{
	"id": "4ad602ab-77e6-4076-b060-e00a20227ff3",
	"created_at": "2026-04-06T00:13:24.390597Z",
	"updated_at": "2026-04-10T03:24:24.342221Z",
	"deleted_at": null,
	"sha1_hash": "d993a7b6c94e4d9b29e3292539d35a2ee3bdd73d",
	"title": "Making Cobalt Strike harder for threat actors to abuse",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 620864,
	"plain_text": "Making Cobalt Strike harder for threat actors to abuse\r\nBy Greg Sinclair\r\nPublished: 2022-11-18 · Archived: 2026-04-05 17:23:42 UTC\r\nCobalt Strike, the popular tool used by red teams to test the resilience of their cyber defenses, has seen many\r\niterations and improvements over the last decade. First released in 2012, it was originally the commercial spinoff\r\nof the open-source Armitage project that added a graphical user interface (GUI) to the Metasploit framework to\r\nhelp security practitioners detect software vulnerabilities more quickly. \r\nIt has since matured into a point-and-click system for the deployment of the Swiss Army Knife of remote access\r\ntools onto targeted assets. While the intention of Cobalt Strike is to emulate a real cyber threat, malicious actors\r\nhave latched on to its capabilities, and use it as a robust tool for lateral movement in their victim’s network as part\r\nof their second-stage attack payload. \r\nCobalt Strike vendor Fortra (until recently known as Help Systems) uses a vetting process that attempts to\r\nminimize the potential that the software will be provided to actors who will use it for nefarious purposes, but\r\nCobalt Strike has been leaked and cracked over the years. These unauthorized versions of Cobalt Strike are just as\r\npowerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily.\r\nWe are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal\r\nCollection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since\r\nmany threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by\r\ndisrupting its use we can help protect organizations, their employees, and their customers around the globe. 
\r\nInside Cobalt Strike\r\nhttps://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse\r\nPage 1 of 3\n\nCobalt Strike is a collection of multiple software tools rolled into a single JAR file. An actor begins by activating\r\nthe Team Server component, which sets up a centralized server that operates as both a Command and Control (C2)\r\nendpoint and a coordinating hub for multiple actors to control infected devices.\r\nFigure 1: Typical Cobalt Strike infrastructure setup\r\nActors connect to the Team Server by activating the JAR as a Client. The Client serves the GUI from which the\r\nactor can control the Team Server and infected hosts. The Team Server generates a multitude of attack framework\r\ncomponents that actors can deploy to infect and control remote endpoints. \r\nCobalt Strike contains several delivery templates for JavaScript, VBA macros, and PowerShell scripts which can\r\ndeploy small shellcode (diskless) implants known as stagers. These stagers call back to the Team Server via one of\r\nthe supported communication channels, including HTTP/HTTPS, SMB, and DNS, to download the final stage\r\nimplant known as the Beacon.\r\nThe Beacon is the core binary that gives the actor control over the infected computer. It supports multiple\r\ncommands and operations, while also being extensible to enable downloading and execution of actor-developed\r\nmodules. The Team Server/Client model also allows multiple actors to collaborate on a collection of infected\r\nassets.\r\nThe stagers, templates, and beacon are contained within the Cobalt Strike JAR file. They are not created on the fly,\r\nnor are they heavily obfuscated before deployment from the Team Server. Cobalt Strike offers basic protection\r\nusing a reversible XOR encoding. 
\r\nSolving for hacked Cobalt Strike\r\nWe were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (circa 2012) up to version\r\n4.7 (the latest version at the time of publishing this blog). We cataloged the stagers, templates, and beacons,\r\nincluding the XOR encodings used by Cobalt Strike since version 1.44.\r\nWith the set of Cobalt Strike components available, we built YARA-based detection across these malicious\r\nvariants in the wild with a high degree of accuracy. Each Cobalt Strike version contains approximately 10 to 100\r\nattack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files\r\nacross these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures\r\nwritten to detect them. \r\nFor each release version of Cobalt Strike, we found that a new, unique beacon component is usually created. The\r\nstagers and templates, however, tend to be more constant across versions. Looking for unique stagers, templates,\r\nand beacons across the different versions, a total of 165 signatures were generated to detect these Cobalt Strike\r\ncomponents across the versions of Cobalt Strike up to and including version 4.7. \r\nOur goal was to make high-fidelity detections to enable pinpointing the exact version of particular Cobalt Strike\r\ncomponents. Whenever possible, we built signatures to detect specific versions of the Cobalt Strike component. 
\r\nContaining Cobalt Strike abuse\r\nWe decided that detecting the exact version of Cobalt Strike was an important component to determining the\r\nlegitimacy of its use by non-malicious actors since some versions have been abused by threat actors.\r\nWe wanted to enable better detection of actions done by bad actors, and we needed a surgical approach to excise\r\nthe bad versions while leaving the legitimate ones untouched. This required detecting the exact version of the\r\nCobalt Strike component. By targeting only the non-current versions of the components, we can leave the most\r\nrecent versions alone, the version that paying customers are using. \r\nThe leaked and cracked versions of Cobalt Strike are not the latest versions from Fortra, but are typically at least\r\none release version behind. We focused on these versions by crafting hundreds of unique signatures that we\r\nintegrated as a collection of community signatures available in VirusTotal. We also released these signatures as\r\nopen source to cybersecurity vendors who are interested in deploying them within their own products, continuing\r\nour commitment to improving open source security across the industry. \r\nOur intention is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to\r\nabuse. For more on using YARA Rules to help stop the abuse of Cobalt Strike, you can listen to this special\r\nGoogle Cloud Security podcast.\r\nPosted in\r\nSecurity \u0026 Identity\r\nSource: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
	],
	"report_names": [
		"making-cobalt-strike-harder-for-threat-actors-to-abuse"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d993a7b6c94e4d9b29e3292539d35a2ee3bdd73d.pdf",
		"text": "https://archive.orkl.eu/d993a7b6c94e4d9b29e3292539d35a2ee3bdd73d.txt",
		"img": "https://archive.orkl.eu/d993a7b6c94e4d9b29e3292539d35a2ee3bdd73d.jpg"
	}
}