Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight

Published: 2024-10-31 · Archived: 2026-04-06 01:31:50 UTC

TABLE OF CONTENTS

A Curious Encounter: Analyzing the Open Directory
Goblin's Tricks: Phishing with a Purpose
BrowserGhost: A Phantom's Approach to Credential Access
Closing the Door on a Haunted Directory
Open Directory Observables
Shared Certificate (Major Cobalt Strike)
Cobalt Strike Watermark (1359593325) Overlaps

In the spirit of Halloween, a recent open directory discovery offers a curious combination of tools: Cobalt Strike, Goblin, and BrowserGhost. These names may evoke a playful twist, but each represents serious capabilities often leveraged by red teams and adversaries. This collection of sinister tools sits waiting in the open, much like treats left out on Halloween night, but for those who wander into this directory, the tricks are lurking, too.

Summary of Findings:

- An open directory exposed Cobalt Strike 4.2, a widely used post-exploitation framework, alongside exploit code targeting vulnerabilities (CVEs) dating back to 2014.
- BrowserGhost, a red team tool for extracting saved passwords from web browsers, suggests a focus on credential theft.
- The open-source Goblin phishing tool was possibly used to target Chinese-speaking educational platforms and steal user credentials.

A Curious Encounter: Analyzing the Open Directory

The open directory hosted at 199.187.25[.]57:8899 on Cloudie Limited's ASN in Hong Kong provided a unique glimpse into a collection of tools likely used for malicious purposes. Among the contents was Cobalt Strike version 4.2, released in November 2020, a folder named "goblin," which we'll cover later, and logs capturing command history and output.

Figure 1: Screenshot of the open directory page for the server at 199.187.25[.]57 in Hunt

The server, likely running a Linux-based operating system, hosted the directory using Python 3.8.10 SimpleHTTP version 0.6.

Beyond the directory contents, Hunt scanners identified several Cobalt Strike team servers on ports 88, 4343, and 5555. An Nginx web server on port 80 responded with a 404 error displaying a "Site Not Found" message in Simplified Chinese.

Figure 2: Overview of the suspicious IP, including ports, domains, and associations in Hunt

Interestingly, the watermark extracted from the beacon configuration (click the "i" button next to the Cobalt Strike symbol), 1359593325, was seen associated with just 15 other servers according to our visibility. Such a small number of servers sharing this unique identifier suggests a distinct but possibly more extensive managed operation.

Nested within the cs4.2 folder were additional payloads targeting historical vulnerabilities like CVE-2014-4113 and CVE-2020-0796, Meterpreter, and web shell payloads: evidence of a comprehensive toolkit geared towards exploitation and persistence.

Figure 3: Snippet of the IPs observed sharing the same Cobalt Strike Watermark (Source: Hunt)

*A complete list of all the IP addresses sharing the watermark can be found at the end of this post.

On October 15, this server briefly hosted a well-known Cobalt Strike TLS certificate, SHA-256 hash DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687, for just one day. The only other IP to share this certificate was 47.108.74[.]30, hosted on Aliyun Computing Co. LTD's ASN, indicating potential shared infrastructure or coordination between two servers/actors.

Figure 4: Screenshot of IPs sharing the same certificate (Source: Hunt)

Goblin's Tricks: Phishing with a Purpose

The Goblin phishing tool, as described in its GitHub project overview, serves as a platform for red and blue team exercises. Goblin operates by proxying traffic to mimic user interactions while remaining unobtrusive, allowing for an authentic simulation of phishing attempts. Its customizable plug-ins and support for embedded JavaScript make it adaptable for legitimate training scenarios and potential malicious use.

Figure 4: Screenshot of the English-language README version of the Goblin Project (Source: GitHub)

A review of Goblin's YAML configuration file in the directory reveals that the operator has configured traffic to proxy through yunxiao[.]com, a domain associated with Alibaba Cloud's Yunxiao DevOps platform, and laoshanedu.cn. While the purpose behind this setup remains unclear, our analysis failed to reveal any injected JavaScript or identifiable phishing targets.

Figure 5: Snippet of the Goblin YAML config file from the Hunt open directory page

Further analysis revealed that laoshanedu[.]cn was registered in November 2023 with Beijing Xinnet Digital Information Technology Co., Ltd. and used nameservers from xincache[.]com. The education-themed name and recent registration suggest the domain may serve as a plausible cover for Goblin, potentially mimicking an educational institution.

Figure 6: DNS & WhoIs records in VirusTotal for laoshanedu[.]cn

BrowserGhost: A Phantom's Approach to Credential Access

The final tool we'll examine, BrowserGhost, is another open-source utility, this time found within the Cobalt Strike folder, designed to extract stored passwords from popular web browsers, including Chrome, Firefox, 360 Extreme, and Edge.

Figure 7: Screenshot of the BrowserGhost README in GitHub

Alongside BrowserGhost, the directory also contained HackBrowserData, a tool specifically built to extract and decrypt sensitive browser information. This combination of tools hints at an operator with a strong interest in harvesting browser-stored credentials, signaling a well-equipped red team or an adversary with a clear focus on data exfiltration from compromised systems.

Figure 8: Screenshot of multiple files within the cs4.2 folder, including BrowserGhost and HackBrowserData

Closing the Door on a Haunted Directory

In wrapping up our Halloween dive into this open directory, we've highlighted tools like Cobalt Strike, Goblin, and BrowserGhost—each with capabilities that extend from red teaming to potentially darker uses. Our findings highlight how such tools, although often seen in professional settings, can be used for more sinister purposes—a reminder of the treats and tricks still hidden within the cybersecurity threat landscape.

If you want to learn more about these spooky threats and light your Jack-o-lantern against their tricks, get in touch with Hunt.io!

Open Directory Observables

IP Address            | Hosting Country | ASN             | Cobalt Strike Watermark
199.187.25[.]57:8899  | HK              | Cloudie Limited | 1359593325

Shared Certificate (Major Cobalt Strike)

IP Address     | Hosting Country | ASN                                   | Domain(s)                                                                   | Certificate
47.108.74[.]30 | CN              | Hangzhou Alibaba Advertising Co.,Ltd. | tbc.cbshscs.comtom[.]cn, cbshscs.comtom[.]cn, file.cbshscs.comtom[.]cn       | Common Name: Major Cobalt Strike; Country: Earth; Org: cobaltstrike; OrgUnit: AdvancedPenTesting; City: Somewhere; State: Cyberspace; SHA-256 Hash: DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687

Cobalt Strike Watermark (1359593325) Overlaps

IP Address        | Hosting Country | ASN                                               | Domain(s)
43.134.183.43     | HK              | Tencent Building, Kejizhongyi Avenue              | N/A
101.132.182.180   | CN              | Hangzhou Alibaba Advertising Co.,Ltd.             | N/A
106.15.40[.]123   | CN              | Hangzhou Alibaba Advertising Co.,Ltd.             | N/A
39.98.196[.]145   | CN              | Zhejiang Taobao Network Co.,Ltd                   | N/A
94.74.105[.]131   | HK              | HUAWEI CLOUDS                                     | N/A
1.15.247[.]249    | CN              | Shenzhen Tencent Computer Systems Company Limited | N/A
1.117.72[.]154    | CN              | Shenzhen Tencent Computer Systems Company Limited | N/A
27.102.118[.]70   | SK              | DAOU TECHNOLOGY                                   | ns1.kjdfklha[.]top, ns2.kjdfklha[.]top, kjdfklha[.]top, blog.kjdfklha[.]top
210.1.226.[.]164  | MA              | TechAvenue Malaysia                               | N/A
101.43.157[.]20   | CN              | Shenzhen Tencent Computer Systems Company Limited | N/A
106.52.236[.]88   | CN              | Shenzhen Tencent Computer Systems Company Limited | src.idvfecx.qiniudns[.]com
111.231.140[.]197 | CN              | Shenzhen Tencent Computer Systems Company Limited | N/A
124.221.167[.]192 | CN              | Shenzhen Tencent Computer Systems Company Limited | N/A
117.72.10[.]22    | CN              | Beijing Jingdong 360 Degree E-commerce Co., Ltd.  | dn2ufncur4f3f[.]shop
119.3.153[.]81    | CN              | Huawei Cloud Service data center                  | N/A

Source: https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight
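As an added, defender-side example (not code from Hunt.io or from the post), the Python below turns the observables above into a working sweep. It refangs and validates the published IPs and domains, then checks constructed Zeek-style JSON records (conn, dns, x509) for the listed infrastructure and for the shared "Major Cobalt Strike" certificate. The certificate is matched two ways: by the SHA-256 fingerprint given in the body of the post, and by the default subject fields listed in the certificate table, so a team server whose operator regenerated the keystore but kept the stock subject still surfaces. The record field names (`_path`, `id.resp_h`, `query`, `certificate.subject`, `fingerprint`) follow Zeek's JSON log layout and are assumptions here; the sample records are constructed, not real telemetry. Two caveats the post itself raises are handled: yunxiao[.]com is a legitimate Alibaba Cloud platform and is deliberately not treated as an indicator, and the entry "210.1.226.[.]164" is malformed as printed in the table, so the loader reports it for review instead of silently dropping it.

```python
"""IoC sweep over Zeek-style log records for the indicators in this post (stdlib only)."""
import ipaddress

# Indicators copied from the post's observables tables, kept defanged as published.
DEFANGED_IPS = [
    "199.187.25[.]57", "47.108.74[.]30", "43.134.183.43", "101.132.182.180",
    "106.15.40[.]123", "39.98.196[.]145", "94.74.105[.]131", "1.15.247[.]249",
    "1.117.72[.]154", "27.102.118[.]70", "210.1.226.[.]164", "101.43.157[.]20",
    "106.52.236[.]88", "111.231.140[.]197", "124.221.167[.]192", "117.72.10[.]22",
    "119.3.153[.]81",
]
# yunxiao[.]com (Alibaba Cloud's Yunxiao platform) is legitimate and intentionally omitted.
DEFANGED_DOMAINS = [
    "cbshscs.comtom[.]cn", "kjdfklha[.]top", "src.idvfecx.qiniudns[.]com",
    "dn2ufncur4f3f[.]shop", "laoshanedu[.]cn",
]
# Full fingerprint as given in the body of the post (the observables table truncates it).
CS_DEFAULT_CERT_SHA256 = "dfa9b3e8b5e0f229ecb2fb479544650d0b87eb8494ce176714cf4e53dbafd687"
# Subject of the stock Cobalt Strike keystore certificate, as listed in the post.
CS_DEFAULT_SUBJECT = {
    "CN": "Major Cobalt Strike", "O": "cobaltstrike", "OU": "AdvancedPenTesting",
    "L": "Somewhere", "ST": "Cyberspace", "C": "Earth",
}


def refang(ioc: str) -> str:
    """Undo common '[.]' / '(.)' / 'hxxp' defanging so values compare against live telemetry."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").strip()


def load_ip_indicators(defanged: list[str]) -> tuple[set[str], list[str]]:
    """Refang and validate IPs; unparseable entries are returned for manual review, not dropped."""
    valid, rejected = set(), []
    for raw in defanged:
        try:
            valid.add(str(ipaddress.ip_address(refang(raw))))
        except ValueError:
            rejected.append(raw)
    return valid, rejected


def load_domain_indicators(defanged: list[str]) -> set[str]:
    return {refang(d).lower().rstrip(".") for d in defanged}


def domain_matches(name: str, indicators: set[str]) -> bool:
    """True if name equals an indicator or sits under one; the bare TLD is never tested."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels) - 1))


def parse_subject(subject: str) -> dict[str, str]:
    """Parse a Zeek x509.log style subject ('CN=a,OU=b,...'); escaped commas are not handled."""
    fields = {}
    for part in subject.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def classify_certificate(subject: str, sha256: str) -> list[str]:
    """Reasons a certificate looks like the stock Cobalt Strike one (fingerprint and/or subject)."""
    reasons = []
    if sha256.lower() == CS_DEFAULT_CERT_SHA256:
        reasons.append("fingerprint matches shared Cobalt Strike certificate")
    if all(parse_subject(subject).get(k) == v for k, v in CS_DEFAULT_SUBJECT.items()):
        reasons.append("subject matches default Cobalt Strike keystore")
    return reasons


def sweep(records: list[dict], ip_iocs: set[str], domain_iocs: set[str]) -> list[tuple[str, str]]:
    """records are dicts shaped like Zeek JSON conn/dns/x509 entries (field names assumed)."""
    alerts = []
    for r in records:
        uid, path = r.get("uid", "?"), r.get("_path")
        if path == "conn":
            for key in ("id.orig_h", "id.resp_h"):
                if r.get(key) in ip_iocs:
                    alerts.append((uid, f"{key} {r[key]} is a listed IP"))
        elif path == "dns" and domain_matches(r.get("query", ""), domain_iocs):
            alerts.append((uid, f"query {r['query']} is a listed domain"))
        elif path == "x509":
            for reason in classify_certificate(r.get("certificate.subject", ""), r.get("fingerprint", "")):
                alerts.append((uid, reason))
    return alerts


# Constructed sample records, not real telemetry. C3 carries the shared certificate,
# C4 the same default subject with a different (regenerated) key, C5/C6 are benign.
_CS_SUBJECT = "CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike,L=Somewhere,ST=Cyberspace,C=Earth"
SAMPLE_RECORDS = [
    {"_path": "conn", "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "47.108.74.30", "id.resp_p": 443},
    {"_path": "dns", "uid": "C2", "query": "ns1.kjdfklha.top"},
    {"_path": "x509", "uid": "C3", "certificate.subject": _CS_SUBJECT, "fingerprint": CS_DEFAULT_CERT_SHA256},
    {"_path": "x509", "uid": "C4", "certificate.subject": _CS_SUBJECT, "fingerprint": "00" * 32},
    {"_path": "conn", "uid": "C5", "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.10", "id.resp_p": 443},
    {"_path": "dns", "uid": "C6", "query": "example.com"},
]


def run_sweep() -> tuple[list[tuple[str, str]], list[str]]:
    """Load indicators, sweep the sample records, return (alerts, indicators needing review)."""
    ip_iocs, rejected = load_ip_indicators(DEFANGED_IPS)
    return sweep(SAMPLE_RECORDS, ip_iocs, load_domain_indicators(DEFANGED_DOMAINS)), rejected
```

Calling `run_sweep()` on the constructed records yields five alerts (the conn to 47.108.74.30, the DNS query under kjdfklha.top, two reasons for the certificate in C3, and the subject-only match in C4) and one indicator flagged for review. In production the records would come from Zeek's JSON output rather than the inline list, and the subject check is worth keeping even after the fingerprint ages out, since the default subject is what operators most often leave untouched.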