{
	"id": "542df570-eb63-4924-94e3-c6360b7b3bcd",
	"created_at": "2026-04-06T00:19:16.672892Z",
	"updated_at": "2026-04-10T03:24:24.600089Z",
	"deleted_at": null,
	"sha1_hash": "5b812bbe21d1d6f44c18f2441611a12c3b1362a4",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260345,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-05 19:46:04 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike\r\nPage 1 of 8\r\n\r\n161 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nFileHash-MD5: 1 | FileHash-SHA256: 1 | Domain: 1 | Hostname: 10\r\n**OTX Pulse Description: Cobalt Infrastructure Detection** Our latest findings indicate a notable collection of indicators associated with the Cobalt threat actor, encompassing 50 IOCs including IPs, domains, SHA256, and MD5 hashes. This infrastructure is linked to various C2 frameworks such as ValleyRAT, Mirai, ClearFake, and Cobalt Strike, with an average BDE (Big Data analytics Energy) Score of 85, highlighting its malicious potency. Security teams should prioritize monitoring for these indicators and implement defenses against techniques outlined in the MITRE ATT\u0026CK framework, including T1071 (Application Layer Protocol) and T1203 (Exploitation for Client Execution). Detection timestamp: [insert timestamp here].\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 114 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 116 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nHostname: 10\r\n**Pulse Description:** This pulse identifies 50 indicators consisting of IPs and domains associated with known Cobalt infrastructure, leveraging multiple command-and-control (C2) frameworks such as ValleyRAT, ClearFake, Mirai, Sliver, DeimosC2, and Cobalt Strike. The average Behavioral Detection Energy (BDE) Score is 85, indicating a significant threat level. Given the attribution to the Cobalt adversary, security teams should prioritize monitoring for these indicators and consider implementing defensive measures aligned with MITRE ATT\u0026CK techniques like T1071 (Application Layer Protocol) and T1203 (Exploitation for Client Execution). BDE (Big Data analytics Energy) Score: 85. Detection Timestamp: [Insert Timestamp Here].\r\n\r\n152 Subscribers\r\n35 Subscribers\r\nOz Batch: 36 IOCs (avg BDE: 85)\r\nHostname: 5\r\n**Pulse Description:** This finding highlights 36 indicators, including domains, IPs, and URLs associated with Cobalt infrastructure, leveraging sophisticated C2 frameworks such as ClearFake, Sliver, and Cobalt Strike. The average BDE score of 85 indicates high-risk activity. Given the attribution to the Cobalt adversary, organizations should monitor for these signatures and consider implementing defensive measures against MITRE ATT\u0026CK techniques like Credential Dumping (T1003) and Remote Access Tools (T1219). BDE (Big Data analytics Energy) Score: 85, detected on [current timestamp].\r\n\r\n152 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nFileHash-MD5: 1 | FileHash-SHA256: 1 | Hostname: 9\r\n**Pulse Description: Cobalt Infrastructure Detection** This pulse identifies 50 indicators associated with Cobalt infrastructure, including domains, IPs, and hashes linked to various C2 frameworks such as ClearFake, ValleyRAT, and Cobalt Strike. The average BDE (Big Data analytics Energy) Score is 85, indicating a high threat level. Notable MITRE ATT\u0026CK techniques include Tactics related to Remote Access Tools (RATs) and C2 communications. Given the adversarial attribution to Cobalt, security teams should prioritize monitoring and blocking these indicators to mitigate potential threats. Detection timestamp: [insert timestamp]. BDE Score: 85.\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2 | Hostname: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 120 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2 | Hostname: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 120 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2 | Hostname: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 120 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2 | Hostname: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 120 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-16\r\nFileHash-MD5: 2 | FileHash-SHA256: 2 | Hostname: 2\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 120 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nFileHash-MD5: 1 | FileHash-SHA256: 1 | Hostname: 9\r\n**OTX Pulse Description: Cobalt Infrastructure Detection** We have identified a significant collection of indicators associated with Cobalt infrastructure, including 50 distinct IOCs such as domains and IPs utilized by various C2 frameworks including ClearFake, ValleyRAT, and Cobalt Strike. The average BDE (Big Data analytics Energy) Score for these indicators is 85, indicating a high level of threat potency. This attribution to the Cobalt adversary aligns with known tactics, techniques, and procedures (TTPs) documented under MITRE ATT\u0026CK, particularly T1071.001 (Application Layer Protocol: Web Protocols). Detection Timestamp: [Insert timestamp here].\r\n\r\n152 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nFileHash-MD5: 1 | FileHash-SHA256: 1 | Hostname: 9\r\n**OTX Pulse Description: Cobalt Infrastructure Detection** This pulse identifies a significant Cobalt infrastructure with 50 associated indicators, encompassing domains, IPs, SHA256, and MD5 hashes. The detected command and control (C2) frameworks include notable variants such as ClearFake, ValleyRAT, and Cobalt Strike, suggesting coordinated malicious activities. The adversary linked to these indicators is attributed to Cobalt, a known threat actor with a record of sophisticated cyber operations. BDE (Big Data analytics Energy) Score: 85, Detection Timestamp: [Insert Timestamp Here].\r\n\r\n152 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nFileHash-MD5: 1 | FileHash-SHA256: 1 | Hostname: 9\r\n**Pulse Description:** This finding reveals a total of 50 indicators associated with Cobalt infrastructure, including domains, IPs, and hashes (MD5, SHA256). The indicators are linked to various C2 frameworks such as ClearFake, ValleyRAT, and Cobalt Strike, indicating a sophisticated adversary actively deploying malware. Notably, the average BDE (Big Data analytics Energy) Score is 85, highlighting the potential threat level of this infrastructure. Detection Timestamp: [Insert Timestamp Here]\r\n\r\n152 Subscribers\r\nOz Batch: 50 IOCs (avg BDE: 85)\r\nFileHash-MD5: 3 | FileHash-SHA256: 3 | Domain: 8 | Hostname: 11\r\n**Pulse Description: Cobalt Infrastructure Detection** This pulse identifies 50 indicators linked to the Cobalt adversary, including SHA256 and MD5 hashes, IP addresses, and domains associated with various C2 frameworks such as SystemBC, XWorm, Remcos, and Cobalt Strike. The high average BDE Score of 85 indicates significant threat potential. Security teams should investigate these indicators to mitigate risks associated with known techniques from the MITRE ATT\u0026CK framework, particularly T1071.001 (Application Layer Protocol). **BDE (Big Data analytics Energy) Score: 85** **Detection Timestamp: [insert timestamp]**\r\n\r\n152 Subscribers\r\nOSINT Volley 2026-02-15 - Cobalt Strike/Vidar/ClearFake\r\nURL: 52 | Domain: 17 | Hostname: 49\r\nAutomated OSINT sweep from ThreatFox. Top malware: Cobalt Strike(107), Vidar(78), ClearFake(66), AsyncRAT(45), Unknown malware(42). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 28 self-signed (C2 candidates). Pattern 54: sweep→volley automation.\r\n\r\n152 Subscribers\r\nThreatFox Hunt: Cobalt Strike IOCs - 2026-02-15\r\nFileHash-MD5: 2 | FileHash-SHA256: 2 | Hostname: 3\r\nAutomated ThreatFox hunt for Cobalt Strike indicators. 125 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT\u0026CK: T1071.001, T1059.001, T1055, T1105, T1027. Reference: https://analytics.dugganusa.com\r\n\r\n152 Subscribers\r\nOSINT Volley 2026-02-15 - Cobalt Strike/Vidar/ClearFake\r\nURL: 51 | Domain: 17 | Hostname: 48\r\nAutomated OSINT sweep from ThreatFox. Top malware: Cobalt Strike(107), Vidar(78), ClearFake(66), AsyncRAT(45), Unknown malware(40). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 29 self-signed (C2 candidates). Pattern 54: sweep→volley automation.\r\n\r\n152 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike"
	],
	"report_names": [
		"pulses?q=tag:Cobalt%20Strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b812bbe21d1d6f44c18f2441611a12c3b1362a4.pdf",
		"text": "https://archive.orkl.eu/5b812bbe21d1d6f44c18f2441611a12c3b1362a4.txt",
		"img": "https://archive.orkl.eu/5b812bbe21d1d6f44c18f2441611a12c3b1362a4.jpg"
	}
}