{
	"id": "d28d9ca5-77d5-4970-bdd4-b55314e823c3",
	"created_at": "2026-04-06T00:06:36.310605Z",
	"updated_at": "2026-04-10T03:24:23.659821Z",
	"deleted_at": null,
	"sha1_hash": "e5b26f225f2364dc23ac772d1447c108899f343e",
	"title": "Malware Targets InfoSec: Fake PoC Delivers Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1923727,
	"plain_text": "Malware Targets InfoSec: Fake PoC Delivers Cobalt Strike\r\nPublished: 2022-05-20 · Archived: 2026-04-05 16:28:17 UTC\r\nMalware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon\r\nIt is essential for members of the infosec community to check the credibility of sources before downloading any proof of concept.\r\nRecently, Cyble researchers came across a post in which a researcher mentioned a fake Proof of Concept (POC) for CVE-2022-26809. Upon further investigation, we discovered that it is malware disguised as an exploit. Similarly, we found a malicious sample that appears to be a fake POC for CVE-2022-24500. Both malicious samples were available on GitHub. Interestingly, both repositories belong to the same profile, indicating that the Threat Actor (TA) might be running a malware campaign targeting the infosec community.\r\nhttps://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/\r\nFigures 1 and 2 show the malware hosted on GitHub.\r\nFigure 1: Exploit for CVE-2022-26809\r\nFigure 2: Exploit for CVE-2022-24500\r\nThe TA used this technique to lure individuals into executing the malware. In the last 24 hours, TAs were also discussing these exploits on a cybercrime forum. For example, we came across a post where TAs discussed CVE-2022-24500, pointing to the fake POC GitHub repository, as shown in Figure 3.\r\nFigure 3: Post on a cybercrime forum\r\nTechnical Details:\r\nThe malware is a .NET binary packed with ConfuserEx, a free, open-source protector for .NET applications. The figure below shows the file details.\r\nFigure 4: File details\r\nThe malware does not contain any exploit code targeting the above vulnerabilities. Instead, it prints a fake message claiming that it is attempting exploitation and then executes shellcode, as shown in Figure 5.\r\nFigure 5: Prints fake message\r\nThe malware uses the Sleep() function to print the messages at short intervals so that it appears more legitimate. Figure 6 shows the code snippet of the malware that prints the fake messages on execution.\r\nFigure 6: Unpacked Code\r\nAfter printing the fake message, the malware executes a hidden PowerShell command via cmd.exe to deliver the actual payload. The figure below depicts the network communication to a command-and-control server for downloading the Cobalt-Strike Beacon.\r\nFigure 7: Network communication\r\nThe Cobalt-Strike Beacon can be used for other malicious activities such as downloading additional payloads, lateral movement, etc. This possibly indicates that the infosec community is also an active target of attackers.\r\nConclusion\r\nTAs are adopting various techniques to carry out attacks. In this case, we witnessed how the TA used fake POCs to lure victims into executing the malware. Usually, people working in information security, or TAs, use exploits to check for vulnerabilities. Hence, this malware might only target people from this community. Therefore, it is essential for members of the infosec community to check the credibility of sources before downloading any proof of concept.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nAvoid downloading files from unknown websites.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nMonitor the beacon at the network level to block data exfiltration by malware or TAs.\r\nEnable a Data Loss Prevention (DLP) solution on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nCommand and Control | T1071 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/"
	],
	"report_names": [
		"malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5b26f225f2364dc23ac772d1447c108899f343e.pdf",
		"text": "https://archive.orkl.eu/e5b26f225f2364dc23ac772d1447c108899f343e.txt",
		"img": "https://archive.orkl.eu/e5b26f225f2364dc23ac772d1447c108899f343e.jpg"
	}
}