.76 123.206.0.0/15 45090 (Shenzhen Tencent Computer Systems Company Limited) CN\r\n217.114.8.138 217.114.0.0/20 198610 (Beget LLC) RU\r\n8.210.77.1 8.210.0.0/16 45102 (Alibaba US Technology Co., Ltd.) HK\r\n124.71.137.28 124.71.128.0/18 55990 (Huawei Cloud Service data center) CN\r\n137.184.103.54 137.184.0.0/16 14061 (DIGITALOCEAN-ASN) US\r\n8.137.147.254 8.136.0.0/13 37963 (Hangzhou Alibaba Advertising Co.,Ltd.) CN\r\n45.147.201.165 45.147.200.0/23 51659 (LLC Baxet) RU\r\n43.202.62.102 43.200.0.0/13 16509 (AMAZON-02) KR\r\n8.134.148.103 8.132.0.0/14 37963 (Hangzhou Alibaba Advertising Co.,Ltd.) CN\r\n124.223.12.165 124.220.0.0/14 45090 (Shenzhen Tencent Computer Systems Company Limited) CN\r\n146.190.72.88 146.190.0.0/17 14061 (DIGITALOCEAN-ASN) US\r\n150.158.214.98 150.158.0.0/16 45090 (Shenzhen Tencent Computer Systems Company Limited) CN\r\n121.37.66.33 121.36.0.0/15 55990 (Huawei Cloud Service data center) CN\r\n114.116.50.214 114.116.0.0/17 4808 (China Unicom Beijing Province Network) CN\r\n175.178.33.154 175.178.0.0/16 45090 (Shenzhen Tencent Computer Systems Company Limited) CN\r\n8.135.237.16 8.132.0.0/14 37963 (Hangzhou Alibaba Advertising Co.,Ltd.) CN\r\nSource: https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure"
	],
	"report_names": [
		"cobaltstrike-powershell-loader-chinese-russian-infrastructure"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439070,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e6ff2827eb768dfd76c0bb3480e31c5817b7949.pdf",
		"text": "https://archive.orkl.eu/4e6ff2827eb768dfd76c0bb3480e31c5817b7949.txt",
		"img": "https://archive.orkl.eu/4e6ff2827eb768dfd76c0bb3480e31c5817b7949.jpg"
	}
}