{
	"id": "bb624d9a-5f36-4696-b4c4-b054e21c3091",
	"created_at": "2026-04-06T00:12:19.519117Z",
	"updated_at": "2026-04-10T13:12:21.138183Z",
	"deleted_at": null,
	"sha1_hash": "5b7e6bd1662fe4a84ee03cde9d7cc7df0284607d",
	"title": "Cobalt Strike, a penetration testing tool abused by criminals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42224,
	"plain_text": "Cobalt Strike, a penetration testing tool abused by criminals\r\nBy Malwarebytes Labs\r\nPublished: 2021-05-31 · Archived: 2026-04-05 22:33:35 UTC\r\nIf you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for first place.\r\nMetasploit—probably the best-known project for penetration testing—is an exploit framework, designed to make it easy for someone to launch an exploit against a particular vulnerable target. Metasploit is notorious for being abused, yet modules are still being developed for it so that it continues to evolve. Cobalt Strike is in the same basket. Cobalt Strike offers a post-exploitation agent and covert channels, intended to emulate a quiet, long-term embedded actor in the target’s network.\r\nWhat is Cobalt Strike?\r\nCobalt Strike is a collection of threat emulation tools provided by HelpSystems to work in conjunction with the Metasploit Framework. Cobalt Strike and other penetration testing tools were originally created for network defenders, to train them to understand vulnerabilities and possible avenues of infection by cyber criminals. These tools are meant to simulate intrusions by motivated actors, and they have proven to be very good at this. So, while “white hat” hackers were developing tools to more easily emulate “black hat” activities, few considered how these tools might be turned against someone. (The terms “white hat” and “black hat” are also falling out of favor, as cybersecurity professionals adopt “red team” and “blue team” descriptors to describe offensive and defensive security teams.)\r\nEstablishing a foothold\r\nLately, we have seen targeted attacks by both state-sponsored threat actors and ransomware peddlers. What we mainly see in the ransomware field is an increasing number of manual infections, for example by using brute-force methods and exploiting vulnerabilities to break into networks. We have seen a significant uptick in these methods in 2020 and beyond. As a follow-up to these more manual types of attacks, as opposed to spray-and-pray phishing attacks, we are seeing threat actors who have compromised a server load tools like Cobalt Strike Beacon onto the system. Cobalt Strike Beacon provides encrypted communication with the C\u0026C server to send information and receive commands. Those commands can include instructions to download malware. After doing this, they can use Cobalt Strike to map out the network and identify any vulnerabilities, as well as deploy implants, backdoors, and other tools to accomplish lateral movement, eventually leading to complete network infection.\r\nBuilding out grip on the compromised network\r\nThis usually goes as follows: an infection occurs, be it through phishing, a manual breach by brute-forcing a port, or an exploit.\r\nhttps://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular-among-criminals/\r\nPage 1 of 3\r\nOnce an endpoint has been compromised, the actor looks to compromise a server on the network. There are numerous ways to accomplish this; in fact, last year we saw the ZeroLogon vulnerability used against domain admin servers, which essentially gave full admin rights to a criminal within seconds! Once the server is infected, Cobalt Strike is installed, and it is at this point that more advanced network monitoring, vulnerability identification and a range of other advanced features become available to the criminal. Now armed with more capabilities, the attacker can more quickly and completely compromise endpoints across the network, eventually launching ransomware, sometimes after all the juicy data saved on the network has been collected and exfiltrated.\r\nCobalt Strike is pricey\r\nNew Cobalt Strike licenses cost $3,500 per user for a one-year license. License renewals cost $2,585 per user, per year. But why would a cybercriminal worry about such costs? Criminals who are using these tools do not buy them from the vendor anyway. In many cases, leaked and older versions of Cobalt Strike are being used, and in some cases sophisticated threat actors, e.g. the group behind Trickbot, are building their own versions of Cobalt Strike, modified for their special needs and purposes.\r\nThe dilemma\r\nThis whole situation creates a strange moral grey area when you consider that tools developed by the good guys as a method of defense against the bad guys are now being used by the bad guys to infect the customers of the good guys. There is a fair amount of discussion among security professionals about whether it is a good idea to continue the free and unregulated development and release of these penetration testing tools, especially when some of them are almost indistinguishable from actual black hat tools, and a lot of finger pointing about whose responsibility it is to make sure these tools aren’t used for crime. But how could we do that, or is it already too late?\r\nThe need for pen-testing\r\nWhile we can see why major corporations deploy red teams to perform penetration testing, we also wonder whether it is right to develop the malware for the threat actors. One could argue that using the latest and newest actual forms of malware should be adequate to test whether your defenses are up to par.\r\nAs it stands now, we have ended up with a situation where there are paid, dedicated researchers who spend all day working on new tools for penetration testing and intrusion, which may very well end up being used by the criminals themselves. There are likely far fewer, if any, full-time malware tool developers who have the resources, time, and experience to create something of the same magnitude. So at the end of the day, the weapons created by the white and grey hats may be causing more harm than good in the long run because of a lack of control.\r\nThe problem it causes\r\nPen-testing is limited to the companies that can afford it and feel the need to do it. By using it they are not only adding to their own protection, which is their prerogative, but as a side effect they are enabling the development of more advanced penetration software.\r\nCombine that with an industry in which some penetration testers prefer that organizations are unable to defend themselves effectively against these tools, because it creates more business for penetration testing companies. If you pass the test every time with flying colors, you will start to doubt the effectiveness of said test.\r\nThis is the problem we currently have with penetration tools being hijacked by criminals. The organizations that employ penetration testers are involuntary enablers, who are protected from this threat while also being the main drivers of development and providers of resources. On the other side of the spectrum there are those who aren’t aware of the threat, and who will be the biggest victims once these tools fall into the hands of criminals.\r\nAs long as the consultants build new, more powerful tools and don’t pay attention to where the outdated and discarded tools end up, your neighbor can end up under attack by the tools you paid to develop. You are probably safe from the attack, but dozens of others, many in industries that can’t afford a consultant to test their security, are not safe, and in fact are at a greater risk than before you brought in your consultant.\r\nSource: https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular-among-criminals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular-among-criminals/"
	],
	"report_names": [
		"cobalt-strike-a-penetration-testing-tool-popular-among-criminals"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b7e6bd1662fe4a84ee03cde9d7cc7df0284607d.pdf",
		"text": "https://archive.orkl.eu/5b7e6bd1662fe4a84ee03cde9d7cc7df0284607d.txt",
		"img": "https://archive.orkl.eu/5b7e6bd1662fe4a84ee03cde9d7cc7df0284607d.jpg"
	}
}