{
	"id": "b825baa7-3425-4a2c-954f-46a86acc5229",
	"created_at": "2026-04-06T00:10:26.448477Z",
	"updated_at": "2026-04-10T03:24:24.595221Z",
	"deleted_at": null,
	"sha1_hash": "f4d39d482900cf3a2c52bdb934cced547d59e884",
	"title": "Threat Actors Use Older Cobalt Strike Versions to Blend In",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2500741,
	"plain_text": "Threat Actors Use Older Cobalt Strike Versions to Blend In\r\nBy Ionut Ilascu\r\nPublished: 2019-06-18 · Archived: 2026-04-05 23:10:41 UTC\r\nPlenty of outdated Cobalt Strike servers exist in the wild, helping cybercriminals or giving security professionals the upper\r\nhand when testing corporate defenses; and they can be easily identified to stifle intrusions of any purpose.\r\nThe developer of Cobalt Strike, Strategic Cyber, released version 3.13 of the framework in early January and 3.14 in May.\r\nYet there are tens of servers running an older version of the platform, some of which may have been obtained illegally and\r\ndeployed for malicious intentions.\r\nRestricted availability\r\nCobalt Strike is an adversary simulation platform intended for assessing a network's security against an advanced threat\r\nactor. Simply put, its purpose is solely for lawful and ethical security testing.\r\nhttps://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/\r\nPage 1 of 6\r\nApart from its expensive price (per-user license is $3,500 for one year, renewable for $2,500), there are restrictions in place\r\nto prevent it from falling into a real adversary's hands. This includes customer screening, limited availability outside the U.S.\r\nand Canada, and controlled exporting.\r\nThese measures, however, are not always sufficient to stop a determined threat actor from applying for and getting a trial\r\nversion of Cobalt Strike or obtaining a licensed copy. 
Some users on hacker forums offered $25,000 to anyone in the US that\r\ncould get them a genuine copy of the product.\r\nCracked versions of the software can also be found online (the newest we've seen is for trial version 3.13), but they often\r\npack backdoors or fail to include all the features of the original. These cracked versions cannot be updated.\r\nIdentifying unpatched servers\r\nNetwork defenders should be able to detect and deflect Cobalt Strike activity regardless of the motive behind it. To this end,\r\nRecorded Future's Insikt Group scanned the internet searching for clues that may indicate an unpatched server.\r\nBy combining multiple methods for detecting the software in the wild, the researchers told BleepingComputer that they were\r\nable to discover 104 servers they believe were running Cobalt Strike \"based on moderately-high to high confidence\r\ndetections.\"\r\nInsikt Group applied methods already documented by Strategic Cyber. One way, which works for all versions of the\r\nframework, is to look for the default security certificate from the developer. If the admin does not make a change, it is a\r\npretty reliable sign pointing to Cobalt Strike.\r\n[Figure: Recorded Future detections, January 2019 to May 2019]\r\nAnother hint is the DNS server in the framework, which responds with a fake IP address (0.0.0.0) when active. 
This is not\r\nunique, though, but it could be combined with other methods to increase confidence in the detection.\r\nAn open controller port number 50050/TCP may also indicate a Cobalt Strike Team Server, as it would be unexpected to\r\nfind it on other types of servers.\r\nLast on the official list of indicators is a \"404 Not Found\" HTTP error, which is unique to the NanoHTTPD web servers\r\nrunning on Cobalt Strike 3.13 and earlier.\r\nAn unofficial mark in NanoHTTPD that also gave away an outdated Cobalt Strike server is the presence of\r\n\"a null space in the HTTP response where “HTTP/1.1” is followed by a blank space (0x20) not found in other web server\r\nresponses.\"\r\nA fix was delivered with version 3.13, as shown in the official release notes: \"removed extraneous space from HTTP status\r\nresponses.\"\r\nFor a year and a half, security outfit Fox IT used this method to identify Cobalt Strike servers \"with high confidence\"\r\nbefore it was fixed.\r\nDefenders can take advantage of these techniques to enable proactive protections on the network against an older Cobalt\r\nStrike release, which would likely cater to criminal activity.\r\nAlthough there may still be room for error, mixing the various detection methods should provide high confidence results.\r\nThe use of the default TLS certificate, though, remains the surest way to identify a Cobalt Strike server.\r\nFingerprinting TLS negotiations\r\nAnother technique to detect Cobalt Strike systems is to inspect suspicious network traffic in search of specific markers\r\nrelating to the TLS negotiation between a server and a client. 
TLS fingerprints like protocol version, accepted ciphers, and\r\nelliptic curve information can be used to identify connections to the server.\r\nJA3, an open-source method for profiling SSL/TLS connections, can help with signatures for both clients and servers. The\r\nproject (and other sources) provides fingerprints for the TLS data exchange by the client beacon (which uses the Windows\r\nsocket to initiate communication) and servers running on Kali Linux.\r\nThis detection method can be thwarted by using a proxy for the connections, but such a scenario is not common, so it is a\r\nreliable technique to find Cobalt Strike servers, especially in combination with the other solutions.\r\nMingling in\r\nThe techniques described in the report from Recorded Future may be for unpatched versions of the security testing\r\nframework, but that does not mean they make for outdated detection routines.\r\nTo keep a low profile, attackers often prefer running an older release if other bad actors have not moved to a newer version.\r\nAnother reason may be that customizations could be lost when upgrading to a new build.\r\nIf a pirated version is used, the threat actor would have to wait for a cracked copy of a newer release.\r\n\"The use of cracked versions of Cobalt Strike or deployment of standard Cobalt Strike instances causes a blending together\r\nof threats, making attribution difficult. Additionally, by running cracked versions of the framework, actors can blend in with\r\nolder versions of Cobalt Strike,\" explains Recorded Future.\r\nSource: https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/"
	],
	"report_names": [
		"threat-actors-use-older-cobalt-strike-versions-to-blend-in"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4d39d482900cf3a2c52bdb934cced547d59e884.pdf",
		"text": "https://archive.orkl.eu/f4d39d482900cf3a2c52bdb934cced547d59e884.txt",
		"img": "https://archive.orkl.eu/f4d39d482900cf3a2c52bdb934cced547d59e884.jpg"
	}
}