{
	"id": "379ae769-dd7b-440e-a3ef-50fbc84dde1c",
	"created_at": "2026-04-06T00:07:37.201629Z",
	"updated_at": "2026-04-10T03:37:33.248018Z",
	"deleted_at": null,
	"sha1_hash": "54405331989e039f84527c7cd5d0f121ca54081a",
	"title": "Legitimate Sites used as Cobalt Strike C2s against Indian Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2763466,
	"plain_text": "Legitimate Sites used as Cobalt Strike C2s against Indian Government\r\nBy Claudio Di Giuseppe\r\nPublished: 2022-03-04 · Archived: 2026-04-05 23:37:36 UTC\r\n04 Mar 2022\r\nIntroduction\r\nThe Telsy Threat Intelligence team observed an attack against members of the Indian government or local institutions, which uses social engineering themes such as an investigation into a cyber attack or the classic COVID-19 theme.\r\nThe campaign, probably carried out via a spear phishing e-mail, starts with the opening of a legitimate PDF attachment containing a malicious URL from which an ISO file is downloaded. The ISO file contains LNK files and a malicious DLL that executes a Cobalt Strike beacon in memory.\r\nUsing a legitimate portal as C2, together with encrypted HTTPS communication, makes the campaign very quiet.\r\nCobalt Strike is a commercial penetration testing tool which gives security testers access to a large variety of attack capabilities.\r\nThis powerful network attack platform combines social engineering, unauthorized access tools, network pattern obfuscation, and a sophisticated mechanism for deploying malicious executable code on compromised systems.\r\nTherefore Cobalt Strike, although a legitimate tool used by ethical hackers, is also widely used by threat actors to launch real attacks against organizations.\r\nMost threat actors either use stolen/cracked versions of Cobalt Strike, or simply patch out the watermark value to disrupt attribution attempts.\r\nCobalt Strike’s watermark 1359593325 and the analyzed infection chain might lead one to think of the threat actor Nobelium aka APT29, due to the similarities both in components and in how the target is infected, as previously described by the security companies Volexity and Microsoft.\r\nUnfortunately, there is no clear evidence to attribute these campaigns to this threat actor.\r\nhttps://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/\r\nPage 1 of 15\r\nAnalysis\r\nFirst PDF Analysis\r\nThe 1st PDF found, with hash 0b1cc9a276712b1d6f379b43504bd1f1d8a49cfd, was uploaded to VirusTotal on 2021-12-08.\r\nThe PDF is intended to trick the user into downloading an ISO from “hxxps://www.instade.co.in/assets/frontend/av_check.iso”, which is still active at the time of writing. The domain “instade.co.in” appears to be legitimate: it uses a certificate issued by Sectigo and, according to information in the Whois registry, was registered in 2015.\r\nThe downloaded ISO, with hash d5edd698c944accea764ff74978ca3d86067afab, contains the following files:\r\n• 2dcbe02294e633f49806c2d5d0d1f1207a0b1959 – “malware check.lnk”\r\n• 9152e25c2574cccba6c7bfed2e598f9ce2afdcd0 – “Submit malware report.doc.lnk”\r\n• 44ee7f74ca1553af0e5484213dea676c66371e53 – “av_base/msvcwinrt.dll”\r\nOpening one of the LNK files causes the DLL to be executed and, consequently, the Cobalt Strike beacon infects the system. The DLL is executed via rundll32.exe by specifying the exported “InitShut()” function.\r\nThe DLL, as said, is just a Cobalt Strike loader; the Cobalt Strike beacon configuration is the following.\r\nThe Cobalt Strike beacon uses the same compromised domain as C2, as seen above for the ISO download.\r\nSecond PDF Analysis\r\nThe 2nd PDF analysed, with hash e648483ce584211520a20a155ebcd3f70166fa93 and named “President-Kovind-special-visit-2022.02.24.pdf”, is more recent and was uploaded to VirusTotal on 2022-02-24. This PDF uses COVID-19 prevention as a decoy before the meeting with the Indian president.\r\nThe targets of this campaign are most likely the participants of the event advertised on the Indian government portal, as members of one or more of these organizations:\r\n– Assam State\r\n– Guwahati Municipal\r\n– Tezpur University\r\n– Kaziranga National Park\r\n– Tiger Reserve\r\nThe PDF, like the previous one, tricks the user into downloading an ISO from the following URL: hxxps://tiny.one/covid22. Also in this case the link is still up at the time of writing.\r\nThe downloaded ISO, with hash e2ff656f52dccc9fb70e90dc94c4fce8ab14e8ed, contains the following files:\r\n• b2a095b6e1dad70df03763a385ff04a1036065be – “Register.lnk”\r\n• bd165723292f62e4be7ae60d12c25461900519fb – “Submit registration.lnk”\r\n• f80ee71efcea4736b41d6ffed777ff1bb5621043 – “data/msvcwinrt.dll”\r\nOnce the LNK file is opened, the malicious DLL is run through rundll32.exe specifying the exported function named “AwaitProperty()”.\r\nAlso in this case the DLL is a Cobalt Strike loader and the beacon has the following configuration.\r\nThe public key and the watermark are the same as in the previous beacon, but the C2 is the domain “covid.comesa.int”.\r\nThe same domain hosts the ISO, with hash e2ff656f52dccc9fb70e90dc94c4fce8ab14e8ed, at the following path: “hxxps://covid.comesa.int/wp-content/uploads/covid.iso”.\r\nThe domain appears to be compromised, as “comesa.int” is the official website of the Common Market of Eastern and Southern Africa.\r\nCobalt Strike dropper analysis\r\nBoth infection chains end in a Cobalt Strike loader and the DLLs are nearly the same, so the analysis has been conducted on the following hash: f80ee71efcea4736b41d6ffed777ff1bb5621043.\r\nAs said, the purpose of this DLL is to load and execute a Cobalt Strike beacon; indeed the sample appears very simple, even though the author has inserted some stub calls between the significant code.\r\nThe sample imports a minimal set of functions, so it needs to load libraries and APIs at runtime.\r\nLibrary and API names are stored in the data section, encrypted via an XOR operation, using a basic data structure. Every encrypted string has its own XOR key stored in the same data structure.\r\nThe structure is a basic array of structs; every item is 16 bytes long, and the array with the encrypted strings contains 24 items, like the array with the XOR keys.\r\nBefore entering the specific function used to decrypt the strings, it takes a random string 8 bytes long.\r\nThen it decrypts the string “kernel32;ntdll”, again using the XOR operator and a dedicated key.\r\nFinally, it decrypts the library name and the API name; notice how the threat actor uses a new allocation to store the decrypted string instead of reusing the existing space for in-place decryption.\r\nAfter the libraries and APIs are decrypted, the strings are hashed with a custom algorithm and stored in the structure named ‘data_structure’. Every hash takes 8 bytes.\r\nThe data structure will contain all the hashes and the randomly obtained initial condition.\r\nThe string is hashed 16 bytes at a time; the string, of course, can be of arbitrary length.\r\nWhen the string is smaller than 16 bytes, it is aligned to 16 bytes by adding 0x80 bytes and then setting the remainder to 0.\r\nOn the other hand, if the string is larger than 16 bytes, the hash is calculated in chunks of 16 bytes and the remainder follows the logic shown before. Of course the calculated hash is incremental, i.e. the hash of the n-th chunk is XORed with the hash of the (n-1)-th chunk, and so on.\r\nThe hash is computed starting from a generated random initial condition that, according to the string value, is updated multiple times in a loop and finally returned.\r\nBasically, it treats the string/chunk, since it is 16 bytes long, as blocks 4 bytes long, doing some shuffling and binary operations between the blocks themselves and the initial condition, which is updated from time to time.\r\nIn particular, the final hash is the result of 0x1b iterations of the hashing algorithm.\r\nIn the first for loop (line 30) the API string is copied as 4-byte blocks into an integer vector.\r\nThen, in the second while loop, the initial conditions are updated (line 48) according to the string blocks, which are updated too in the same while loop; the code seems contorted, so a basic re-implementation is given below.\r\nAs said, the hashes of every API to load are stored in the data structure; then the API addresses are searched for by doing a basic walk of the PEB and checking the hash.\r\nEvery module and API found is hashed and compared with the hash of the API string obtained initially.\r\nFinally, it loads all the APIs.\r\nThe payload is embedded in the binary using the compression algorithm LZNT1.\r\nIndeed, after allocating the required RW memory using VirtualAlloc(), the payload is decompressed and the pointer is returned.\r\nNot knowing the actual size of the decompressed payload, the memory to contain it is allocated using the size of the compressed payload * 3 as its size.\r\nThen the author wanted, perhaps for greater safety, to insert a further step, i.e. allocate a new memory area of exactly the decompressed payload size, copy the payload into it and execute it.\r\nThis way of writing the code is neither very logical nor correct.\r\nIndeed, assuming that the decompressed payload takes less than the initially allocated space, there is no problem in running it directly.\r\nOn the other hand, assuming what the author fears, i.e. a decompressed payload longer than the allocated memory, RtlDecompressBufferEx() will return the error STATUS_BAD_COMPRESSION_BUFFER, and this will lead to a NULL pointer access in the code, a very bad and basic error.\r\nAnother weird point is the use of hashes to resolve APIs. Usually, hashing is used to obfuscate strings and make analysis harder. Here the approach is hybrid; indeed, by tracing the sample, all the required APIs are uncovered thanks to the initial decryption step.\r\nThis behavior shows that the sample was likely written by a not-so-skilled programmer, or it is the product of a confused cut-and-paste of multiple pieces of code.\r\nAnyway, in the end the new memory is made executable and run.\r\nIndicators of Compromise\r\nATT\u0026CK Matrix\r\nThis report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which allows one to analyze and stay updated on adversaries and threats that could impact customers’ business.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/"
	],
	"report_names": [
		"legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54405331989e039f84527c7cd5d0f121ca54081a.pdf",
		"text": "https://archive.orkl.eu/54405331989e039f84527c7cd5d0f121ca54081a.txt",
		"img": "https://archive.orkl.eu/54405331989e039f84527c7cd5d0f121ca54081a.jpg"
	}
}