{
	"id": "03b1aff0-6421-408a-88ae-082d3c578f26",
	"created_at": "2026-04-06T00:17:29.600901Z",
	"updated_at": "2026-04-10T03:24:24.433074Z",
	"deleted_at": null,
	"sha1_hash": "509ccf7fa846d16798268d2645550182cba1fc1c",
	"title": "Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3873144,
	"plain_text": "Vermilion Strike: Linux and Windows Re-implementation of\r\nCobalt Strike\r\nBy Avigayil Mechtinger\r\nPublished: 2021-09-13 · Archived: 2026-04-05 15:57:41 UTC\r\nKey Findings\r\nDiscovered Linux \u0026 Windows re-implementation of Cobalt Strike Beacon written from scratch\r\nLinux malware is fully undetected by vendors\r\nHas IoC and technical overlaps with previously discovered Windows DLL files\r\nHighly targeted with victims including telecommunications, government and finance\r\nCobalt Strike is a popular red team tool for Windows which is also heavily used by threat actors. At the time of\r\nthis writing, there is no official Cobalt Strike version for Linux.\r\nIn August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which\r\nwe named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when\r\ncommunicating to the C2 server and has Remote Access capabilities such as uploading files, running shell\r\ncommands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was\r\nuploaded from Malaysia.\r\nBased on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been\r\nactive in the wild since August targeting telecom companies, government agencies, IT companies, financial\r\ninstitutions and advisory companies around the world. Targeting has been limited in scope, suggesting that this\r\nmalware is used in specific attacks rather than mass spreading.\r\nAfter further analysis, we found Windows samples that use the same C2. The samples are re-implementations of\r\nCobalt Strike Beacon. 
The Windows and ELF samples share the same functionality.\r\nThe sophistication of this threat, its intent to conduct espionage, the fact that the code hasn’t been\r\nseen before in other attacks, and the fact that it targets specific entities in the wild together lead us to\r\nbelieve that this threat was developed by a skilled threat actor.\r\nIn this post we provide a technical analysis of the samples and explain how you can detect and respond to this\r\nthreat.\r\nTechnical Analysis\r\nLinux File\r\nThe file was uploaded to VirusTotal from Malaysia and has no detections in VirusTotal at the time of this writing.\r\nhttps://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/\r\nPage 1 of 9\n\n294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc in VirusTotal\r\nVermilion Strike analysis in Intezer.\r\nThe file shares strings with previously seen Cobalt Strike samples and triggers a number of YARA rules that detect\r\nencoded Cobalt Strike configurations. The ELF file was built on a Red Hat Linux distribution and links dynamically\r\nagainst OpenSSL. The shared object names for OpenSSL on Red Hat-based distributions differ from those on other\r\nLinux distributions, so the sample can only run on machines whose distribution is based on Red Hat’s code\r\nbase.\r\nInitialization\r\nThe sample starts by forcing itself to run in the background using daemon(). It then decrypts the configuration using\r\nthe XOR key 0x69, shown in the screenshot below. The key 0x69 is the same value Cobalt Strike uses for its\r\nencoded Beacon configuration (Cobalt Strike 4.x switched to 0x2e, so extractors typically try both). Vermilion Strike’s\r\nconfiguration format is the same as Cobalt Strike’s, so tools used for extracting Cobalt Strike configurations can\r\nalso be used to extract Vermilion Strike’s configuration. 
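The extraction described above, as an added example (not code from the original post, from Intezer, or from Cobalt Strike itself): the Python below builds a small Beacon-style configuration, XOR-encodes it with 0x69 and recovers it the way a generic Cobalt Strike config extractor does. It scans for the encoded form of the first record (index 1, type 1, length 2, which under 0x69 becomes the bytes 69 68 69 68 69 6b that public YARA rules match on), decodes with whichever key matched, then walks the big-endian index/type/length records until the all-zero terminator. The sample settings, the 64-byte padding of the C2 entry, the URI path and the short index-to-name table are constructed for illustration; a real extractor carries the full Beacon setting map.

```python
import struct

# Cobalt Strike 3.x Beacons XOR the embedded config with 0x69 (the key Vermilion
# Strike also uses); Cobalt Strike 4.x switched to 0x2e, so extractors try both.
XOR_KEYS = (0x69, 0x2e)

# Setting value types in the Beacon config TLV format.
T_SHORT, T_INT, T_DATA = 1, 2, 3

# Subset of the public Beacon setting map, enough for this constructed sample.
NAMES = {1: 'BeaconType', 2: 'Port', 3: 'SleepTime', 4: 'MaxGetSize',
         5: 'Jitter', 8: 'C2Server', 9: 'UserAgent'}

def encode_setting(index, typ, value):
    # One record: uint16 index, uint16 type, uint16 length, then the value,
    # all big-endian. Shorts are 2 bytes, ints 4, data records carry raw bytes.
    if typ == T_SHORT:
        data = struct.pack('>H', value)
    elif typ == T_INT:
        data = struct.pack('>I', value)
    else:
        data = value
    return struct.pack('>HHH', index, typ, len(data)) + data

def build_encoded_config(settings, key):
    # settings: iterable of (index, type, value); the result is what would sit
    # in the binary, already XOR-encoded with key.
    raw = b''.join(encode_setting(i, t, v) for i, t, v in settings)
    raw += bytes(8)  # all-zero record marks the end of the config
    return bytes(b ^ key for b in raw)

def find_config(blob):
    # The first record is always index 1 / type 1 / length 2; its encoded form
    # is the marker YARA rules look for (69 68 69 68 69 6b for key 0x69).
    for key in XOR_KEYS:
        marker = bytes(b ^ key for b in bytes.fromhex('000100010002'))
        off = blob.find(marker)
        if off != -1:
            return key, off
    return None, -1

def parse_config(blob):
    # Returns a dict of decoded settings, or None if no encoded config is found.
    key, off = find_config(blob)
    if key is None:
        return None
    dec = bytes(b ^ key for b in blob[off:])
    cfg = {'_xor_key': key}
    pos = 0
    while pos + 6 <= len(dec):
        idx, typ, ln = struct.unpack_from('>HHH', dec, pos)
        pos += 6
        if idx == 0:
            break
        if typ == T_SHORT:
            val = struct.unpack_from('>H', dec, pos)[0]
        elif typ == T_INT:
            val = struct.unpack_from('>I', dec, pos)[0]
        else:
            val = dec[pos:pos + ln].rstrip(bytes(1)).decode('latin-1')
        pos += ln
        cfg[NAMES.get(idx, 'Setting%d' % idx)] = val
    return cfg

# Constructed sample: a few ELF-header-looking bytes, then an encoded config
# pointing at one of the C2 domains from the post (the URI path is made up).
SAMPLE_BLOB = bytes.fromhex('7f454c4602010100') + build_encoded_config([
    (1, T_SHORT, 0),        # BeaconType 0 = HTTP in the public setting map
    (2, T_SHORT, 80),
    (3, T_INT, 60000),      # sleep in milliseconds
    (5, T_SHORT, 10),       # jitter percent
    (8, T_DATA, b'update.microsofthk.com,/updates'.ljust(64, bytes(1))),
], 0x69)

if __name__ == '__main__':
    for name, value in parse_config(SAMPLE_BLOB).items():
        print(name, value)
```

This is the same approach that, per the post, works on the Vermilion Strike ELF: the Windows-only settings it returns are simply ignored by the Linux beacon, and trying 0x2e as well covers Cobalt Strike 4.x samples.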
The Windows\r\ncomponents of the configuration are ignored by this Linux version.\r\nDecoded configuration of the beacon.\r\nFurther decryption is performed on the heap, producing the decoded strings, keys and values the beacon needs for its\r\noperation. The beacon then generates a SHA256 hash from a random number seeded with the thread\r\nID; this value is used later in DNS beaconing. Next, a public RSA key is imported for later use.\r\nImporting of the public RSA key used to encrypt the machine fingerprint.\r\nThe beacon then begins fingerprinting the machine. A random number is generated and the process ID is\r\nfetched. It grabs the kernel version of the machine using uname. Next, the beacon collects network\r\ninformation through the getifaddrs function: it loops through the interfaces looking for IPv4 addresses, picks\r\nan interface whose address is not “127.0.0.1” and stages that IPv4 address.\r\nNetwork interface fingerprinting.\r\nNext, the beacon looks up the entry in the local password database for the current\r\neffective user ID of the process.\r\nFingerprinting of local password database.\r\nThe beacon then fingerprints the hostname of the machine. The collected information is formatted into a\r\nstring, encrypted with the public RSA key, and base64 encoded, as is standard for communication with a Cobalt\r\nStrike server. The stages are shown below.\r\nStages of formatting the machine fingerprint.\r\nPrepended to the fingerprint string is the value “1.0.1.LR”. This appears to be an internal version string. 
A similar\r\nstring, “W1.0.1”, was found in a newly discovered Windows sample of Vermilion Strike that shares the same C2\r\nand malware functionality.\r\nThe encrypted data is sent to the C2 server in the same way a Cobalt Strike beacon sends its metadata\r\nto the C2 server. The plaintext that gets encrypted starts with the marker 0xbeef, the same marker used by the\r\nlegitimate Cobalt Strike beacon.\r\nCommand and Control\r\nCommand and Control is primarily performed over DNS but is also available over HTTP. This DNS-based approach\r\nto communications can help avoid traditional defenses that monitor HTTP traffic. Commands are received via\r\nDNS Address (A) and Text (TXT) records. The beacon first makes DNS requests to hardcoded subdomains\r\nand gets an IP address back. Normally a DNS lookup translates a hostname into an IP\r\naddress to connect to. In this case the returned IP address is never connected to; its value is a trigger that\r\nchanges the beacon’s behavior.\r\nOnce the beacon gets the signal to download a task, it performs a DNS TXT query to the domain’s\r\nnameservers, as shown below.\r\nPacket capture of C2 communication.\r\nThe result of the TXT query is a base64 encoded, AES encrypted struct containing task information. An\r\nexample of a returned task is shown below.\r\nA DNS TXT query result for a task.\r\nA decrypted task is shown below.\r\nDecrypted command.\r\nTasks that the beacon can perform are:\r\nChange working directory\r\nGet current working directory\r\nAppend/write to file\r\nUpload file to C2\r\nExecute command via popen\r\nGet disk partitions\r\nList files\r\nThe malware uses a separate thread to execute the tasks. The tasks are scheduled as jobs via a semaphore to ensure\r\nthat not too many jobs are executed at once. 
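The traffic pattern described above, as an added example that is neither Intezer’s detection logic nor code from the post: the Python below runs a simple heuristic over a few constructed resolver log lines. A client that repeatedly resolves names under one domain to addresses in a non-routable signal range and then receives a TXT answer that base64-decodes to a random-looking blob whose length is a multiple of the AES block size is reported as a DNS beacon candidate. The log line shape (timestamp, client, query type, name, answer), the 0.0.0.0/8 signal range, the thresholds and the entropy cutoff are assumptions for illustration and should be tuned against your own logs; a legitimate SPF lookup is included to show a TXT answer that does not qualify.

```python
import base64
import ipaddress
import math
from collections import defaultdict

# Assumed signal range: Cobalt Strike DNS beacons answer idle polls with
# 0.0.0.0 by default, and the post says the answers are triggers, not hosts.
SIGNAL_NET = ipaddress.ip_network('0.0.0.0/8')
MIN_SIGNAL_ANSWERS = 3   # polls in the signal range before we care
MIN_TASK_BYTES = 16      # one AES block
MIN_ENTROPY = 3.5        # bits per byte; ciphertext sits well above this

def registered_domain(name):
    # Crude: keep the last two labels (good enough for the domains in the post).
    parts = name.rstrip('.').lower().split('.')
    return '.'.join(parts[-2:])

def entropy(data):
    # Shannon entropy in bits per byte.
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def decode_task(txt):
    # A task is base64 over AES ciphertext, so the decoded blob should be at
    # least one block, block-aligned and close to random. Anything else
    # (SPF, DKIM, verification tokens) fails one of these checks.
    try:
        raw = base64.b64decode(txt, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return None
    if len(raw) < MIN_TASK_BYTES or len(raw) % 16:
        return None
    return raw if entropy(raw) > MIN_ENTROPY else None

def parse_line(line):
    # Constructed log shape: timestamp client qtype qname answer
    ts, client, qtype, qname, rdata = line.split(maxsplit=4)
    return ts, client, qtype.upper(), qname.lower(), rdata

def detect_dns_beacons(lines):
    # Returns sorted (client, domain) pairs that saw enough signal answers
    # and at least one task-like TXT answer.
    stats = defaultdict(lambda: {'signals': 0, 'tasks': 0})
    for line in lines:
        _, client, qtype, qname, rdata = parse_line(line)
        key = (client, registered_domain(qname))
        if qtype == 'A':
            try:
                if ipaddress.ip_address(rdata) in SIGNAL_NET:
                    stats[key]['signals'] += 1
            except ValueError:
                pass          # not an address; ignore
        elif qtype == 'TXT' and decode_task(rdata) is not None:
            stats[key]['tasks'] += 1
    return sorted(k for k, s in stats.items()
                  if s['signals'] >= MIN_SIGNAL_ANSWERS and s['tasks'] >= 1)

# Constructed sample log. The task blob is 32 distinct bytes so it is
# block-aligned and high-entropy; real tasks are AES ciphertext.
TASK_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_LOG = [
    '2021-09-01T10:00:00Z 10.0.0.5 A a1b2c3d4.update.microsofthk.com 0.0.0.0',
    '2021-09-01T10:01:00Z 10.0.0.5 A a1b2c3d4.update.microsofthk.com 0.0.0.0',
    '2021-09-01T10:02:00Z 10.0.0.5 A a1b2c3d4.update.microsofthk.com 0.0.0.1',
    '2021-09-01T10:02:01Z 10.0.0.5 TXT api.a1b2c3d4.update.microsofthk.com ' + TASK_B64,
    '2021-09-01T10:00:30Z 10.0.0.9 A www.example.com 93.184.216.34',
    '2021-09-01T10:00:31Z 10.0.0.9 TXT example.com v=spf1 -all',
]

if __name__ == '__main__':
    print(detect_dns_beacons(SAMPLE_LOG))
```

The domain list in the IoCs section is the quick win; the heuristic is for the case where the actor rotates domains but keeps the protocol, which is exactly what a from-scratch re-implementation makes easy.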
Vermilion Strike has a third way of communicating with the C2 server: ICMP ping messages. The malware writes the current pid at\r\noffset 0x4 of the ICMP header (the identifier field of an echo message) and sends the encrypted payload\r\nas the data of the ICMP packet. The data size of an ICMP packet is limited to 65,507 bytes, but the malware\r\nuses a size limit of 64,000 bytes for the payload. The code for sending and processing ICMP messages exists in\r\nthe malware, but the code for enabling it via the configuration is not present. This means it has the capability but\r\ncan’t be configured to use it, which suggests a new feature that hasn’t been fully developed yet.\r\nLinks to Windows Files\r\nWhile investigating this Linux file, we discovered related Windows samples. The first sample we noticed was\r\n3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc. This is a 32-bit EXE that\r\nshares a C2 IP address (160.202.163[.]100). It is a stager that fetches a DLL from the C2 over HTTP and\r\nexecutes it in memory.\r\nAn example of the next-stage DLL is\r\n7129434afc1fec276525acfeee5bb08923ccd9b32269638a54c7b452f5493492. This sample, first noticed in 2019\r\nby Silas Cutler, is the Windows DLL equivalent of the ELF file. The functionality is almost exactly the same,\r\napart from the differences imposed by the Windows environment. A side-by-side comparison of the configuration decoding function for the\r\nELF and DLL beacons is shown below.\r\nConfiguration decryption function comparison.\r\nThe DLL has the same C2 domains as the ELF, as well as an additional configured domain,\r\n“amazon.hksupd[.]com”.\r\nUsing the stager we managed to get a new payload from the server\r\n(e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5). It shares a lot of code with the\r\nsample from 2019. 
This sample and another Windows version of Vermilion Strike\r\n(c49631db0b2e41125ccade68a0fe7fb70939315f1c580510e40e5b30ead868f5) include a version string similar to\r\nthe ELF version’s. The version string in these samples is “W1.0.1”.\r\nInternal version string in recent Windows versions.\r\nConclusion\r\nVermilion Strike and other Linux threats remain a constant concern. The predominance of Linux servers in the cloud,\r\nand its continued rise, invites APTs to modify their toolsets in order to navigate that environment. Linux\r\nthreats often have low detection rates compared to their Windows counterparts, for reasons discussed in Why\r\nwe Should be Paying More Attention to Linux Threats.\r\nVermilion Strike is not the only Linux port of Cobalt Strike’s Beacon. Another example is the open-source project\r\ngeacon, a Go-based implementation. Vermilion Strike may not be the last Linux implementation of Beacon.\r\nDetection and Response\r\nIntezer can detect both Linux and Windows variants of Vermilion Strike, based on code reuse, TTPs and strings.\r\nShown below are the verdicts for both versions.\r\nIntezer verdict of Windows version of Vermilion Strike.\r\nIntezer verdict of Linux version of Vermilion Strike.\r\nDetect if a Machine in Your Network Has Been Compromised\r\nWe recommend using the IoCs section below to ensure that the Vermilion Strike process does not exist anywhere\r\non your systems.\r\nResponse\r\nIf you are a victim of this operation, take the following steps:\r\n1. Kill the process and delete all files related to the malware.\r\n2. Make sure that your machine is clean and running only trusted code.\r\n3. 
Make sure that your software is up to date with the latest versions and security patches and configured according to\r\nsecurity best practices.\r\nIoCs\r\nELF\r\n294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc\r\nPE\r\nStager\r\n3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc\r\nBeacon\r\n7129434afc1fec276525acfeee5bb08923ccd9b32269638a54c7b452f5493492\r\nc49631db0b2e41125ccade68a0fe7fb70939315f1c580510e40e5b30ead868f5\r\n07b815cee2b85a41820cd8157a68f35aa1ed0aa5f4093b8cb79a1d645a16273f\r\ne40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5\r\nC2\r\n160.202.163[.]100\r\nupdate.microsofthk[.]com\r\nupdate.microsoftkernel[.]com\r\namazon.hksupd[.]com\r\nIntezer would like to thank McAfee ATR for their help during the research process.\r\nSource: https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
	],
	"report_names": [
		"vermilionstrike-reimplementation-cobaltstrike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/509ccf7fa846d16798268d2645550182cba1fc1c.pdf",
		"text": "https://archive.orkl.eu/509ccf7fa846d16798268d2645550182cba1fc1c.txt",
		"img": "https://archive.orkl.eu/509ccf7fa846d16798268d2645550182cba1fc1c.jpg"
	}
}