{
	"id": "4e5b4725-fabe-416c-b56e-f39d1cae4384",
	"created_at": "2026-04-06T00:12:56.470663Z",
	"updated_at": "2026-04-10T03:24:23.824967Z",
	"deleted_at": null,
	"sha1_hash": "bc8d539d7b52d92fe78c446bb5983c1e88235f38",
	"title": "Update: Stopping Cybercriminals from Abusing Cobalt Strike | Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41779,
	"plain_text": "Update: Stopping Cybercriminals from Abusing Cobalt Strike |\r\nCobalt Strike\r\nBy Cobalt Strike Team\r\nPublished: 2025-03-07 · Archived: 2026-04-05 12:43:35 UTC\r\nSince 2023, Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis\r\nCenter (Health-ISAC) have been working together to combat the use of unauthorized, legacy copies of Cobalt\r\nStrike and compromised Microsoft software, which have been weaponized by cybercriminals to deploy\r\nransomware and other malware, causing significant harm to critical sectors like healthcare.\r\nMicrosoft, Fortra, and Health-ISAC remain committed to this endeavor, leveraging legal, technical, and\r\ncollaborative efforts to dismantle cybercriminal operations. This initiative underscores the importance of\r\npersistence and partnership in securing the digital ecosystem.\r\nAs we near the second anniversary, we want to highlight updates on our progress and share our planned focus for\r\n2025.\r\nAccelerated Takedowns: Limiting Dwell Time and Damage\r\nOver the past two years, the number of unauthorized copies of Cobalt Strike observed in the wild has\r\ndecreased by 80%, drastically reducing availability to cybercriminals. 
This reduction has had a tangible impact,\r\nwith these tools now being abused far less often.\r\nWe have successfully seized and sinkholed over 200 malicious domains, effectively cutting off their ability to\r\naccept legitimate traffic and preventing further exploitation by threat actors.\r\nAdditionally, the average dwell time—the period between initial detection and takedown—has been\r\nreduced to less than one week in the United States and less than two weeks worldwide.\r\nA Global Success with Operation MORPHEUS\r\nIn July of 2024, Fortra was part of Operation MORPHEUS, a three-year investigation that culminated in a\r\ncoordinated global effort to take down known IP addresses and domain names associated with criminal activity to\r\nfurther disable unauthorized versions of Cobalt Strike. A total of 690 IP addresses were flagged to online\r\nservice providers in 27 countries. In total, 593 of these addresses were taken down.\r\nThe UK’s National Crime Agency led this investigation, with support from law enforcement in Australia, Canada,\r\nGermany, the Netherlands, Poland, and the United States. Europol coordinated international operations and\r\ncollaborated with private partners, including Fortra.\r\nContinued Takedown Efforts and Next Steps\r\nhttps://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike\r\nPage 1 of 2\n\nOur campaign to combat the malicious use of unauthorized Cobalt Strike copies is ongoing and evolving. We\r\nremain committed to providing any new and relevant information to law enforcement agencies worldwide to\r\nsupport their investigations. 
Fortra is also invested in other public-private partnerships, having signed onto the\r\nPall Mall Process, an international initiative focused on developing regulations to combat the unauthorized\r\ndistribution and usage of commercial cyber intrusion tools.\r\nAdditionally, we are continuing to send takedown notices to hosting providers, raising awareness of the\r\nillicit use of unauthorized copies. We actively track these activities to the point of origin, identifying root causes\r\nto prevent recurrence. We concurrently issue notices on a persistent basis until these illegal versions are\r\nremoved from web properties. Compliant web properties are also passively monitored in case of reappearance.\r\nThese efforts are gaining momentum and have entered a new phase of heightened efficacy. Automation processes\r\nhave been put into place to further increase efficiency and simplify the takedown process. Additionally, just as\r\ncybercriminals adapt their techniques, Fortra continuously updates Cobalt Strike’s security controls to thwart\r\ncracking attempts and protect legitimate users.\r\nStrengthening Red Team Tool Security\r\nThe nature of the modern cybersecurity landscape makes the critical need for red team solutions undeniable.\r\nHowever, these tools inherently carry some risk of misuse.\r\nBy proactively sharing our disruption techniques through conference talks and webinars, we have provided the\r\nbroader security community with a proven roadmap that other solution providers can follow to engage in\r\npublic/private disruption partnerships when faced with similar challenges.\r\nCollaboration is essential in advancing cybersecurity overall. 
This not only strengthens the collective\r\ndefense against cybercriminals but also ensures that legitimate security tools can continue to be used\r\nresponsibly and effectively to protect organizations worldwide.\r\nWe want to thank Microsoft DCU, Health-ISAC, and every other organization we’ve joined forces with in these\r\nefforts and look forward to continuing our work together to defend the integrity of critical commercial\r\ncybersecurity tools.\r\nSource: https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike"
	],
	"report_names": [
		"update-stopping-cybercriminals-from-abusing-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc8d539d7b52d92fe78c446bb5983c1e88235f38.pdf",
		"text": "https://archive.orkl.eu/bc8d539d7b52d92fe78c446bb5983c1e88235f38.txt",
		"img": "https://archive.orkl.eu/bc8d539d7b52d92fe78c446bb5983c1e88235f38.jpg"
	}
}