{
	"id": "780105c9-4a56-4086-b15a-071dbd413cd8",
	"created_at": "2026-04-06T00:21:23.896842Z",
	"updated_at": "2026-04-10T03:24:24.367312Z",
	"deleted_at": null,
	"sha1_hash": "d01cda8bfafd5c6958720476e6dfdc698a0b3097",
	"title": "Improving network-based detection of in-the-wild Cobalt Strike C2 servers while reducing the risk…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1119608,
	"plain_text": "Improving network-based detection of in-the-wild Cobalt Strike C2 servers while reducing the risk…\r\nBy Sergiu Sechel, PhD\r\nPublished: 2024-10-02 · Archived: 2026-04-05 14:05:39 UTC\r\nPhoto by Robynne Hu on Unsplash\r\nContext\r\nCobalt Strike is a commercial post-exploitation platform designed for Windows-based environments. Its beacon (implant) can be delivered to a target in various ways, even without exploiting technical vulnerabilities (e.g., through malicious email attachments). The platform’s functionality can be extended through plug-ins, and over the years, it has gained notoriety among both offensive security teams (red teamers) and cybercriminals. Since 2019, Cobalt Strike has been used in multiple high-profile ransomware attacks, advanced persistent threat (APT) campaigns, and espionage activities.\r\nIn my own experience investigating large-scale incidents, I encountered Cobalt Strike in 20 of 25 big-game ransomware cases over the past 12 months, as well as in one APT campaign. This echoes findings from other researchers, such as Cisco Talos, which noted:\r\n“Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans.”\r\nhttps://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468\r\nPage 1 of 14\r\nLike many powerful tools, Cobalt Strike is frequently cracked and offered on underground forums shortly after new versions are released. This accessibility has contributed to its growing use in cyberattacks.\r\nCracked Cobalt Strike 4.2 offered on an underground forum\r\nCobalt Strike detection methods\r\nThe industry is full of good tools, so what’s the fuss about Cobalt Strike?\r\nCobalt Strike’s appeal lies in its balance between advanced functionality and ease of use, making it attractive to both seasoned professionals and novice attackers. Its official video course is even available for free, further broadening its reach.\r\nGiven the widespread adoption of Cobalt Strike in cyberattacks, incident responders have developed specific workflows to analyze its beacons — whether on disk, in memory, or via network traffic. However, recent updates to the platform have introduced features that enable fileless execution, making detection more difficult. This poses a significant challenge to digital forensics and incident response (DFIR) teams, especially when dealing with incomplete data, missing event logs, or inconsistent network records.\r\nIn some investigations, I’ve had to parse millions of network events and thousands of IP addresses in search of Cobalt Strike C2 servers because all other endpoint artifacts were unavailable. In this article, I’ll outline some network-based techniques for detecting Cobalt Strike C2 servers that blue teams, incident responders, and threat intelligence analysts can use for both active defense and proactive threat hunting.\r\nCobalt Strike threat surface detection using JARM fingerprints\r\nJARM fingerprints, developed by Salesforce Engineering, are an effective way to detect malicious C2 servers. They can help reduce the threat surface from billions of IP addresses to a more manageable subset before analyzing each C2 server individually.\r\nIn April 2021, I identified three distinct Cobalt Strike JARM fingerprints in C2 servers deployed globally. While much of the current research focuses on the widespread 07…b1 JARM fingerprint, other fingerprints should not be disregarded:\r\n07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175\r\n2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53\r\n07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nUsing Shodan, I reduced the potential threat surface to several tens of thousands of IP addresses for each fingerprint. Despite this, the actual number of active C2 servers I identified on May 3, 2021, was much smaller — only 474 servers.\r\n07d14d16d21d21d07c07d14d07d21d9b2f5869a6985368a9dec764186a9175 (32,764 IPs)\r\n2ad2ad16d2ad2ad22c42d42d00042d58c7162162b6a603d3d90a2b76865b53 (6,919 IPs)\r\n07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 (7,092 IPs)\r\nThe threat surface based solely on the JARM fingerprints is large compared to the actual number of C2s I found active on May 3, 2021 (474 active C2 servers).\r\nCobalt Strike Detection Using Certificate Serial Numbers\r\nAnother method I’ve found effective involves identifying C2 servers by their certificate serial numbers. Many Cobalt Strike C2 servers in the wild use a generic certificate with the serial number 146473198. While JARM fingerprints rely on TLS certificates, different implementations using the same certificate can yield different JARM results. Thus, searching for C2 servers based on serial numbers can complement JARM fingerprinting.\r\nOn May 3, 2021, I found 914 potential C2 servers using Shodan, based on this certificate serial number. Interestingly, there was less than 50% overlap between the JARM-identified servers and those identified through certificate serial numbers, demonstrating the value of combining detection methods.\r\nVersion: 3 (0x2)\r\nSerial Number: 146473198 (0x8bb00ee)\r\nFingerprint Algorithm: sha256WithRSAEncryption\r\nIss\r\nOn May 3, 2021, I found 914 potential C2 servers, based on Shodan results.\r\nCobalt Strike C2 servers threat surface based on certificate serial number\r\nAgain, the threat surface is large compared to the actual number of C2s I found active on May 3, 2021, but to point out one interesting fact, there was less than 50% overlap between the JARM fingerprint population and the certificate-based detection.\r\nThreat Surface Reduction by Payload Retrieval\r\nWhile JARM and certificate-based detection methods provide a strong starting point, retrieving payloads from potential C2 servers further refines the threat surface. By actively interacting with Cobalt Strike C2 servers, it’s possible to extract beacon configurations and confirm C2 activity.\r\nI used the Nmap implementation of the payload retrieval technique (grab_beacon_config script) created by GitHub user “whickey-r7” to automate this process. This method efficiently retrieves beacon configurations from Cobalt Strike C2 servers, providing critical information such as the beacon type, polling intervals, and C2 server addresses.\r\nHere’s an example of a successful Nmap scan result:\r\nNmap scan report for 193.29.13.201\r\nHost is up (0.014s latency).\r\nPORT STATE SERVICE\r\n80/tcp open http\r\nThis script allows organizations to scale their Cobalt Strike detection across thousands of IP addresses. While scanning the entire internet for Cobalt Strike C2 servers would be excessive for most organizations, focusing on a well-defined threat surface is far more manageable.\r\nOn May 3, 2021, by scanning the servers identified using JARM fingerprints and certificate serial numbers, I confirmed the presence of 474 active C2 servers.\r\nConclusions\r\nThe network-based detection techniques discussed here provide a cost-effective method for defending networks against threat actors leveraging Cobalt Strike, particularly in big-game ransomware campaigns. While no single detection method is foolproof, combining JARM fingerprinting, certificate serial number analysis, and payload retrieval significantly enhances detection accuracy. As threat actors continue to modify their use of Cobalt Strike, defenders must also evolve their detection and mitigation strategies to stay ahead of these evolving threats.\r\nAppendix A — Cobalt Strike C2 Servers List (3rd May 2021)\r\n1.14.132.218,/kj.js\r\n1.14.132.218,/ur.js\r\n1.15.139.40,/activity\r\n1.15.139.40,/push\r\n1.15.139.40,/visit.js\r\n1.15.175.22,/j.ad\r\n1.15.230.57,/load\r\n1.15.230.57,/match\r\n10.10.16.2,/ga.js\r\n10.248.1.135,/ga.js\r\n100.24.56.227,/bing\r\n101.132.149.198,/match\r\n101.132.251.212,/en_US/all.js\r\n101.28.128.125,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=bo\r\n103.234.54.146,/ptj\r\n103.234.54.146,/push\r\n103.234.72.248,/pixel\r\n103.234.72.248,/ptj\r\n103.234.72.64,/updates\r\n103.242.133.19,/dpixel\r\n103.73.97.119,/updates\r\n103.79.79.16,/jquery-3.3.1.min.js\r\n104.243.46.74,/__utm.gif\r\n104.243.46.74,/ca\r\n104.243.46.74,/push\r\n104.248.148.74,/cx\r\n104.248.148.74,/en_US/all.js\r\n104.36.231.42,/cx\r\n104.36.231.42,/j.ad\r\n106.15.197.67,/jquery-3.3.1.min.js\r\n106.52.152.85,/IE9CompatViewList.xml\r\n106.52.152.85,/push\r\n106.52.181.247,/match\r\n106.55.153.204,/en_US/all.js\r\n108.166.207.133,/cm\r\n108.166.207.133,/pixel\r\n109.201.142.17,/IE9CompatViewList.xml\r\n109.201.142.17,/updates.rss\r\n109.236.84.121,/IE9CompatViewList.xml\r\n109.236.84.121,/load\r\n109.236.84.121,/updates.rss\r\n113.31.118.7,/g.pixel\r\n113.31.118.7,/match\r\n113.31.118.7,/pixel\r\n113.31.118.7,/push\r\n114.117.208.80,/geo/collect/v1\r\n114.55.173.68,/g.pixel\r\n114.55.173.68,/IE9CompatViewList.xml\r\n115.159.143.241,/en_US/all.js\r\n115.159.143.241,/ga.js\r\n116.62.115.46,/dot.gif\r\n116.62.115.46,/ptj\r\n117.78.1.204,/jquery-3.3.1.min.js\r\n119.29.189.237,/cx\r\n119.29.189.237,/load\r\n119.3.141.162,/jquery-3.3.1.min.js\r\n120.48.22.178,/j.ad\r\n120.79.29.153,/cm\r\n120.92.139.155,/en_US/all.js\r\n120.92.139.155,/j.ad\r\n120.92.139.155,/match\r\n120.92.139.155,/ptj\r\n121.196.153.136,/ca\r\n121.196.63.110,/cx\r\n121.5.103.116,/visit.js\r\n121.5.162.169,/ga.js\r\n123.57.73.247,/updates\r\n124.156.148.167,/pixel.gif\r\n13.51.149.17,/cm\r\n13.51.149.17,/cx\r\n13.51.149.17,/match\r\n134.122.134.87,/activity\r\n134.209.5.246,/j.ad\r\n134.209.5.246,/visit.js\r\n134.209.92.85,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=books\r\n139\r\n139.155.27.71,/dpixel\r\n139.155.27.71,/en_US/all.js\r\n139.155.42.254,/ga.js\r\n139.155.42.254,/ptj\r\n139.162.221.161,/jquery-3.3.1.min.js,192.46.221.58,/jquery-3.3.1.min.js\r\n139.196.153\r\n139.196.153.6,/updates.rss\r\n139.60.161.99,/activity\r\n139.60.161.99,/cx\r\n139.60.161.99,/en_US/all.js\r\n14.192.48.91,/dpixel\r\n14.192.48.91,/ptj\r\n144.34.187.147,/wp08/wp-includes/dtcla.php\r\n145.249.106.104,/cm\r\n145.249.106.104,/dpixel\r\n145.249.106.104,/visit.js\r\n145.249.107.35,/__utm.gif\r\n145.249.107.35,/en_US/all.js\r\n145.249.107.35,/IE9CompatViewList.xml\r\n149.248.1.200,/updates.rss\r\n149.28.20.245,/search/\r\n149.28.233.123,/__utm.gif\r\n149.28.233.123,/ca\r\n149.28.233.123,/visit.js\r\n151.236.14.53,/en_US/all.js\r\n151.236.14.53,/load\r\n154.220.3.226,/preload\r\n154.91.164.69,/cm\r\n154.91.164.69,/dpixel\r\n155.138.215.103,/ca\r\n156.236.114.72,/dpixel\r\n156.236.114.72,/ptj\r\n156.255.2.36,/pixel.gif\r\n156.255.3.224,/visit.js\r\n159.75.136.108,/g.pixel\r\n160.124.103.152,/updates.rss\r\n163.172.39.102,/index.jsp\r\n164.138.25.191,/resolve/alter/,46.19.37.133,/resolve/alter/\r\n167.179.79.212,/jquery-3.3.1.min.js\r\n172.241.27.70,/bg.css\r\n172.67.129.206,/bfs/static/jinkela/long/sentry/sentry-5.7.1.vue.min.js\r\n172.81.205.217,/IE9CompatViewList.xml\r\n172.82.148.202,/us/ky/louisville/312-s-fourth-st.html\r\n172.98.192.91,/s/ref=nb_sb_noss_1/167–3294888–02\r\n172.98.192.94,/g.pixel\r\n173.82.197.229,/fwlink\r\n175.24.138.70,/dot.gif\r\n176.105.252.144,/fwlink\r\n176.111.174.66,/dot.gif\r\n176.111.174.66,/updates.rss\r\n176.121.14.113,/activity\r\n176.121.14.113,/ca\r\n176.121.14.113,/j.ad\r\n18.163.120.26,/__utm.gif\r\n18.163.120.26,/match\r\n185.106.123.101,/fwlink\r\n185.14.29.42,/jquery-3.3.1.min.js\r\n185.153.199.164,/pixel\r\n185.153.199.164,/visit.js\r\n185.158.248.106,/activity\r\n185.158.248.106,/en_US/all.js\r\n185.158.248.106,/ga.js\r\n185.158.249.38,/dpixel\r\n185.158.249.38,/ga.js\r\n185.158.249.38,/pixel\r\n185.158.249.38,/pixel.gif\r\n185.162.235.35,/fwlink\r\n185.162.235.35,/pixel.gif\r\n185.162.235.35,/push\r\n185.20.186.108,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=books\r\n185.21\r\n185.232.52.137,/dpixel\r\n185.232.52.137,/IE9CompatViewList.xml\r\n185.232.52.137,/load\r\n185.25.51.172,/mobile-android\r\n185.25.51.55,/copyright.js\r\n185.82.202.123,/j.ad\r\n188.119.113.24,/__utm.gif\r\n192.168.100.103,/fam_newspaper.html\r\n193.112.10.125,/en_US/all.js\r\n193.29.13.201,/__utm.gif\r\n193.29.13.201,/g.pixel\r\n193.29.13.201,/j.ad\r\n193.29.13.209,/pixel\r\n193.29.13.209,/updates.rss\r\n194.15.216.20,/dot.gif\r\n194.165.16.60,/cx\r\n194.165.16.60,/fwlink\r\n194.165.16.60,/push\r\n195.123.217.45,/jquery-3.3.1.min.js\r\n195.123.222.12,/jquery-3.3.1.min.js\r\n195.123.222.5,/jquery-3.3.1.min.js\r\n202.182.101.162,/match\r\n207.148.107.212,/load\r\n207.148.65.247,/ptj\r\n209.141.37.21,/ca\r\n209.141.37.21,/dot.gif\r\n209.141.37.21,/updates.rss\r\n212.95.157.61,/push\r\n212.95.157.61,/updates.rss\r\n213.135.78.244,/hr.css\r\n213.202.211.246,/metro91/admin/1/ppptp.jpg\r\n213.217.0.216,/pixel\r\n213.217.0.216,/push\r\n213.217.0.216,/updates.rss\r\n213.217.0.217,/__utm.gif\r\n213.217.0.217,/cx\r\n213.217.0.217,/match\r\n213.217.0.217,/pixel.gif\r\n213.217.0.218,/ca\r\n213.217.0.218,/IE9CompatViewList.xml\r\n213.252.244.213,/fam_cart\r\n213.252.245.19,/ab\r\n217.12.201.100,/jquery-3.3.1.min.js\r\n217.12.218.46,/jquery-3.3.1.min.js\r\n218.253.251.115,/ga.js\r\n218.253.251.115,/IE9CompatViewList.xml\r\n23.106.223.79,/activity\r\n23.163.0.12,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=books\r\n3.137\r\n31.44.184.232,/__utm.gif\r\n31.44.184.232,/pixel\r\n31.44.184.73,/dot.gif\r\n31.44.184.73,/en_US/all.js\r\n31.44.184.73,/IE9CompatViewList.xml\r\n31.44.184.73,/updates.rss\r\n31.44.3.198,/ptj\r\n34.92.237.17,/dot.gif\r\n34.96.156.66,/pixel.gif\r\n35.200.6.25,/ur.js\r\n35.221.239.215,/jquery-3.3.1.min.js\r\n35.224.197.52,/__utm.gif\r\n35.224.197.52,/ga.js\r\n35.224.197.52,/pixel.gif\r\n35.236.132.18,/load\r\n35.236.132.18,/updates.rss\r\n37.252.120.101,/resolve/alter/\r\n37.61.205.212,/updates\r\n39.97.216.224,/IE9CompatViewList.xml\r\n42.192.119.64,/load\r\n42.193.127.38,/owa/\r\n42.193.220.214,/updates.rss\r\n42.194.133.101,/en_US/all.js\r\n42.194.133.101,/visit.js\r\n45.137.10.148,/dpixel\r\n45.138.209.73,/fwlink\r\n45.144.3.120,/ca\r\n45.145.36.210,/ga.js\r\n45.146.164.199,/__utm.gif\r\n45.146.164.199,/dpixel\r\n45.146.165.143,/complete/search\r\n45.199.160.117,/ca\r\n45.32.136.204,/jquery-3.3.1.min.js,axiommortgagebankers.com,/jquery-3.3.1.min.js\r\n45\r\n45.32.92.183,/j.ad\r\n45.33.27.73,/cx\r\n45.33.27.73,/dpixel\r\n45.33.27.73,/en_US/all.js\r\n45.33.27.73,/push\r\n45.76.202.78,/IE9CompatViewList.xml\r\n45.76.202.78,/j.ad\r\n45.77.249.181,/updates.rss\r\n45.92.156.97,/__utm.gif\r\n45.92.156.97,/updates.rss\r\n45.93.201.114,/en_US/all.js\r\n45.93.201.114,/pixel.gif\r\n46.101.98.38,/sxn/start\r\n47.103.102.194,/pixel\r\n47.103.158.65,/cm\r\n47.104.143.234,/__utm.gif\r\n47.104.156.242,/v1/act\r\n47.104.253.89,/cx\r\n47.104.253.89,/push\r\n47.108.16.11,/2016–08–15/proxy/Test/main/index\r\n47.108.246.116,/pixel\r\n47.110.147.243,/ca\r\n47.111.163.10,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=books\r\n47.114.36\r\n47.57.125.197,/__utm.gif\r\n47.57.125.197,/activity\r\n47.57.125.197,/pixel\r\n47.57.125.197,/ptj\r\n47.90.202.152,/updates.rss\r\n47.94.20.209,/admin\r\n47.98.99.15,/visit.js\r\n47.99.178.84,/cx\r\n47.99.178.84,/ga.js\r\n49.234.184.176,/en_US/all.js\r\n49.234.184.176,/fwlink\r\n49.234.93.169,/cx\r\n49.234.93.169,/dpixel\r\n49.235.217.243,/pixel,https://m1xg.tk,/pixel,https://m1xg.cf,/activity\r\n49.235.92\r\n49.235.92.191,/cm\r\n5.181.156.46,/j.ad\r\n5.189.184.60,/RELEASE.html\r\n5.2.70.173,/__utm.gif\r\n5.2.70.173,/fwlink\r\n5.2.70.173,/visit.js\r\n5.252.179.195,/match\r\n5.34.178.43,/posting.js\r\n5.34.182.210,/updates.rss\r\n5.39.221.60,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=books\r\n51.8\r\n51.83.79.151,/load\r\n52.211.36.208,/s/ref=nb_sb_noss_1/089–89185991–7448134/field-keywords=eye\r\n52.229.22\r\n61.168.100.179,/api/getit\r\n62.171.142.145,/api/getit\r\n66.42.56.42,/jquery-3.3.1.min.js\r\n69.49.229.88,/ca\r\n69.49.229.88,/dot.gif\r\n69.49.229.88,/dpixel\r\n69.49.229.88,/ga.js\r\n74.121.148.47,/image/\r\n78.128.112.134,/match\r\n78.128.112.215,/g.pixel\r\n79.110.52.172,/activity\r\n8.136.228.12,/groupcp\r\n8.140.105.214,/ca\r\n8.140.105.214,/cx\r\n8.210.161.205,/ca\r\n8.210.161.205,/IE9CompatViewList.xml\r\n81.69.10.55,/g.pixel\r\n81.70.155.208,/fwlink\r\n85.208.110.108,/cm\r\n88.198.165.127,/nd\r\n94.103.94.203,/match\r\n94.103.94.203,/visit.js\r\n95.179.239.225,/dot.gif\r\n95.179.239.225,/IE9CompatViewList.xml\r\n98.142.143.100,/access/\r\na.officecalendar.biz,/owa/\r\naccounts.bankpaygateway.com,/jquery-1.12.1.min.js\r\naphina-sec.com,/j.ad\r\naphina-sec.com,/push\r\napi.onedriev.tk,/jquery-3.3.1.min.js\r\nasismdnu.asisdns.space,/s/ref=nb_sb_noss_1/167–3294888–0262949/fi\r\navetool.com,/us/ky/louisville/312-s-fourth-st.html\r\nazama12.com,/jquery-3.3.1.min.js\r\nbanweb.cityu.dev,/core/wp-includes/pol.php,cc12234.cityu.dev,/center/\r\nbanweb.cityu.dev,/include/template/ClassSvc.php,cc12234.cityu.dev,/include/template/ClassSvc.php,lb23\r\nbest73.com,/SocContent/webfont.css,www.shopex.cn,/SocContent/webfont.css\r\nbigbrotheriswatchingyou.herok\r\nbigbrotheriswatchingyou.herokuapp.com,/pixel\r\nbookcasegreeting632.roman-indigo.com,/viewerng/meta\r\nbraunballon.com,/jquery-3.3.1.min.js\r\nbuy9182.com,/RELEASES.js\r\ncdn.lbwd.net,/s/ref=nb_sb_noss_1/596–20814129–5816322/field-keywords=timecdn\r\ncdn.sogou-update.com,/template.css\r\ncdn.usbankcreditcards.com,/oscp/\r\ncharityhouseofbrooklin.com,/mobile-android\r\nchmowd.xyz,/MicrosoftUpdate/ShellEx/KB242742/default.aspx,p\r\ncloudflare.com,/r_config\r\nclubuz.com,/us/ky/louisville/312-s-fourth-st.html\r\ncontrol.commanderinthe.cloud,/search/\r\ncuphq.com,/pixel.gif,104.243.41.123,/cm\r\ncuphq.com,/visit.js,104.243.41.123,/fwlink\r\ncymkpuadkduz.xyz,/latest/pip-check\r\nd3kgm44zuz83i3.cloudfront.net,/access/\r\nDailyHealthGuide.org,/jquery-3.3.1.min.js\r\ndain22.net,/userid=\r\ndataoss.microsoft.com.w.kunluncan.com,/jquery-3.3.1.min.js\r\ndataprotocol.site,/config\r\ndataprotocol.site,/login\r\ndocrule.com,/en.css,prepcar.com,/sq.css\r\ndocrule.com,/link.css,prepcar.com,/sq.css\r\ndomways.com,/us/ky/louisville/312-s-fourth-st.html\r\ndrellio.com,/userid=\r\nec2–54–82–176–65.compute-1.amazonaws.com,/s/ref=nb_sb_noss_1/167–3294888–0262949/\r\nexrap.com,/us/ky/louisville/312-s-fourth-st.html\r\nfastpic-domain.com,/logo.js,185.25.51.67,/na.js\r\nfastpic-domain.com,/na.js,185.25.51.67,/logo.js\r\nfastpighostmerch.com,/html\r\nfedex-global.com,/MicrosoftUpdate/ShellEx/KB242742/default.aspx\r\nfeusa.net,/userid=\r\nfindcola.com,/us/ky/louisville/312-s-fourth-st.html,64.187.239.74,/us/ky/louisville\r\nforteupdate.com,/activity\r\nforteupdate.com,/IE9CompatViewList.xml\r\nforteupdate.com,/match\r\nfubukipr.xyz,/rs\r\nfut1.net,/userid=\r\ngonzofabriq.com,/jquery-3.3.1.min.js\r\ngrayballon.com,/jquery-3.3.1.min.js\r\ngreattxmsng-imgx.com,/ak.js\r\nhars2t.com,/userid=\r\nhelle1.net,/userid=\r\nhelp01.softether.net,/users/sign_in,work.cloud01.tk,/users/sign_in,work.cloud20.tk\r\nidxup.com,/us/ky/louisville/312-s-fourth-st.html,dbhigh.com,/us/ky/louisville/312-s-fourth-st.html\r\nimg\r\nisaacrevia.com,/bg\r\njquery.thinkphp.me,/jquery-3.3.1.min.js\r\njs.news1010.net,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords=books\r\nkasaa.net,/userid=\r\nkeit1on.net,/userid=\r\nlagrom.com,/send.html\r\nlhweb.xyz,/Sample/DownloadFile\r\nliojikd.com,/posting.js\r\nliojikd.com,/RELEASE.js\r\nluoli233.top,/dot.gif\r\nluoli233.top,/IE9CompatViewList.xml\r\nluoli233.top,/ptj\r\nmaren2.com,/userid=\r\nmassflip.com,/us/ky/louisville/312-s-fourth-st.html,mixalt.com,/us/ky/louisville/312-s-fourth-st.html\r\nmgfee.com,/fo.html\r\nmicrosoftchina.org,/dot.gif\r\nmingrand.com,/jquery-3.3.1.min.js\r\noaelf.com,/us/ky/louisville/312-s-fourth-st.html,sslfeed.com,/us/ky/louisville/312-s-fourth-st.html\r\npe\r\npnwcontent-delivery.com,/updates.rss\r\npresidentofschool14.com,/ab\r\nprivate.medicaloptionsfinance.com,/real-world-investing/\r\nqw.hashsystem.xyz,/RELEASE,as.hashsystem.xyz\r\nregister.hr-tencent.com,/view/\r\nrepdot.com,/us/ky/louisville/312-s-fourth-st.html\r\nresnote.com,/us/ky/louisville/312-s-fourth-st.html,172.82.148.202,/us/ky/louisville/312-s-fourth-st.h\r\nsafeconnections.xyz,/__utm.gif\r\nsafeconnections.xyz,/__utm.gif,176.123.8.228,/__utm.gif\r\nsbgprodib.oberto.za.net,/__utm.gif\r\nscalewa.com,/sm.html\r\nservice.office247.tech,/match\r\nservice-0dibtqsv-1255352921.cd.apigw.tencentcs.com,/api/getit\r\nservice-4f1dmvy9–1252742900.sh.apigw.tencentcs.com,/api/getit\r\nservice-6eqxujkd-1255352921.cd.apigw.tencentcs.com,/api/getit\r\nservice-dr6r4kg0–1304343953.gz.apigw.tencentcs.com,/api/getid\r\nservice-j024ikqq-1259268926.gz.apigw.tencentcs.com,/api/getit\r\nservice-muqfpxbh-1304245224.cd.apigw.tencentcs.com,/api/getit\r\nservice-p44yb571–1300400844.cd.apigw.tencentcs.com,/script/VUE/src/main.js\r\nservice-pfzr9eww-1304703456.hk.apigw.tencentcs.com,/api/getit\r\nservices.rogerscorp.cloud,/jquery-3.3.1.min.js\r\nshimatos.com,/jquery-3.3.1.min.js\r\nshop.redlist.cyou,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keyw\r\nsitehealthcheck.org,/oscp/\r\nssl363648.cloudflaressl.com,/cm\r\nstatic.azureimgages.com,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-\r\nsyscx.com,/dpixel\r\ntailgatethenation.com,/find.html\r\ntelemetry.wessonlabpartners.com,/jquery-3.3.1.min.js,admitting.health\r\ntest.axibala.club,/cm\r\ntest.axibala.club,/g.pixel\r\ntest.axibala.club,/ga.js\r\ntest2.floridasattorneys.com,/blog\r\ntmestoragetest.azureedge.net,/obj_\r\ntouchroof.com,/modcp,focuslex.com,/modcp\r\nts.wii.qq.com,/ping\r\ntulls.net,/userid=\r\nudpdeliveryddp.com,/fam_cart\r\nupdate.software-update.tk,/upload/google-3\r\nus.netsuite-labs.com,/ocsp/a/\r\nus-systemtest.com,/s/ref=nb_sb_noss_1/167–3294888–0262949/field-keywords\r\nvianodata.com,/match\r\nvianodata.com,/push\r\nw.668526.com,/default\r\nwellser.org,/userid=\r\nwenku.qq.com.0a492012.c.cdnhwc1.com,/Activate/v1.87/3O3SB5SNQ5\r\nworkfromhomeblueprints.azureedge.net,/update/\r\nwww.bankrate.com,/index.html,cnn.com,/index.html\r\nwww.bloomberg.com,/table/\r\nwww.csmu.website,/cx\r\nwww.csmu.website,/ga.js\r\nwww.cumberlandplasticsurgery.com,/user/profile\r\nwww.google-dev.tk,/jquery-3.3.1.min.js\r\nwww.hellomrsone.com,/jquery-3.3.1.min.js\r\nwww.nfsq.ml,/__utm.gif\r\nwww.qiniu.com,/pixel\r\nwww.qiniu.com,/s\r\nwww.qs-hosting.com,/ocsp/a/\r\nwww.unwomen.org,/jquery-3.3.1.min.js,www.prodibi.com,/jquery-3.3.1.min.js\r\nx-w-x.herokuapp.com,/jquery-3.3.1.min.js\r\nzipflag.com,/us/ky/louisville/312-s-fourth-st.html\r\nSource: https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468"
	],
	"report_names": [
		"improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d01cda8bfafd5c6958720476e6dfdc698a0b3097.pdf",
		"text": "https://archive.orkl.eu/d01cda8bfafd5c6958720476e6dfdc698a0b3097.txt",
		"img": "https://archive.orkl.eu/d01cda8bfafd5c6958720476e6dfdc698a0b3097.jpg"
	}
}