{
	"id": "ae330e27-5ee0-4fd9-9368-4ede39759a45",
	"created_at": "2026-04-06T00:10:14.469653Z",
	"updated_at": "2026-04-10T13:12:02.324035Z",
	"deleted_at": null,
	"sha1_hash": "5267eb883cf0bf3ef632b204c5280b561d155294",
	"title": "Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245444,
	"plain_text": "Cobalt Strike: Using Known Private Keys To Decrypt Traffic –\r\nPart 1\r\nBy Didier Stevens\r\nPublished: 2021-10-21 · Archived: 2026-04-05 15:04:07 UTC\r\nWe found 6 private keys for rogue Cobalt Strike software, enabling C2 network traffic decryption.\r\nThe communication between a Cobalt Strike beacon (client) and a Cobalt Strike team server (C2) is encrypted\r\nwith AES (even when it takes place over HTTPS). The AES key is generated by the beacon, and communicated to\r\nthe C2 using an encrypted metadata blob (a cookie, by default).\r\nRSA encryption is used to encrypt this metadata: the beacon has the public key of the C2, and the C2 has the\r\nprivate key.\r\nFigure 1: C2 traffic\r\nPublic and private keys are stored in file .cobaltstrike.beacon_keys. These keys are generated when the Cobalt\r\nStrike team server software is used for the first time.\r\nDuring our fingerprinting of Internet facing Cobalt Strike servers, we found public keys that are used by many\r\ndifferent servers. This implies that they use the same private key, thus that their .cobaltstrike.beacon_keys file is\r\nshared.\r\nOne possible explanation we verified: are there cracked versions of Cobalt Strike, used by malicious actors, that\r\ninclude a .cobaltstrike.beacon_keys? This file is not part of a legitimate Cobalt Strike package, as it is generated at\r\nhttps://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/\r\nPage 1 of 4\n\nfirst time use.\r\nSearching through VirusTotal, we found 10 cracked Cobalt Strike packages: ZIP files containing a file named\r\n.cobaltstrike.beacon_keys. Out of these 10 packages, we extracted 6 unique RSA key pairs.\r\n2 of these pairs are prevalent on the Internet: 25% of the Cobalt Strike servers we fingerprinted (1500+) use one of\r\nthese 2 key pairs.\r\nThis key information is now included in tool 1768.py, a tool developed by Didier Stevens to extract configurations\r\nof Cobalt Strike beacons.\r\nWhenever a public key is extracted with known private key, the tool highlights this:\r\nFigure 2: 1768.py extracting configuration from beacon\r\nAt minimum, this information is further confirmation that the sample came from a rogue Cobalt Strike server (and\r\nnot a red team server).\r\nUsing option verbose, the private key is also displayed.\r\nhttps://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/\r\nPage 2 of 4\n\nFigure 3: using option verbose to display the private key\r\nThis can then be used to decrypt the metadata, and the C2 traffic (more on this later).\r\nFigure 4: decrypting metadata\r\nIn upcoming blog posts, we will show in detail how to use these private keys to decrypt metadata and decrypt C2\r\ntraffic.\r\nAbout the authors\r\nDidier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler\r\nhttps://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/\r\nPage 3 of 4\n\nand Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find\r\nDidier on Twitter and LinkedIn.\r\nYou can follow NVISO Labs on Twitter to stay up to date on all our future research and publications.\r\nPublished October 21, 2021March 10, 2022\r\nPost navigation\r\nSource: https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/\r\nhttps://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/"
	],
	"report_names": [
		"cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5267eb883cf0bf3ef632b204c5280b561d155294.pdf",
		"text": "https://archive.orkl.eu/5267eb883cf0bf3ef632b204c5280b561d155294.txt",
		"img": "https://archive.orkl.eu/5267eb883cf0bf3ef632b204c5280b561d155294.jpg"
	}
}