{
	"id": "e77da3d6-ae15-48a8-821c-cef5d3d68675",
	"created_at": "2026-04-06T01:32:22.209644Z",
	"updated_at": "2026-04-10T03:37:17.323857Z",
	"deleted_at": null,
	"sha1_hash": "902a15e550ff733437a4aefef4b6781dffc82ac8",
	"title": "Identifying Cobalt Strike team servers in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 665891,
	"plain_text": "Identifying Cobalt Strike team servers in the wild\r\nBy maartenvandantzigfoxit\r\nPublished: 2019-02-26 · Archived: 2026-04-06 01:09:55 UTC\r\nHow an anomalous space led to fingerprinting\r\nSummary\r\nOn the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an “extraneous\r\nspace”. This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been\r\nleveraging to identify Cobalt Strike Servers, with high confidence, for the past one and a half years. In this blog we\r\nwill publish a full list of servers for readers to check against the logging and security controls of their\r\ninfrastructure.\r\nCobalt Strike is a framework designed for adversary simulation. It is commonly used by penetration testers and\r\nred teamers to test an organization’s resilience against targeted attacks, but has been adopted by an ever increasing\r\nnumber of malicious threat actors.\r\nSubtle anomalies like these should not be underestimated by blue teams when it comes to combating malicious\r\nactivity.\r\nAbout Cobalt Strike\r\nCobalt Strike is a framework designed for adversary simulation. It is commonly used by penetration testers and\r\nred teamers to test an organization’s resilience against targeted attacks. It can be configured using Malleable C\u0026C\r\nprofiles which can be used to customize the behavior of its beacon, giving users the ability to emulate the TTPs of\r\nin-the-wild threat actors. The framework is commercially and publicly available, which has also led to\r\npirated/cracked versions of the software.\r\nThough Cobalt Strike is designed for adversary simulation, somewhat ironically the framework has been adopted\r\nby an ever increasing number of malicious threat actors: from financially motivated criminals such as\r\nNavigator/FIN7, to state-affiliated groups motivated by political espionage such as APT29. 
In recent years, both\r\nred teams and threat actors have increasingly made use of publicly and commercially available hacking tools. A\r\nmajor reason for this is likely their ease of use and scalability. This two-sided element of pentesting suites makes it\r\na critical avenue for threat research.\r\nCobalt Strike Team Servers\r\nWhile the implant component of Cobalt Strike is called the “beacon”, the server component is referred to as the\r\n“team server”. The server is written in Java and operators can connect to it to manage and interact with the Cobalt\r\nStrike beacons using a GUI. On top of collaboration, the team server also acts as a webserver where the beacons\r\nconnect to for Command \u0026 Control, but it can also be configured to serve the beacon payload, landing pages and\r\narbitrary files.\r\nCommunication to these servers can be fingerprinted with the use of Intrusion Detection System (IDS) signatures\r\nsuch as Snort, but with enough customization of the beacon, and/or usage of a custom TLS certificate, this\r\nbecomes troublesome. However, by applying other fingerprinting techniques (as described in the next section) a\r\nmore accurate picture of the Cobalt Strike team servers that are publicly reachable can be painted.\r\nOne of Fox-IT’s InTELL analysts, with a trained eye for HTTP header anomalies, spotted an unusual space in the\r\nresponse of a Cobalt Strike team server in one of our global investigations into malicious activity. Though this\r\nmight seem irrelevant to a casual observer, details such as these can make a substantial difference in combating\r\nmalicious activity, and warranted additional research into the set-up of the team servers. 
This ultimately led to\r\nFox-IT being able to better protect our clients from actors using Cobalt Strike.\r\nThe webserver of the team server in Cobalt Strike is based on NanoHTTPD, an open-source webserver written in\r\nJava. However, this webserver unintentionally returns a surplus whitespace in all its HTTP responses. It is difficult to\r\nsee at first glance, but the whitespace is there in all the HTTP responses from the Cobalt Strike webserver:\r\nUsing this knowledge it is possible to identify NanoHTTPD servers, including possible Cobalt Strike team\r\nservers. We found out that public NanoHTTPD servers are less common than team servers. Even when the team\r\nserver uses a Malleable C2 Profile, it is still possible to identify the server due to the “extraneous space”.\r\nThe “extraneous space” was fixed in Cobalt Strike 3.13, released on January 2nd of 2019. This means that this\r\ncharacteristic was in Cobalt Strike for almost 7 years, assuming it used NanoHTTPD since the first version,\r\nreleased in 2012. If you look carefully, you can also spot the space in some of the author’s original YouTube\r\nvideos, dating back to 2014.\r\nThe fact that the removal of this space is documented in the change log leads us to believe that the Cobalt Strike\r\ndevelopers have become aware of the implications of such a space in the server response, and its potential value to\r\nblue teams.\r\nThe change log entry highlighted above refers to the removed space being “extraneous”, in a literal sense meaning\r\nnot pertinent or irrelevant. 
Due to its demonstrated significance as a fingerprinting mechanism, this description is\r\ncontested here.\r\nScanning and results\r\nBy utilizing public scan data, such as Rapid7 Labs Open Data, and the knowledge of how to fingerprint\r\nNanoHTTPD servers, we can historically identify the state of publicly reachable team servers on the Internet.\r\nThe graph shows a steady growth of Cobalt Strike (NanoHTTPD) webservers on port 80 and 443 which is a good\r\nindication of the increasing popularity of this framework. The decline since the start of 2019 is most likely due to\r\nthe “extraneous space” fix, thus not showing up in the scan data when applying the fingerprint.\r\nIn total Fox-IT has observed 7718 unique Cobalt Strike team server or NanoHTTPD hosts between the period of\r\n2015-01 and 2019-02, when based on the current data (as of 26 Feb 2019) from Rapid7 Labs HTTP and HTTPS\r\nSonar datasets.\r\nThe table below contains several examples of Cobalt Strike team servers, used by malicious threat actors:\r\nIP Address First seen Last seen Actor\r\n95.128.168.227 2018/04/24 2018/05/22 APT10\r\n185.82.202.214 2018/04/24 2018/09/11 Bokbot\r\n206.189.144.129 2018/06/05 2018/07/03 Cobalt Group\r\nThe full list of Cobalt Strike team servers identified using this method can be found on the following Fox-IT\r\nGitHub Repository.\r\nDo note that possible legitimate NanoHTTPD servers are listed here and that some IP addresses may have been\r\nrotated and reused swiftly, for example due to being part of Amazon or Azure cloud infrastructure.\r\nTherefore we recommend investigating connections to these IP addresses within the corresponding time ranges. A\r\nstarting point is to verify whether the requested URI matches a Cobalt Strike beacon checksum, or by using historical\r\nDNS data using passive DNS. 
Going beyond this can be done in various ways and we challenge readers to use\r\ntheir investigative creativity.\r\nPlease also note that this list contains servers of both legitimate and illegitimate operations, since these cannot be\r\ndistinguished easily. Fox-IT recognizes the merit of building and distributing offensive tooling, particularly for\r\nsecurity testing purposes. In our opinion the benefits of publishing this list (allowing everyone to detect unwanted\r\nattacks retroactively) outweigh the downsides, which could include potentially affecting ongoing red team\r\noperations. We believe that we all have an interest in raising the bar of security operations, and therefore\r\nincreasing visibility across the board will inform a higher level of operational security and awareness on all sides.\r\nNetwork IDS Signatures\r\nFox-IT developed a Snort rule for network detection. The rule checks for the “extraneous space” in the HTTP\r\nheader. Please note that this detection rule only works to detect plaintext HTTP traffic to and from Cobalt Strike\r\nTeam servers with the Cobalt Strike version up until release 3.13. Nevertheless, this is still a valuable detection\r\nrule, considering threat actors tend to use pirated and cracked, and therefore inherently unsupported, versions.\r\nConclusion\r\nOrganizations are encouraged to use the published list of Cobalt Strike team server IP addresses to\r\nretroactively verify whether they have been targeted with this tooling by either a red team or an adversary\r\nin the recent past. The IP addresses can be checked with e.g. firewall and proxy logs, or on aggregate\r\nagainst SIEM data. 
To minimize the number of false positives, the reader is urged to take the corresponding\r\nfirst and last seen dates into consideration.\r\nFor the ‘red team readers’ of this blog looking for ways to avoid their Cobalt Strike team server being both\r\npublicly available and easy to fingerprint, see the Cobalt Strike Team Server Population Study blog for a\r\ndetailed set of mitigations. Furthermore, Red Teams are encouraged to critically examine their toolsets in\r\nuse or rely on their Blue Team, for potential tell-tales and determine the appropriate way to apply and\r\nmitigate such findings for both Red and Blue team purposes.\r\nWatch this space (pun intended) for further analysis on this subject.\r\nSource: https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/"
	],
	"report_names": [
		"identifying-cobalt-strike-team-servers-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439142,
	"ts_updated_at": 1775792237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/902a15e550ff733437a4aefef4b6781dffc82ac8.pdf",
		"text": "https://archive.orkl.eu/902a15e550ff733437a4aefef4b6781dffc82ac8.txt",
		"img": "https://archive.orkl.eu/902a15e550ff733437a4aefef4b6781dffc82ac8.jpg"
	}
}