{
	"id": "ece00e73-0f03-4a19-ac4a-2f6e6b13d386",
	"created_at": "2026-04-06T00:18:41.323854Z",
	"updated_at": "2026-04-10T03:30:33.076869Z",
	"deleted_at": null,
	"sha1_hash": "b0c74180631c1b8b45455aac0d2172f259841761",
	"title": "Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime, APT Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 124990,
	"plain_text": "Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime,\r\nAPT Groups\r\nBy Kelly Jackson Higgins\r\nPublished: 2021-05-19 · Archived: 2026-04-05 17:58:45 UTC\r\nRSA CONFERENCE 2021 - For nearly two decades, the open source Metasploit hacking platform has garnered a\r\nmix of enthusiasm and frustration from security teams that both need the tools to test their own networks but also\r\nfear cybercriminals or other bad actors could use it against them in attacks.\r\nMetasploit remains popular today among good and bad hackers, but another red-team tool, Cobalt Strike, is\r\nincreasingly playing a major role in attacks. Attackers are weaponizing the tool for the second stage of attacks to\r\ncarry payloads (including Metasploit exploits) once they have penetrated the victim's network using customized,\r\ncloned, or even purchased versions of Cobalt Strike.\r\nThe threat-emulation software suite for penetration testing was created by researcher Raphael Mudge in 2012 and\r\nwas acquired last year by HelpSystems. Its component most popular with nefarious hackers is Beacon, a payload\r\nthat operates like an attacker, running PowerShell scripts, logging keystrokes, snapping screenshots, stealing files,\r\nand dropping other payloads or malware.\r\nHelpSystems declined to comment for this article.\r\nNew data from Sophos that cataloged attacker behavior, tools, techniques, and procedures (TTPs) witnessed by its\r\nthreat hunters and incident responders last year and through the first part of 2021 shows that Cobalt Strike is one\r\nof the top five tools used by attackers. It's also a key element when attackers employ PowerShell commands to\r\ncamouflage their activity on a victim's network. 
Nearly 60% of PowerShell exploits employ Cobalt Strike, and\r\nsome 12% of attacks use a combination of Cobalt Strike and Microsoft Windows tools PowerShell and PsExec.\r\nIt's also paired with PsExec in nearly a third of attacks, according to Sophos's new \"Active Adversary Playbook\r\n2021\" report.\r\n\"Cobalt Strike lends itself to being deployed by PowerShell\" and PsExec, says John Shier, senior security advisor\r\nat Sophos. \"The code [Cobalt Strike] was leaked online a long time ago, [attackers] know how to use it, and it's an\r\nevasion technology\" to remain under the radar as an attack escalates and spreads.\r\nIn one of its more high-profile uses by attackers, the Russian GRU hacking team behind the SolarWinds supply-chain attack campaign built custom shellcode loaders that dropped Cobalt Strike payloads: the Teardrop and\r\nRaindrop malware components of the attack.\r\nResearchers and incident responders at Intel 471 say the malicious use of Cobalt Strike correlates with\r\nransomware's rise in recent years, but it's also used for dropping other types of malware and for stealing data.\r\nAmong the malware groups using Cobalt Strike: Trickbot, Hancitor, Qbot, SystemBC, Smokeloader, and Bazar.\r\nhttps://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073\r\nPage 1 of 3\n\nThe researchers today published indicators of compromise that indicate Cobalt Strike is in play with these\r\nmalware families.\r\nBrandon Hoffman, CISO at Intel 471, says attackers appear to like the features of Cobalt Strike, specifically the\r\nBeacon component. 
\"It has so many features built into it from a post-exploit tool perspective; it's a perfect fit for\r\nsecond-stage attack and instead of picking and choosing different pieces of malware, you just drop this tool and all\r\nof its features in it,\" he says.\r\nThe tool also contains a \"malleable\" command and control (C2) function, which allows an attacker to fashion its\r\nC2 network to appear like a different threat actor group. \"Malleable C2 lets you mimic behavior or make C2\r\ntraffic look like almost any legitimate service,\" he says. So if an organization allows users to stream Pandora, for\r\nexample, a Malleable C2 could be disguised as Pandora traffic in the victim's network, he says.\r\n\"That makes it extremely difficult\" to spot an attack, Hoffman says. \"Beacon is so customizable.\"\r\nEven so, there are ways to spot malicious abuse of Cobalt Strike, experts say. Aside from bad guys making\r\nmistakes and leaving behind clues or breadcrumbs, you can spot a Cobalt Strike-borne attack unfold if you're\r\nmonitoring activity: \"Because Cobalt Strike is not generally used at the first attack vector, in the middle of an\r\nincident response [case] if you see something come in from one of the command-and-control servers it could\r\npotentially be Beacon,\" Hoffman explains. And if you create Yara rules for certain malicious scripts, that can\r\ndetect it as well.\r\n\"Where we saw Cobalt Strike in the wild, some folks had repurposed it for the same malware family,\" says\r\nHoffman, whose team today published its findings on cybercrime groups deploying Cobalt Strike (including\r\nindicators of compromise).\r\nRansomware Thread\r\n\"We've seen a correlation between the rise of Cobalt Strike use [by adversaries] and a rise in ransomware. We're\r\nnot saying Cobalt Strike is fueling\" ransomware, Hoffman says. It's more that ransomware is dropped at the later\r\nstages of an attack chain. 
\"Before they get to the ransomware, attackers first have to deploy something like this\r\n[Cobalt Strike].\" So, spotting that activity before ransomware is installed can save a lot of headache.\r\nSpeaking of ransomware, Sophos' IR and threat-hunting data found ransomware in more than 80% of the incidents\r\nthey investigated. \"Ransomware is noisy, it needs to grab attention,\" which is why those cases were flagged for an\r\ninvestigation, Sophos' Shier says. \"[In] a lot of the attacks we stopped, we noticed there had been Cobalt Strike\r\nactivity\" as well, he says.\r\nResearchers at Red Canary also have spotted attackers wielding Cobalt Strike in targeted attacks, including\r\npayment card theft and ransomware campaigns. They described incidents where attackers using Bazar malware\r\nused Cobalt Strike payloads in advance of their dropping Ryuk ransomware on the victim, all within a two-hour\r\nwindow.\r\n\"Cobalt Strike is so common and reliable that adversaries create their own custom tooling to simply deploy the\r\npayloads, knowing that they will likely succeed if they can just get the payload past security controls. This\r\ncapability demonstrates how Cobalt Strike fits into the threat model for nearly any organization,\" according to Red\r\nCanary's report, which includes details on ways to detect malicious Cobalt Strike activity.\r\nAbout the Author\r\nEditor-in-Chief, Dark Reading\r\nKelly Jackson Higgins is the Editor-in-Chief of Dark Reading and VP, cybersecurity editorial at Informa\r\nTechTarget, where she leads editorial strategy for the company's three cybersecurity media brands: Dark Reading,\r\nSearchSecurity and Cybersecurity Dive. 
She is an award-winning veteran technology and business journalist with\r\nthree decades of experience in reporting and editing for various technology and business publications and major\r\nmedia properties. Jackson Higgins was selected three consecutive times as one of the Top 10 Cybersecurity\r\nJournalists in the U.S., and was named as one of Folio's 2019 Top Women in Media. She has been with Dark\r\nReading since its launch in 2006.\r\nSource: https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073"
	],
	"report_names": [
		"1341073"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0c74180631c1b8b45455aac0d2172f259841761.pdf",
		"text": "https://archive.orkl.eu/b0c74180631c1b8b45455aac0d2172f259841761.txt",
		"img": "https://archive.orkl.eu/b0c74180631c1b8b45455aac0d2172f259841761.jpg"
	}
}