{
	"id": "19d69f0c-09a4-4b4e-a966-b9a7294ff841",
	"created_at": "2026-04-06T01:32:20.546017Z",
	"updated_at": "2026-04-10T03:24:23.657383Z",
	"deleted_at": null,
	"sha1_hash": "885b165efa563a0914c4fe7ffb5219cbce231149",
	"title": "User-driven Web Drive-by Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31846,
	"plain_text": "User-driven Web Drive-by Attacks\r\nArchived: 2026-04-06 01:20:03 UTC\r\nCobalt Strike makes several tools to set up web drive-by attacks available to you. To quickly start an attack,\r\nnavigate to Attacks and choose one of the following options:\r\nJava Signed Applet Attack\r\nThis attack starts a web server hosting a self-signed Java applet. Visitors are asked to give the applet permission to\r\nrun. When a visitor grants this permission, you gain access to their system.\r\nThe Java Signed Applet Attack uses Cobalt Strike’s Java injector. On Windows, the Java injector will inject\r\nshellcode for a Windows listener directly into memory for you.\r\nNavigate to Attacks -\u003e Signed Applet Attack.\r\nfigure 45 - Signed Applet Attack\r\nPress Launch to start the attack.\r\nJava Smart Applet Attack\r\nCobalt Strike’s Smart Applet Attack combines several exploits to disable the Java security sandbox into one\r\npackage. This attack starts a web server hosting a Java applet. Initially, this applet runs in Java’s security sandbox\r\nand it does not require user approval to start.\r\nThe applet analyzes its environment and decides which Java exploit to use. 
If the Java version is vulnerable, the\r\napplet will disable the security sandbox, and execute a payload using Cobalt Strike’s Java injector.\r\nNavigate to Attacks -\u003e Smart Applet Attack.\r\nfigure 46 - Smart Applet Attack\r\nPress Launch to start the attack.\r\nScripted Web Delivery (S)\r\nThis feature generates a stageless Beacon payload artifact, hosts it on Cobalt Strike’s web server, and presents a\r\none-liner to download and run the artifact.\r\nNavigate to Attacks -\u003e Scripted Web Delivery (S) from the menu.\r\nfigure 47 - Scripted Web Delivery (S)\r\nPress Launch to start the attack.\r\nSource: https://www.cobaltstrike.com/help-scripted-web-delivery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cobaltstrike.com/help-scripted-web-delivery"
	],
	"report_names": [
		"help-scripted-web-delivery"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439140,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/885b165efa563a0914c4fe7ffb5219cbce231149.pdf",
		"text": "https://archive.orkl.eu/885b165efa563a0914c4fe7ffb5219cbce231149.txt",
		"img": "https://archive.orkl.eu/885b165efa563a0914c4fe7ffb5219cbce231149.jpg"
	}
}