#cobaltstrike — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cobaltstrike, aggregated by home.social.
-
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.
Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
-
China-Linked AI Pentest Tool ‘Villager’ Raises Concern After 10K Downloads https://hackread.com/china-ai-pentest-tool-villager-10k-downloads/ #Cybersecurity #CobaltStrike #Cyberspike #Security #AsyncRAT #Straiker #Villager #HSCSEC #China #PyPI #CTF
-
Cobalt Strike Beacon delivered via GitHub and social media – Source: securelist.com https://ciso2ciso.com/cobalt-strike-beacon-delivered-via-github-and-social-media-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Targetedattacks #cyberespionage #DLLsideloading #Socialnetworks #Windowsmalware #securelistcom #CobaltStrike #DLLhijacking #shellcode #research #Malware #GitHub #Trojan
-
The SOC files: Rumble in the jungle or APT41’s new target in Africa – Source: securelist.com https://ciso2ciso.com/the-soc-files-rumble-in-the-jungle-or-apt41s-new-target-in-africa-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #DLLsideloading #securelistcom #CobaltStrike #DLLhijacking #TIandIRposts #Incidents #APT #SOC
-
Rumble in the jungle: APT41’s new target in Africa – Source: securelist.com https://ciso2ciso.com/rumble-in-the-jungle-apt41s-new-target-in-africa-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #CyberSecurityNews #Targetedattacks #DLLsideloading #securelistcom #CobaltStrike #DLLhijacking #TIandIRposts #Incidents #APT #SOC
-
Finding Minhook in a sideloading attack – and Sweden too – Source: news.sophos.com https://ciso2ciso.com/finding-minhook-in-a-sideloading-attack-and-sweden-too-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #DLLsideloading #ThreatResearch #nakedsecurity #nakedsecurity #cobaltstrike #minhook
-
Chinese Hackers Targeted Taiwanese Research Institute with ShadowPad and Cobalt Strike https://thecyberexpress.com/chinese-hackers-apt41-targeted-taiwan/ #TheCyberExpressNews #CybersecurityNews #Taiwaneseresearch #TheCyberExpress #FirewallDaily #cobaltstrike #ShadowPad #Taiwanese #Chinese #APT41
-
#Europol blocks around 600 IPs and domains found in criminal activities | Security https://www.heise.de/news/Europol-Operation-Morpheus-Rund-600-IPs-und-Domains-hops-genommen-9789103.html #CobaltStrike #Conti #Trickbot #Ryuk #RAT
-
The Not-So-Secret Network Access Broker x999xx
https://krebsonsecurity.com/2024/07/the-not-so-secret-network-access-broker-x999xx/
#OzerskTechnologicalInstituteNationalResearchNuclearUniversity #kirtsov@telecom.ozersk.ru #MaksimGeorgievichKirtsov #U.S.DepartmentofJustice #maxnmalias[email protected] #КирцовМаксимГеоргиевич #ConstellaIntelligence #dashin2008@yahoo.com #Ne'er-Do-WellNews #maksya@icloud.com #OperationEndgame #osint.industries #MikhailMatveev #RecordedFuture #CobaltStrike #Breadcrumbs
-
Law Enforcement and Private Sector Team Up to Disrupt Cobalt Strike Abuse https://thecyberexpress.com/law-enforcement-disrupt-cobalt-strike-abuse/ #TheCyberExpressNews #CybersecurityNews #CyberEssentials #TheCyberExpress #RansomwareNews #LawEnforcement #FirewallDaily #cobaltstrike #Governance #Ransomware #TrickBot #Ryuk
-
Belarusian Government-Linked Threat Actor ‘UNC1151’ Targets Ukraine’s Ministry of Defense https://thecyberexpress.com/unc1151-targets-ukraine-ministry-of-defense/ #UkrainesMinistryofDefence #TheCyberExpressNews #CybersecurityNews #cybersecuritynews #CRILresearchers #TheCyberExpress #FirewallDaily #cybersecurity #ThreatActors #cobaltstrike #AgentTesla #Phishing #njRAT #CRIL
-
How to spot active #cobaltstrike activity?
1) 7-letter binaries often in Temp-folder (find with e.g. MFT, journal)
2) rundll.exe starting weird programs (find with e.g. #velociraptor pslist, #volatility pslist/pstree)
3) named pipes activity (find with e.g. velociraptor handles())
4) Powershell commands with base64 code (find in ps history, e.g. velociraptor psreadline)
Good luck!
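An added triage example (not part of the post above) that applies the post's four indicators to constructed process and named-pipe events. The default pipe-name patterns, the Temp-path and 7-letter regexes, and the shell/recon list are assumptions to tune against your own telemetry.

```python
import base64
import re
# Assumed Cobalt Strike default pipe-name patterns; operators often rename them.
CS_PIPE_PATTERNS = [
    re.compile(r"^MSSE-\d+-server$", re.I),
    re.compile(r"^postex_[0-9a-f]{4}$", re.I),
    re.compile(r"^msagent_[0-9a-f]{2}$", re.I),
]
TEMP_DIR = re.compile(r"[\\/](Temp|tmp)[\\/]", re.I)
SEVEN_LETTER_EXE = re.compile(r"[\\/][A-Za-z]{7}\.exe$")
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "nltest.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def seven_letter_temp_binary(image: str) -> bool:
    """Indicator 1: a 7-letter .exe living under a Temp folder."""
    return bool(TEMP_DIR.search(image) and SEVEN_LETTER_EXE.search(image))

def rundll32_spawns_tool(parent_image: str, image: str) -> bool:
    """Indicator 2: rundll32.exe as the parent of a shell or recon utility."""
    return basename(parent_image) == "rundll32.exe" and basename(image) in SHELLS

def cobalt_strike_pipe(pipe_name: str) -> bool:
    """Indicator 3: pipe name matches a default Beacon/post-ex pipe pattern."""
    return any(p.match(basename(pipe_name)) for p in CS_PIPE_PATTERNS)

def decode_encoded_powershell(cmdline: str):
    """Indicator 4: return the decoded -EncodedCommand (UTF-16LE) text, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64, or not a UTF-16LE PowerShell string

def triage(events):
    """Apply the four indicators to process/pipe events; return (id, reason) hits."""
    hits = []
    for ev in events:
        if ev["type"] == "pipe":
            if cobalt_strike_pipe(ev["pipe"]):
                hits.append((ev["id"], "cs-default-pipe"))
            continue
        if seven_letter_temp_binary(ev["image"]):
            hits.append((ev["id"], "7-letter-temp-binary"))
        if rundll32_spawns_tool(ev["parent"], ev["image"]):
            hits.append((ev["id"], "rundll32-spawns-tool"))
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            hits.append((ev["id"], "encoded-powershell: " + decoded))
    return hits

# Constructed sample telemetry (not real IoCs); the encoded command is built inline.
ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\kjhdgfs.exe", "cmdline": "kjhdgfs.exe"},
    {"id": 2, "type": "pipe", "pipe": r"\\.\pipe\MSSE-1234-server"},
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
]
```

Running `triage(SAMPLE_EVENTS)` flags all three constructed events; in real telemetry each indicator alone is noisy, so treat hits as pivots for the MFT, pslist and handle checks the post names rather than as verdicts.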
-
Our latest report on a CN #APT targeting tens of governments entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://trendmicro.com/en_us/research/24/c/earth-krahang.html
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware.
Their favorite malware toolkits are Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
-
#hack100days Day 10. Back to #CRTO and the lab. More initial compromise and some host enumeration. #RedTeam #CobaltStrike
-
#hack100days Day 7. Spent more time on extending #CobaltStrike section of #CRTO. Grokking Aggressor Scripts are CS client extensions. Looked harder at Beacon Object Files, not sure if that's going to be important for the test, though. Found https://github.com/CCob/BOF.NET as a way to pull in some .Net, but it's not yet obvious to me how that works. Regardless. Must. Hit. The. Lab.
-
The cyber crims are working through the holidays, and so are we. Here's Monday's newsletter on all the developments in infosec, just for you:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-744?sd=pf
International law enforcement agencies notched up another win last week, having successfully taken down the notorious Initial Access Broker Genesis Marketplace last week - or did they? The site remains active and the admins appear to have gotten away unscathed, so what victory was there to be had?
#Microsoft, in collaboration with #Fortra and the Health ISAC, are commencing work to dismantle infrastructure used by actors abusing cracked versions of the offensive Cobalt Strike framework. It'll be an uphill battle, and it remains to be seen if they can make a dent in the sprawling global footprint achieved by the cyber crim's implant of choice.
Be warned - a PoC exploit has been released for a CVSS 10.0 Sandbox Escape vulnerability impacting the VM2 JavaScript Sandbox, which itself has >16 million monthly downloads on #npm. Researchers have also uncovered a vulnerability in #WiFi APs that could allow hijacking and snooping of client traffic; #Apple patches two actively exploited 0-days in #iOS, #iPadOS and #macOS, and #CISA urges patching of #Zimbra bugs exploited by Russian APTs.
The #redteam have some great tooling and tradecraft to help with Microsoft #MFA enumeration and performing port forwarding on compromised #Cisco gear, while the #blueteam are again spoiled for choice - a new database of exploited drivers, research on abuse of SFX archives for persistence, and threat models for #AWS KMS and CI/CD pipelines - take your pick!
Check out the newsletter and catch all this and much more excellent threat and tradecraft research, to help you gear up for the week ahead:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-744?sd=pf
Happy Easter Monday to everyone lucky enough to be enjoying the holiday, I hope you're all having a great break wherever you are, and a reminder that if you're travelling on the roads, to please drive safe!
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploit #PoC #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #CobaltStrike #IAB #InitialAccessBroker #GenesisMarketplace
-
HIRING: Penetration Testers - Red Team ICS/OT and Network Experience / Florida https://infosec-jobs.com/J23745/ #InfoSec #InfoSecJobs #Cybersecurity #jobsearch #hiringnow #CyberCareers #Florida #Aircrack #APIs #Blackbox #BurpSuite #Cpp #CEH #Clearance #Cloud #CobaltStrike #EDR
-
Cobalt Strike is a popular tool used by red teams to test the resilience of their cyber defenses https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse/ #CobaltStrike #Armitage #Metasploit #sharegeneratedinpartwithgpt3
-
Extracting a #CobaltStrike beacon config from #PCAP in 5 simple steps:
🚜 #CapLoader
⛏️ #NetworkMiner
⌨️ cmd.exe
🐍 1768 K
🦹♂️ Cobalt Strike Beacon Config
Full video, writeup and link to pcap file are available here:
https://netresec.com/?b=21536fc