{
	"id": "82d72532-3039-4f0d-ad2f-e4b6ae9e2063",
	"created_at": "2026-04-06T00:14:00.388493Z",
	"updated_at": "2026-04-10T13:11:46.011331Z",
	"deleted_at": null,
	"sha1_hash": "d70cbe6dff0af420c891ee0cb13937ee9ea3c61d",
	"title": "Europol coordinates global action against criminal abuse of Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40144,
	"plain_text": "Europol coordinates global action against criminal abuse of Cobalt\r\nStrike\r\nBy Europol\r\nPublished: 2024-07-03 · Archived: 2026-04-05 13:58:08 UTC\r\nLaw enforcement has teamed up with the private sector to fight against the abuse of a legitimate security tool by\r\ncriminals who were using it to infiltrate victims’ IT systems. Older, unlicensed versions of the Cobalt Strike red\r\nteaming tool were targeted during a week of action coordinated from Europol’s headquarters between 24 and 28\r\nJune. \r\nThroughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a\r\nrange of domain names used by criminal groups, for online service providers to disable unlicensed versions of the\r\ntool. A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week,\r\n593 of these addresses had been taken down.\r\nKnown as Operation MORPHEUS, this investigation was led by the UK National Crime Agency and involved law\r\nenforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States. Europol\r\ncoordinated the international activity, and liaised with the private partners. This disruptive action marks the\r\nculmination of a complex investigation initiated in 2021. \r\nAbuse by cybercriminals \r\nCobalt Strike is a popular commercial tool provided by the cybersecurity software company Fortra. It is designed\r\nto help legitimate IT security experts perform attack simulations that identify weaknesses in security operations\r\nand incident responses. In the wrong hands, however, unlicensed copies of Cobalt Strike can provide a malicious\r\nactor with a wide range of attack capabilities.\r\nFortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement\r\nthroughout this investigation to protect the legitimate use of its tools. 
However, in rare circumstances, criminals\r\nhave stolen older versions of Cobalt Strike, creating cracked copies to gain backdoor access to machines and\r\ndeploy malware. Such unlicensed versions of the tool have been connected to multiple malware and ransomware\r\ninvestigations, including those into RYUK, Trickbot and Conti.\r\nCooperation with the private sector \r\nCooperation with the private sector was instrumental in the success of this disruptive action. A number of private\r\nindustry partners supported the action, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch\r\nand The Shadowserver Foundation. These partners deployed enhanced scanning, telemetry and analytical\r\ncapabilities to help identify malicious activities and use by cybercriminals.  \r\nThis novel approach is possible thanks to Europol’s amended Regulation which has strengthened the Agency’s\r\ncapacity to better support EU Member States, including by collaborating with the private sector. Through this\r\nnovel approach, Europol can gain access to real-time threat intelligence and a broader perspective on\r\ncybercriminal tactics. This partnership enables a more coordinated and comprehensive response, ultimately\r\nenhancing the overall resilience of the digital ecosystem across Europe.\r\nEuropol support\r\nEuropol’s European Cybercrime Centre (EC3) has been supporting this case since September 2021 by providing\r\nanalytical and forensic support, and facilitating the information exchange between all the partners.\r\nLaw enforcement used a platform, known as the Malware Information Sharing Platform, to allow the private\r\nsector to share real-time threat intelligence with law enforcement. 
Over the span of the whole investigation, over\r\n730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise.\r\nIn addition, Europol’s EC3 organised over 40 coordination meetings between the law enforcement agencies and\r\nthe private partners. During the week of action, Europol set up a virtual command post to coordinate law\r\nenforcement action across the globe. \r\nThe disruption does not end here. Law enforcement will continue to monitor and carry out similar actions as long\r\nas criminals keep abusing older versions of the tool.\r\nThe following authorities were part of the investigation:\r\nAustralia: Australian Federal Police (AFP)\r\nCanada: Royal Canadian Mounted Police (RCMP)\r\nGermany: Federal Criminal Police Office (Bundeskriminalamt)\r\nThe Netherlands: National Police (Politie)\r\nPoland: Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości)\r\nUnited Kingdom: National Crime Agency (NCA)\r\nUnited States: U.S. Department of Justice, Federal Bureau of Investigation (FBI)\r\nAuthorities in the following countries supported the disruption activity: \r\nBulgaria\r\nEstonia\r\nFinland\r\nLithuania\r\nJapan\r\nSouth Korea \r\n \r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike"
	],
	"report_names": [
		"europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d70cbe6dff0af420c891ee0cb13937ee9ea3c61d.pdf",
		"text": "https://archive.orkl.eu/d70cbe6dff0af420c891ee0cb13937ee9ea3c61d.txt",
		"img": "https://archive.orkl.eu/d70cbe6dff0af420c891ee0cb13937ee9ea3c61d.jpg"
	}
}