{
	"id": "edcb680f-e326-470e-a019-8d9d87d19cc9",
	"created_at": "2026-04-06T01:30:54.535941Z",
	"updated_at": "2026-04-10T13:12:32.165751Z",
	"deleted_at": null,
	"sha1_hash": "5db18b94a6e016493e08356ce09dd6d6ee7dbdd1",
	"title": "Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 313377,
	"plain_text": "Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity\r\nPublished: 2024-12-03 · Archived: 2026-04-06 00:11:33 UTC\r\n\r\nTABLE OF CONTENTS\r\n- A New Version \u0026 Watermark 688983459\r\n- Infrastructure Analysis\r\n- Downloading Beacons\r\n- One More Thing: A Curious Cluster with Watermark 1\r\n- Conclusion\r\n- Watermark 1 Cluster\r\n\r\nHunt researchers recently uncovered a cluster of suspicious infrastructure using Cobalt Strike's latest version, 4.10, released in July 2024. Despite efforts to disrupt unauthorized use, malicious actors continue to exploit the tool's post-exploitation features for nefarious purposes. According to our scan data, these servers are highlighted by a unique watermark shared by only five other IPs across the internet.\r\nNotably, the domains associated with the team servers (which first showed in our scans on 19 November) impersonate well-known brands, suggesting a targeted approach to deceive users, possibly through phishing. This post presents our analysis, including detailed examinations of the IP addresses, domains, and beacon configurations involved.\r\n\r\nA New Version \u0026 Watermark 688983459\r\nCobalt Strike 4.10 introduced several enhancements to improve cybersecurity practitioners' efficiency. These updates offer improved flexibility, greater control, and improved evasion techniques, which, while intended for legitimate security testing, can also be leveraged by malicious actors.\r\nBelow are three of the most impactful (in our opinion) features introduced:\r\n- BeaconGate: Enables operators to route Beacon's Windows API calls through a customizable interface, enhancing evasion strategies.\r\n- Postex Kit: Provides a comprehensive set of post-exploitation tools designed to enhance system interaction after initial access.\r\n- Sleepmask-VS: Introduces an updated sleep masking mechanism that hides Beacon's activity during idle periods, reducing detection risks.\r\n\r\nWatermarks Explained\r\nIn Cobalt Strike, a watermark is a unique identifier embedded within the software and its payloads that is linked to a specific license/customer. While watermarks help link activity to specific operators when seen across different instances, their effectiveness is limited by the ease of spoofing and the widespread availability of leaked or pirated versions.\r\nLow-prevalence watermarks may indicate activity not widely recognized by defenders, such as emerging malicious campaigns. Conversely, red team exercises may be more apt to keep default values, which could also result in rarely seen watermarks.\r\nWatermark 688983459 was identified during our research into Cobalt Strike team servers. This identifier, seen by our scanners across only 7 other IP addresses, seemed like a worthy candidate to analyze further. This discovery led us to infrastructure using the latest version of Cobalt Strike, as well as domains and configuration patterns, which we discuss below.\r\n\r\nInfrastructure Analysis\r\nBeyond the shared watermark, the servers exhibit additional commonalities. All team servers are hosted in the United States within Amazon's network infrastructure, except for one utilizing Microsoft's services.\r\nAdditionally, the cluster shares network port configurations, specifically using port 80 for the Cobalt Strike team server.\r\nWe'll quickly cover the beacon configuration, which can be viewed by clicking on the \"i\" button next to any detected team server in Hunt.\r\nhttps://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity\r\nPage 1 of 6\r\nFigure 1: Screenshot showing the \"i\" button, which allows users to quickly view beacon configurations in Hunt without downloading them.\r\nSimilarities between IP addresses, such as shared SSH keys, IoCs from reports, certificates, config, and redirects, are all available to quickly pivot on under the \"Associations\" tab in Hunt.\r\nWe found servers sharing the same config by drilling down into the aforementioned tab, uncovering six additional IPs, as seen in Figure 2 below.\r\nFigure 2: Associations tab showing six additional IP addresses sharing the same watermark (Hunt).\r\nAnother data point that assists in clustering suspicious infrastructure is the public key, which is also embedded within the beacon configuration. In our research, dd25ce57906d453385b35daaed5433a6901ca3cb071245c90b1d2781f6078769 was shared across all 7 servers. Below are some of the more interesting config fields, starting with IP address 44.203.181[.]185.\r\nendpoint: http://downloads.yourcoupons[.]net/jquery-3.3.1.min.js\r\nSETTING_USERAGENT : Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nSETTING_SUBMITURI : /jquery-3.3.2.min.js\r\nFigure 3 below displays an example config from our first server.\r\nFigure 3: Example beacon configuration including endpoints, user-agent, and submituri fields in Hunt.\r\nSo as not to bore you with multiple repetitive screenshots, we'll list the remaining IP addresses in the table below.\r\n\r\nIP Address | ASN | Resolving Domain | Domain in Config | First Seen\r\n34.238.135[.]169 | Amazon Technologies Inc. | api.toptechmanagementgroup[.]com, downloads.toptechmanagementgroup[.]com | downloads.toptechmanagementgroup[.]com | 2024-11-26\r\n52.91.17[.]36 | Amazon Technologies Inc. | N/A | downloads.abyanfinancial[.]com | 2024-11-25\r\n52.205.213[.]5 | Amazon Technologies Inc. | downloads.uscga[.]co | Same | 2024-11-25\r\n74.235.246[.]236 | Microsoft Corporation | public.open-dns[.]uk | Same | 2024-11-19\r\n184.72.118[.]160 | Amazon Data Services NoVa | N/A | downloads.my-icecream[.]com | 2024-11-25\r\n184.73.81[.]49 | Amazon Data Services NoVa | dev-monitor.upsideapp[.]com | downloads.helpsdeskmicrosoft[.]com | 2024-11-25\r\n\r\nAfter reviewing the domains in the table above, it's pretty clear this cluster of infrastructure is geared towards brand impersonation. Domain names like downloads.helpsdeskmicrosoft[.]com and public.open-dns[.]uk mimic legitimate organizations, likely aiming to blend in with network traffic.\r\nOthers, such as downloads.uscga[.]co and downloads.abyanfinancial[.]com, suggest possible targeting of specific sectors or entities.\r\nDuring our research into this group of IPs, we could not identify any recent TLS certificates associated with the servers, indicating the infrastructure may still be in the early stages of development, or that the operators are purposefully not using certificates to evade further scrutiny.\r\n\r\nDownloading Beacons\r\nWe were able to extract a handful of payloads from the above team servers, which offered a chance for further analysis. Analyzing these beacons allows security professionals to develop detection signatures, understand operator TTPs, and possibly identify additional, previously unknown infrastructure.\r\nWhile a detailed examination of the payloads is beyond the scope of this post, we are sharing the SHA-256 hashes below and encourage the community to dig into these samples and analyze any shellcode or malicious artifacts.\r\nReminder: It's not uncommon for red teamers or malicious network operators to serve benign files in an attempt to protect the Team Server.\r\n\r\nTeam Server | SHA-256 | File Size\r\n52.205.213[.]5 | ae352f86b470dfa999f3d50394876209d19bc06af2e246758f150f55eaa2a787 | 273.09 KB\r\n44.203.181[.]185 | d884ccc9aa3b1d1a018d7cb4a1d80da7142e934178ef0fc6faff7b1f1f7fa6c1 | 273.09 KB\r\n34.238.135[.]169 | 889e4f388ac6fd9d5f1025ed32276eb0fef2717c8d387fb82d5a8438bbe6025e | 273.07 KB\r\n184.73.81[.]49 | a2ed422d92f5963468c9e3c615754dc7e31acd51b7372386d7694747bc2d9897 | 273.08 KB\r\n184.72.118[.]160 | e2a82f971d011675ad387beb2ef943824b2e62e3aab5f9ef79516c11693a6636 | 273.07 KB\r\n\r\nOne More Thing: A Curious Cluster with Watermark 1\r\nBefore wrapping up this post, we wanted to briefly highlight another small cluster of team servers we observed using a watermark of 1. This value has typically been associated with cracked or leaked versions of Cobalt Strike.\r\nIn 2020, Amnesty International reported that the FinSpy spyware targeting macOS and Linux systems employed the same watermark. We see no links between this case and FinSpy; however, adding historical context can assist in highlighting the potential significance of findings.\r\nGiven that this group of servers varies greatly by version and other factors, we'll quickly detail some of the more interesting servers and provide the rest at the end of this post.\r\n\r\nIP Address: 113.250.188[.]15\r\nASN: Chongqing Telecom\r\nCobalt Strike Version: 4.3\r\nendpoints: 113.250.188[.]15/en_US/all.js\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)\r\nPUBKEY: 2be79284671f4a3d7aa1158731c3ac3e499bfb1ca637e237e04acdd91a3e67c4\r\n\r\nIP Address: 36.137.91[.]198\r\nASN: China Mobile Communications Group Co., Ltd.\r\nCobalt Strike Version: 4.2\r\nendpoints: http://36.137.91[.]198:18443/cx\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MATMJS)\r\nPUBKEY: 713cb0954ca69d973628c711744046d0b9dc7f6036175184389b31bd8ddbd7e3\r\n\r\nIP Address: 85.208.110[.]57\r\nASN: STARK INDUSTRIES SOLUTIONS LTD\r\nCobalt Strike Version: 4.2\r\nEndpoints: https://www.googleadservices[.]org:63221/pagead/conversion/16521530460\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7aa.\r\nPUBKEY: 02a621ddce14572cb2ded37edc76ce3d93cf78b46feec2d318bb1c4afaf609da\r\nTLS Certificate: CloudFlare SHA-256 Fingerprint: 8860015325A7DFA7DE7BBC6CE0C4600B3109577836E3F0116F223AB5F7A85490\r\n\r\nConclusion\r\nOur threat hunting efforts led us to infrastructure leveraging the latest version of Cobalt Strike, all connected by the unique watermark 688983459. Utilizing the associations tab in Hunt, we quickly identified similar IPs, and additional analysis of similar ports and domains impersonating well-known brands points to a coordinated operation defenders should be on the lookout for.\r\nWe also discovered a separate group of servers using the watermark 1, historically associated with known malicious activity. While the intent behind this cluster remains unclear (whether it represents legitimate red team exercises or actions by malicious actors), it underscores the importance of vigilance. Monitoring both commonly used and rare watermarks is essential for detecting and mitigating threats in all their forms.\r\n\r\nWatermark 1 Cluster\r\nIP Address | ASN | Domain(s) | Miscellaneous\r\n47.120.38[.]194 | Hangzhou Alibaba Advertising Co.,Ltd. | mggbest[.]top | Cobalt Strike 4.2\r\n91.196.70[.]155 | EstNOC OY | N/A | \"Microsoft\" TLS Certificate SHA-256: 8A172E2F0CA849799E0B25CD0EB89D32020EECF30599D951C4E8ECB82\r\n83.229.127[.]233 | LUCIDACLOUD LIMITED | N/A | Cobalt Strike 4.2\r\n124.222.201[.]108 | Shenzhen Tencent Computer Systems Company Limited | N/A | Cobalt Strike 4.2\r\n139.196.126[.]3 | Hangzhou Alibaba Advertising Co.,Ltd. | N/A | Cobalt Strike 4.2\r\n\r\nSource: https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity"
	],
	"report_names": [
		"rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439054,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5db18b94a6e016493e08356ce09dd6d6ee7dbdd1.pdf",
		"text": "https://archive.orkl.eu/5db18b94a6e016493e08356ce09dd6d6ee7dbdd1.txt",
		"img": "https://archive.orkl.eu/5db18b94a6e016493e08356ce09dd6d6ee7dbdd1.jpg"
	}
}