{
	"id": "b327442d-ee86-4dad-8b52-bf2e4fa27698",
	"created_at": "2026-04-06T03:36:02.06435Z",
	"updated_at": "2026-04-10T03:24:23.97326Z",
	"deleted_at": null,
	"sha1_hash": "8e9edccfd6998a8051adff1c5a4bdd93d5f88d8a",
	"title": "Attackers Exploiting Public Cobalt Strike Profiles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1306460,
	"plain_text": "Attackers Exploiting Public Cobalt Strike Profiles\r\nBy Durgesh Sangvikar, Yanhui Jia, Chris Navarrete, Matthew Tennis\r\nPublished: 2024-06-26 · Archived: 2026-04-06 02:59:04 UTC\r\nExecutive Summary\r\nIn this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share\r\nexamples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same\r\nprofile hosted on a public code repository.\r\nCobalt Strike is a commercial software framework that enables security professionals like red team members to\r\nsimulate attackers embedding themselves in a network environment. However, threat actors continue to use\r\ncracked versions of Cobalt Strike in real-world attacks. The post-exploitation payload called Beacon uses text-based profiles called Malleable C2 to change the characteristics of Beacon's web traffic in an attempt to avoid\r\ndetection.\r\nDespite its use in defensive cybersecurity assessments, threat actors continue to leverage Cobalt Strike for\r\nmalicious purposes. 
Due to its malleable and evasive nature, Cobalt Strike remains a significant security threat to\r\norganizations.\r\nPalo Alto Networks customers are better protected from Cobalt Strike Beacon and Team Server C2\r\ncommunication in the following ways:\r\nThe Next-Generation Firewall (NGFW) with an Advanced Threat Prevention subscription can help identify\r\nand block Cobalt Strike HTTP C2 requests, including those generated by custom profiles.\r\nWildFire, Cortex XDR and Prisma Cloud can help identify and block Cobalt Strike Beacon binaries, and\r\nXDR will report related exploitation attempts.\r\nCortex XSOAR response pack and playbook can help automate the mitigation process.\r\nMalicious URLs and IPs related to this research have been added to Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nRelated Unit 42 Topics: Cobalt Strike, Malleable C2 Profile\r\nFrom Server to Beacon to Profile\r\nUnit 42 has multiple techniques to find Cobalt Strike servers hosted on the internet, some of which we have\r\ndocumented in a previous article about Cobalt Strike analysis. The traffic flow and detection in this article were\r\ntriggered by our Advanced Threat Prevention (ATP) solution.\r\nhttps://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/\r\nPage 1 of 8\n\nAfter finding these Cobalt Strike servers, we pivoted on this information to discover any associated Beacon files.\r\nOur investigation of these samples revealed Malleable C2 profiles, which are described in another previous article\r\nabout Malleable C2 profiles.\r\nOur research also revealed that these Malleable C2 profiles borrow heavily from a single example hosted on a\r\npublicly available software repository.\r\nFirst Sample\r\nThis first Beacon sample borrows from a Malleable C2 profile named ocsp.profile hosted on a publicly available\r\nsoftware repository. 
This profile itself is not malicious, and it is one of many hosted on publicly available\r\nrepositories that attackers can copy and alter for their own malicious purposes.\r\nFirst sample SHA256 hash:\r\n1980becd2152f4c29dffbb9dc113524a78f8246d3ba57384caf1738142bb3a07\r\nWe downloaded this Beacon sample from one of the Cobalt Strike servers discovered by our ATP solution.\r\nAttackers typically retrieve Beacon instances from Cobalt Strike servers and load Beacon into memory through\r\nsome other compromised process. Embedded in this Beacon binary are details from its Malleable C2 profile.\r\nWe used Didier Stevens’ Python script 1768.py to extract the Malleable C2 profile details. These details are listed\r\nbelow in Table 1.\r\nProfile Component | Description | Details\r\nC2 | GET request to get the command to execute | Method: GET. Cobalt Strike C2 domains: msupdate.azurefd[.]net, o365updater.azureedge[.]net, gupdater.bbtecno[.]com, teamsupd.azurewebsites[.]net, msdn1357.centralus.cloudapp.azure[.]com, cupdater.bbtecno[.]com. URI: /ocsp/. Header: User-Agent: Microsoft-CryptoAPI/7.0\r\nC2 | POST request to return the command execution result | Method: POST. URI: /ocsp/a/\r\nTable 1. Extracted network information from the profile of our first Beacon sample.\r\nBelow, Figure 1 shows part of the results from Stevens' Python script analysis of our first Beacon sample. This\r\nsection contains information related to the sample's Malleable C2 profile configuration. As noted in the\r\nhttp_get_header section, metadata of the victim is encoded using lowercase NetBIOS encoding and appended to\r\nthe request URI. This configuration also adds Accept: */* to the HTTP GET request header.\r\nFigure 1. 
Output from running Stevens’ 1768.py script on our first Beacon sample.\r\nFigure 2 shows a TCP stream of the HTTP C2 traffic between this Beacon instance and the Cobalt Strike server. In\r\nit, we can see the lower-case NetBIOS encoding in the GET request as specified by the Malleable C2 profile.\r\nFigure 2. TCP stream of HTTP C2 traffic generated by our first Cobalt Strike Beacon sample.\r\nThis profile configuration appears to be based on the ocsp.profile from a publicly accessible software repository.\r\nThe attackers merely replaced /oscp/ with /ocsp/ for both HTTP request methods and changed the User-Agent\r\nstring from Microsoft-CryptoAPI/6.1 to Microsoft-CryptoAPI/7.0. Figure 3 indicates values from the original\r\nMalleable C2 profile that were altered for this Beacon sample. The rest of the profile used for this sample matches\r\nthe original ocsp.profile content.\r\nFigure 3. The original ocsp.profile, indicating the values updated in our first Beacon sample.\r\nSecond Sample\r\nThe Malleable C2 profile of our second Beacon sample borrows from the same ocsp.profile as our first sample.\r\nSecond sample SHA256 hash:\r\nb587e215ce8c0b3a1525f136fe38bfdc0232300e1a4f7e651e5dc6e86313e941\r\nLike our first example, this Beacon sample is a staged binary hosted by a Cobalt Strike server that our ATP\r\nplatform detected and downloaded. Following the same analysis procedure, we extracted the Malleable C2 profile\r\ninformation using 1768.py and compared the results with our repository of known profiles. 
Table 2 shows the\r\nnetwork information we extracted from this profile.\r\nProfile Component | Description | Details\r\nC2 | GET request to get the command to execute | Method: GET. Cobalt Strike C2 domains: msupdate.brazilsouth.cloudapp.azure[.]com, msdn1357.centralus.cloudapp.azure[.]com, update37.eastus.cloudapp.azure[.]com, update.westus.cloudapp.azure[.]com, 146.235.52[.]69, 159.112.177[.]137. URI: /download/. Header: User-Agent: Microsoft-CryptoAPI/8.1\r\nC2 | POST request to return the command execution result | Method: POST. URI: /pkg/a/\r\nTable 2. Extracted network information from the profile of our second Beacon sample.\r\nIn this Beacon sample, the attackers changed the URI path of the HTTP GET request from the original ocsp.profile\r\nvalue /oscp/ to /download/. They also changed the URI path of the HTTP POST request from the original /oscp/a/\r\nto /pkg/a/. Finally, they updated the User-Agent value from Microsoft-CryptoAPI/6.1 to Microsoft-CryptoAPI/8.1.\r\nFigure 4 shows a TCP stream of the HTTP C2 traffic between this second Beacon instance and its Cobalt Strike\r\nserver.\r\nFigure 4. TCP stream of HTTP C2 traffic generated by our second Cobalt Strike Beacon sample.\r\nThird Sample\r\nThe Malleable C2 profile of our third sample borrows from the same ocsp.profile as our first and second samples.\r\nThird sample SHA256 hash:\r\n38eeb82dbb5285ff6a2122a065cd1f820438b88a02057f4e31a1e1e5339feb2b\r\nThis third Cobalt Strike sample is a stageless 64-bit Windows executable file that uses the same ocsp.profile for its\r\nMalleable C2 profile, but with a twist. 
The domain for its C2 server contains a string in the leading subdomain that\r\nmatches the FQDN of a well-known multinational technology company.\r\nThe FQDN of this Cobalt Strike C2 server is www.consumershop.lenovo.com.cn.d4e97cc6.cdnhwcggk22[.]com;\r\nhowever, the registrable parent domain is actually cdnhwcggk22[.]com, so the lenovo.com.cn string is only a\r\nsubdomain label chosen to look legitimate.\r\nFigure 5 shows an example of HTTP C2 traffic generated by this third sample, starting after a DNS query of the\r\nC2 domain resolves to the server's IP address.\r\nFigure 5. Filtered in Wireshark, C2 traffic generated by our third Cobalt Strike sample.\r\nBorrowing From Public Malleable C2 Profiles\r\nDetections for Cobalt Strike activity that depend on fixed patterns in the HTTP request headers are of limited\r\nvalue, since any variation of these patterns can cause the detection to fail. Some workarounds, such as regular\r\nexpression patterns, can temporarily alleviate this evasion. However, attackers can trivially modify the Malleable C2\r\nprofile, creating a detection arms race in which attackers remain one step ahead of conventional network security\r\nsolutions. In these cases, the cost is imposed more heavily on the defender than on the attacker.\r\nFurthermore, attackers do not need to create a Malleable C2 profile from scratch. They can easily copy publicly\r\navailable examples and modify various values to fit their needs. Our research indicates that attackers use slight\r\nmodifications of these publicly available profiles for their Cobalt Strike activity in an effort to evade detection.\r\nConclusion\r\nIn the ever-evolving landscape of cybersecurity, attackers persist in finding new methods, like leveraging publicly\r\navailable Malleable C2 profiles. This strategy enables attackers to initiate Cobalt Strike C2 communications with\r\nflexibility, frequently altering profiles to evade detection and sustain malicious activity. 
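The NetBIOS metadata encoding and the URI and User-Agent edits described above, as an added example that is not part of the Unit 42 article and is not Cobalt Strike code: a Python model of how a Beacon built from the public ocsp.profile encodes victim metadata and builds its HTTP GET, with a signature pinned to the original profile values beside a check that keys on the encoding instead. The profile values (/oscp/, /ocsp/ and /download/; Microsoft-CryptoAPI/6.1, 7.0 and 8.1; Accept: */*) are the ones the article reports. The host names, the metadata bytes and the benign OCSP request are constructed for the example, and the assumption that the encoded metadata is appended directly after the profile URI with no separator is the example's own.

```python
# Added example, not code from the Unit 42 article or from Cobalt Strike.
# Models the http-get side of a Beacon built from the public ocsp.profile and
# compares a value-pinned signature with a check on the metadata encoding.
import re
from dataclasses import dataclass

CRLF = chr(13) + chr(10)


def netbios_encode(data: bytes, lowercase: bool = True) -> str:
    # Cobalt Strike netbios (lowercase) / netbiosu (uppercase) encoder:
    # each byte becomes two letters, high nibble first, nibble value + ord('a').
    base = ord('a') if lowercase else ord('A')
    return ''.join(chr(base + (b >> 4)) + chr(base + (b & 0x0F)) for b in data)


def netbios_decode(text: str) -> bytes:
    # Accepts either case; raises on anything that is not a run of a..p pairs.
    text = text.lower()
    if len(text) % 2 or not re.fullmatch('[a-p]*', text):
        raise ValueError('not netbios-encoded')
    pairs = iter(text)
    return bytes(((ord(hi) - 97) << 4) | (ord(lo) - 97) for hi, lo in zip(pairs, pairs))


@dataclass(frozen=True)
class HttpGetProfile:
    uri: str         # http-get uri from the profile
    user_agent: str  # User-Agent header from the profile


# Values reported in the article for the public profile and the first two samples.
ORIGINAL = HttpGetProfile('/oscp/', 'Microsoft-CryptoAPI/6.1')
SAMPLE_1 = HttpGetProfile('/ocsp/', 'Microsoft-CryptoAPI/7.0')
SAMPLE_2 = HttpGetProfile('/download/', 'Microsoft-CryptoAPI/8.1')
PROFILES = {'original': ORIGINAL, 'sample_1': SAMPLE_1, 'sample_2': SAMPLE_2}

# Constructed stand-in for the (normally RSA-encrypted) session metadata.
DEMO_METADATA = bytes(range(16))


def build_get_request(profile: HttpGetProfile, host: str, metadata: bytes) -> str:
    # Assumption: encoded metadata is appended straight after the profile uri.
    path = profile.uri + netbios_encode(metadata)
    return CRLF.join([f'GET {path} HTTP/1.1', 'Accept: */*',
                      f'User-Agent: {profile.user_agent}', f'Host: {host}', '', ''])


REQ_LINE = re.compile('^GET (?P<path>[^ ]+) HTTP/1[.][01]$')


def parse_request(raw: str) -> dict:
    lines = raw.split(CRLF)
    m = REQ_LINE.match(lines[0])
    if m is None:
        raise ValueError('not an HTTP/1.x GET')
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(': ')
        headers[name.lower()] = value
    return {'path': m.group('path'), 'headers': headers}


def strict_match(req: dict) -> bool:
    # Signature pinned to the exact values of the public ocsp.profile.
    return (req['headers'].get('user-agent') == 'Microsoft-CryptoAPI/6.1'
            and req['path'].startswith('/oscp/'))


def heuristic_match(req: dict) -> bool:
    # Keys on what the edited profiles did not change: a CryptoAPI-style
    # User-Agent whose last path segment is a netbios-encoded blob. A real
    # CryptoAPI OCSP GET carries base64 DER, which practically never consists
    # solely of the letters a..p.
    if not req['headers'].get('user-agent', '').startswith('Microsoft-CryptoAPI/'):
        return False
    last = req['path'].rstrip('/').rsplit('/', 1)[-1]
    try:
        return len(netbios_decode(last)) >= 4
    except ValueError:
        return False


# Constructed benign control: what a genuine CryptoAPI OCSP GET looks like.
BENIGN_OCSP_GET = CRLF.join([
    'GET /ocsp/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSy5zGdSAUOE3f3DRWrVFL7IY5tXQ HTTP/1.1',
    'User-Agent: Microsoft-CryptoAPI/10.0', 'Host: ocsp.example.net', '', ''])


def classify(raw_request: str) -> tuple:
    req = parse_request(raw_request)
    return (strict_match(req), heuristic_match(req))


def evaluate() -> dict:
    # Returns {name: (strict_hit, heuristic_hit)} for each profile variant.
    out = {name: classify(build_get_request(p, 'c2.example.net', DEMO_METADATA))
           for name, p in PROFILES.items()}
    out['benign_ocsp'] = classify(BENIGN_OCSP_GET)
    return out


if __name__ == '__main__':
    for name, hits in evaluate().items():
        print(name, hits)
```

Running the block prints one line per variant: the strict signature fires only on the untouched public profile, while the encoding check still fires on both edited samples and stays quiet on the benign OCSP request. The encoding check is not a durable answer either; switching the metadata transform from netbios to base64url or mask is a one-line profile edit that defeats it, which is exactly the arms race the section above describes.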
Such tactics underscore\r\nthe dynamic nature of cyberthreats and the continuous need for adaptive and forward-thinking defense\r\nmechanisms.\r\nMachine-learning-based solutions like ATP are the best type of defensive countermeasures available for preventing\r\nhighly evasive attacks and C2 like Cobalt Strike. Heuristic detections cannot cover the huge number of\r\npermutations that the Malleable C2 framework can so readily provide.\r\nThe cost of network security false positives is skewed heavily against the defender, which is a vulnerability in\r\nsecurity operations that attackers exploit to their benefit.\r\nAdopting a machine-learning network security platform like ATP provides detection capabilities to counter these\r\ntypes of threats.\r\nThis commitment to advancing our technologies in response to these threats reaffirms our dedication to\r\ncybersecurity excellence and the safety of the digital community.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from Cobalt Strike through the following products:\r\nThe Next-Generation Firewall (NGFW) with an Advanced Threat Prevention subscription can identify and\r\nblock Cobalt Strike HTTP C2 requests, including those generated by custom profiles.\r\nAdvanced WildFire, Cortex XDR and Prisma Cloud can identify and block Cobalt Strike Beacon binaries,\r\nand XDR will report related exploitation attempts.\r\nCortex XSOAR response pack and playbook can automate the mitigation process.\r\nMalicious URLs and IPs have been added to Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto 
Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hashes for Cobalt Strike Samples:\r\n1980becd2152f4c29dffbb9dc113524a78f8246d3ba57384caf1738142bb3a07\r\nb587e215ce8c0b3a1525f136fe38bfdc0232300e1a4f7e651e5dc6e86313e941\r\n38eeb82dbb5285ff6a2122a065cd1f820438b88a02057f4e31a1e1e5339feb2b\r\nDomains and IP Addresses Used for Cobalt Strike C2:\r\nmsupdate.azurefd[.]net\r\no365updater.azureedge[.]net\r\ngupdater.bbtecno[.]com\r\nteamsupd.azurewebsites[.]net\r\nmsdn1357.centralus.cloudapp.azure[.]com\r\ncupdater.bbtecno[.]com\r\nmsupdate.brazilsouth.cloudapp.azure[.]com\r\nupdate37.eastus.cloudapp.azure[.]com\r\nupdate.westus.cloudapp.azure[.]com\r\nwww.consumershop.lenovo.com.cn.d4e97cc6.cdnhwcggk22[.]com\r\n146.235.52[.]69\r\n159.112.177[.]137\r\nAdditional Resources\r\nCobalt Strike Training Resources – Fortra\r\nCobalt Strike User Guide: Malleable Command and Control – Fortra\r\nCobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect –\r\nPalo Alto Networks, Unit 42\r\nCobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding – Palo Alto Networks, Unit 42\r\nCobalt Strike Attack Detection \u0026 Defense Technology Overview – Palo Alto Networks, LIVEcommunity\r\nDetecting Popular Cobalt Strike Malleable C2 Profile Techniques – Palo Alto Networks, Unit 42\r\nCobalt Strike: Using Known Private Keys To Decrypt Traffic, Part 1 – NVISO Labs\r\nSource: 
https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/"
	],
	"report_names": [
		"attackers-exploit-public-cobalt-strike-profiles"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446562,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e9edccfd6998a8051adff1c5a4bdd93d5f88d8a.pdf",
		"text": "https://archive.orkl.eu/8e9edccfd6998a8051adff1c5a4bdd93d5f88d8a.txt",
		"img": "https://archive.orkl.eu/8e9edccfd6998a8051adff1c5a4bdd93d5f88d8a.jpg"
	}
}