{ "id": "56a6c232-f175-413d-9db0-984b7c4655e0", "created_at": "2026-04-06T00:21:01.878008Z", "updated_at": "2026-04-10T03:37:33.421013Z", "deleted_at": null, "sha1_hash": "f339eaa9225e566f2ddd44e9db0a1c3434fdffbc", "title": "Identifying Rogue Cobalt Strike Servers: A Recorded Future Approach | Recorded Future", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 867055, "plain_text": "Identifying Rogue Cobalt Strike Servers: A Recorded Future\r\nApproach | Recorded Future\r\nBy THE RECORDED FUTURE TEAM\r\nArchived: 2026-04-05 15:49:30 UTC\r\nWhat Is Cobalt Strike?\r\nIt all began with cybersecurity professionals realizing that sometimes the best defense is a good offense. As the\r\nprinciple of “deny all” has become increasingly difficult to implement at scale, more organizations have begun\r\nlooking to tools and techniques designed to penetrate information systems in order to identify gaps in security.\r\nCobalt Strike is one such tool. Designed and distributed by D.C.-based Strategic Cyber, Cobalt Strike was, and is\r\nto this day, meant to specifically aid in red team operations, giving friendly “bad guys” the means of quickly\r\nreplicating what sophisticated hackers might set up on their own.\r\nOver time, as distribution grew, these tools began to fall into the wrong hands. Malicious hackers and nation-states\r\ndownloaded trials of Cobalt Strike and found ways to crack the software, or gain access to the full version.\r\nFortunately, researchers began to notice quirks about some Cobalt Strike servers. Chief among them was an\r\ninability for some versions of Cobalt Strike to receive updates from the central servers at Strategic Cyber.\r\nUnpatched versions became increasingly recognizable.\r\nhttps://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nPage 1 of 6\n\nRecorded Future combined several disparate detection methods and tested their combined effectiveness on\r\nsamples of suspected Cobalt Strike servers, demonstrating how using multiple methods could increase the\r\ncertainty of identification.\r\nCobalt Strike Hits the Market\r\nWhen Cobalt Strike first hit the market in 2012, distribution of the software was carefully controlled. Strategic\r\nCyber realized the potential for it to be used for harm and vetted users in addition to charging significant fees.\r\nSoon, red teams around the world were using Cobalt Strike to conduct authorized penetration tests, helping\r\norganizations identify flaws in their information systems.\r\nDespite the controls in place, Cobalt Strike eventually fell into the wrong hands. The trial available for immediate\r\ndownload was cracked and unauthorized copies began to emerge in dark web marketplaces.\r\nProliferation of the software continued worldwide, but it was difficult to know which servers were being used for\r\nauthorized testing and which were being used for criminal or other destructive activity. The problem of identifying\r\nCobalt Strike as a possible red team trying to demonstrate gaps in network defense was further complicated by\r\nCobalt Strike servers in the wild that could actually do harm\r\nFalling Into the Wrong Hands\r\nNotorious organizations known to have used Cobalt Strike include APT29 (Cozy Bear), Magic Hound, and\r\nWinnti. Malicious IP addresses known to be responsible for sending phishing campaigns have also been found to\r\nbe associated with Cobalt Strike server certificates.\r\nhttps://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nPage 2 of 6\n\nDiscovering Methods of Detection\r\nBecause cybersecurity teams need to be able to detect Cobalt Strike servers regardless of who is using them and\r\nwhat those actors intend to do when they access a network, they have developed useful methods of detecting\r\nCobalt Strike.\r\nhttps://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nPage 3 of 6\n\nThe primary method begins with detection of a malicious payload (file/link). In this scenario, existing security\r\ninfrastructure like a SIEM or alert system will notify the security team that a malicious payload has entered (or is\r\nattempting to enter) the network. Threat analysts can then trace the origin of the payload and look for a Cobalt\r\nStrike certificate associated with the email server and related systems.\r\nAttackers using Cobalt Strike may also be discovered as they move throughout a network. A security team may\r\nnotice improper privilege escalation or lateral movement that calls for a closer look. Upon inspection, the actions\r\ncan be tied to a certain IP address or domain and these can be analyzed for associations with Cobalt Strike.\r\nValidating Methods of Detection\r\nStrategic Cyber recognized the growing threat of unlicensed copies of Cobalt Strike being in the wild and got to\r\nwork on a solution:\r\nIn January 2019, Cobalt Strike in release notes identified an anomaly with “removed extraneous space\r\nfrom HTTP status responses.”\r\nIn February 2019, Cobalt Strike released a study highlighting multiple techniques to ID Cobalt Strike\r\nservers, including an HTTP 404 Not Found response anomaly.\r\nMeanwhile, independent researchers were also looking for a solution:\r\nIn February 2019, researchers at Fox-IT in the Netherlands published a study based on a null space in an\r\nHTTP response from NanoHTTPD servers. They identified the exact anomaly, which Cobalt Strike did not\r\nprovide.\r\nLater in February 2019, researchers at Knownsec in China released a blog based on Fox-IT’s study, which\r\nwas mentioned by Cobalt Strike earlier that month.\r\nhttps://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nPage 4 of 6\n\nOther known methods of detection included checking the TLS certificate and looking for an open port\r\n50050.\r\nTaking all methods of detection into consideration, Recorded Future validated a highly effective method of\r\ndetecting Cobalt Strike, which can be accomplished by combining methods of assessing the connection to a\r\nmalicious IP or domain.\r\nAnalysts using this method can cleverly combine specific aspects of unpatched (and therefore, potentially illicit)\r\nCobalt Strike servers and cross-reference the IP addresses of those servers against threat intelligence to develop a\r\nlevel of confidence about both the presence of Cobalt Strike and the likelihood of the party behind Cobalt Strike\r\nbeing malicious.\r\nThe Value of Combining Methods\r\nPrior to Recorded Future validating this research, there was a widespread perception that identifying Cobalt Strike\r\nservers was highly resource intensive. That kind of thinking could inhibit those in small and medium-sized\r\nbusinesses from taking steps to detect the servers and protect their organizations. Now, by combining a few simple\r\nmethods, cybersecurity managers at any organization are better equipped to find Cobalt Servers and prevent\r\nattacks.\r\nhttps://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nPage 5 of 6\n\nSecurity Teams at the Forefront\r\nAs security teams adopt the methods discussed in the report (and as Cobalt Strike continue to roll out patches for\r\nlegitimate servers), the gulf between legitimate and pirated versions widens, exposing more harmful Cobalt Strike\r\nservers and empowering security teams to guard against them.\r\nUltimately, the story of Cobalt Strike shows that cybersecurity is less about thinking along strictly defensive or\r\noffensive lines. Each has its importance. The challenge and where the fight is won is in the transition from offense\r\nto defense and defense to offense.\r\nSource: https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nhttps://www.recordedfuture.com/blog/identifying-cobalt-strike-servers\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers" ], "report_names": [ "identifying-cobalt-strike-servers" ], "threat_actors": [ { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434861, "ts_updated_at": 1775792253, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f339eaa9225e566f2ddd44e9db0a1c3434fdffbc.pdf", "text": "https://archive.orkl.eu/f339eaa9225e566f2ddd44e9db0a1c3434fdffbc.txt", "img": "https://archive.orkl.eu/f339eaa9225e566f2ddd44e9db0a1c3434fdffbc.jpg" } }