ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool Cobalt Strike

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Cobalt Strike

NamesCobalt Strike
CobaltStrike
Agentemis
BEACON
cobeacon
CategoryTools
TypeBackdoor, Vulnerability scanner, Keylogger, Tunneling, Loader, Exfiltration
DescriptionCobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Information<https://www.cobaltstrike.com/>
<https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html>
<https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html>
<https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py>
<https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html>
<http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems>
<https://www.lac.co.jp/lacwatch/people/20180521_001638.html>
<https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/>
<https://www.bleepingcomputer.com/news/security/threat-actors-use-older-cobalt-strike-versions-to-blend-in/>
<https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf>
<https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html>
<https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/>
<https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network/a/d-id/1339357>
<https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/>
<https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073>
<http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor>
<https://blog.malwarebytes.com/researchers-corner/2021/06/cobalt-strike-a-penetration-testing-tool-popular-among-criminals/>
<https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware>
<https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/>
<https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/>
<https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/>
<https://www.recordedfuture.com/detect-cobalt-strike-inside-look/>
<https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9>
<https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/>
<https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot>
<https://asec.ahnlab.com/en/31811/>
<https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/>
<https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/>
<https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/>
<https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/>
<https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse>
<https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/>
<https://securityintelligence.com/posts/defining-cobalt-strike-reflective-loader/>
<https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/>
<https://asec.ahnlab.com/en/59110/>
<https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/>
<https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike>
MITRE ATT&CK<https://attack.mitre.org/software/S0154/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:Cobalt%20Strike>

Last change to this tool card: 26 August 2024

Download this tool card in JSON format

All groups using tool Cobalt Strike

ChangedNameCountryObserved

APT groups

 APT 19, Deep Panda, C0d0so0China2013-Mar 2022X
 APT 29, Cozy Bear, The DukesRussia2008-Jun 2024X
 APT 32, OceanLotus, SeaLotusVietnam2013-Aug 2024 HOTX
 APT 41China2012-Aug 2024 HOTX
     ↳ Subgroup: Earth LongzhiChina2020-Apr 2023 
 Aquatic PandaChina2020 
 BariumChina2016-Nov 2017X
 Bronze HighlandChina2012-Jul 2024 
 Bronze StarlightChina2021-Mar 2023 
 Carbanak, AnunakUkraine2013-Apr 2023X
 ChamelGangChina2021-Jun 2023 
 ChimeraChina2018-Oct 2019 
 Cobalt GroupRussia2016-Oct 2019X
 CopyKittens, Slayer KittenIran2013-Jan 2017 
 DalbitChina2022 
 DarkHydrus, LazyMeerkatIran2016-Jan 2019 
 Doppel SpiderRussia2019-Sep 2023X
 Earth BaxiaChina2024 
 Earth KrahangChina2022 
 Earth LuscaChina2019-Sep 2024 HOT 
 Earth WendigoChina2019 
 FIN6, Skeleton Spider[Unknown]2015-Oct 2021X
 FIN7Russia2013-Jul 2024X
 FIN12[Unknown]2018 
 GalliumChina2018-Jun 2022 
 GelsemiumChina2014-Mid 2022 
 Grayling[Unknown]2023 
 Harvester[Unknown]2021 
 Hydrochasma[Unknown]2022 
 Indrik SpiderRussia2007-Oct 2024 HOTX
 Ke3chang, Vixen Panda, APT 15, GREF, Playful DragonChina2010-Late 2022 
 LeadChina2016 
 Leviathan, APT 40, TEMP.PeriscopeChina2013-Jul 2021X
 LuminousMothChina2020 
 MuddyWater, Seedworm, TEMP.Zagros, Static KittenIran2017-May 2024X
 Mustang Panda, Bronze PresidentChina2012-Mar 2024 
 OldGremlinRussia2020-Feb 2021 
 OPERA1ER[Unknown]2016-Jul 2023X
 Operation GhostwriterBelarus2017-Apr 2024X
 Operation Silent Skimmer[Unknown]2022 
 Operation SLOW#TEMPESTChina2024 
 PassCVChina2016 
 Pinchy Spider, Gold SouthfieldRussia2018-May 2024X
 RancorChina2017 
 Reaper, APT 37, Ricochet Chollima, ScarCruftNorth Korea2012-Sep 2024 HOTX
 RedDeltaChina2020-Feb 2022 
 RedGolfChina2014 
 RedHotel, TAG-22China2021 
 SaintBear, Lorec53Russia2021-Oct 2022 
 SharpPanda, Sharp DragonChina2018-Mar 2024 
 Sprite Spider, Gold Dupont[Unknown]2015-Nov 2022 
 Stone Panda, APT 10, menuPassChina2006-Feb 2022X
 TA2101, Maze Team[Unknown]2019-Feb 2024X
 TAG-28China2021 
 TAG-100China2024 
 Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu KittensChina2010-Oct 2018X
 UNC2447[Unknown]2020 
 Winnti Group, Wicked PandaChina2010-Mar 2021 
 Wizard Spider, Gold BlackburnRussia2014-Dec 2023X

Other groups

 ALTDOS[Unknown]2020-Sep 2021X
 GambleForceChina2023 
 Karakurt[Unknown]2021-Sep 2022 
 TA511[Unknown]2018-Oct 2020 
 UNC1878[Unknown]2020 

64 groups listed (59 APT, 5 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]