CISO Brief

All news with #cobalt strike tag

26 articles

Ghostwriter Targets Ukrainian Government via Prometheus Lures

📄 The Belarus-aligned threat actor Ghostwriter (aka UAC-0057/UNC1151) is using Prometheus e-learning themed phishing lures targeting Ukrainian government entities. CERT-UA reports the campaign, active since spring 2026, uses PDF links to deliver a ZIP with JavaScript that stages multiple payloads: OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK. The operation harvests system data and ultimately deploys Cobalt Strike; CERT-UA advises restricting wscript.exe for standard users to reduce risk.

SonicWall VPN MFA Bypass: CVE-2024-12802 Exploits and Risks

🔒 ReliaQuest observed attackers brute-forcing credentials and bypassing MFA on SonicWall Gen6 SSL-VPN appliances by exploiting CVE-2024-12802, allowing rapid internal access and attempts to deploy Cobalt Strike and a vulnerable driver. SonicWall warns that installing the firmware update alone on Gen6 devices does not fully mitigate the flaw; administrators must manually reconfigure LDAP settings to restore MFA enforcement. Gen7/Gen8 devices are fully remediated by firmware updates.

FrostyNeighbor targets Ukrainian government with new loader

🧊 ESET telemetry details newly observed operations by the FrostyNeighbor actor, targeting governmental, military and key sectors in Ukraine and neighbouring Eastern European countries. The March 2026 campaign begins with spearphishing PDFs that link to RAR archives containing a JavaScript dropper; the script deploys a JavaScript variant of PicassoLoader which fetches and executes a Cobalt Strike beacon. Operators use server-side validation of IP and user agent to restrict final payload delivery and often host infrastructure behind Cloudflare. The group also employs diverse lure formats and exploit chains to evade detection.

Gentlemen Ransomware Uses SystemBC Botnet for Corporates

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.

Transparent Tribe Mass-Produces AI-Assisted Malware

⚠️ Bitdefender reveals that the Pakistan-aligned actor Transparent Tribe (APT36) has adopted AI-assisted coding to mass-produce disposable malware implants using niche languages like Nim, Zig, Crystal and Rust. The campaign targets Indian government entities and embassies while abusing trusted platforms such as Slack, Discord, Supabase, Google Sheets and Firebase to hide C2. Phishing via ZIP/ISO attachments or PDF lures delivers LNK shortcuts that run PowerShell in memory and fetch backdoors, often followed by deployment of Cobalt Strike and Havoc for post-compromise activity.

APT41-Linked Silver Dragon Targets Europe and Asia

🔒 Check Point disclosed an advanced persistent threat dubbed Silver Dragon, active since mid-2024 and assessed to operate under the APT41 umbrella. The group gains access via vulnerable public servers and phishing, deploying loaders such as MonikerLoader and the C++ BamboLoader to stage Cobalt Strike beacons. Post-exploitation tools include screen capture, SSH utilities, and a Google Drive backdoor used for file-based C2.

Fraud Investigation Reveals Sophisticated Python Malware

πŸ” A fraud investigation by the Secuinfra Falcon Team uncovered a layered, Python-based malware deployment that led to unauthorised PayPal transfers and visible command output on the victim's desktop. Investigators found hidden PowerShell activity retrieving a PyInstaller-packed executable named svchoss.exe from an IP hosted in Tencent-associated networks, alongside startup scripts and a concealed Python runtime. Memory forensics with Volatility 3 and string extraction exposed heavy obfuscation, references to Cobalt Strike, XWorm RAT, HTran and attempts to harvest browser autofill and wallet data. Although the system was judged fully compromised, the initial infection vector remains unconfirmed, with social engineering and malicious downloads considered likely.
read more β†’

Notepad++ Updater Compromise by Lotus Blossom Revealed

🔒 Unit 42 identified that between June and December 2025 the state-sponsored group Lotus Blossom hijacked the Notepad++ update infrastructure by compromising a shared hosting provider and intercepting WinGUp traffic. Attackers delivered malicious NSIS installers that launched either a Lua-script chain loading Cobalt Strike Beacon or a DLL sideload that deployed the Chrysalis backdoor. Notepad++ released patches, moved hosting and implemented XML signature verification, and Unit 42 published IOCs and hunting guidance for defenders.

State-Linked 'Shadow Campaigns' Target 155 Countries

πŸ•΅οΈβ€β™‚οΈ Palo Alto Networks' Unit 42 reports a state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 has run global-scale "Shadow Campaigns," compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance tied to 155 countries. The actor has been active since at least January 2024 and is assessed to operate from Asia. Initial access combined tailored phishing lures hosted on Mega.nz with exploitation of known flaws in SAP Solution Manager, Microsoft Exchange, D-Link, and Windows to deploy loaders such as Diaoyu. Victim environments were instrumented with Cobalt Strike, webshells, tunneling tools, and a bespoke Linux eBPF rootkit named ShadowGuard to hide activity and evade detection.
read more β†’

TGR-STA-1030: Asian State-Linked Group Breaches 70 Targets

🔒 Palo Alto Networks Unit 42 reports an Asia-origin, state-backed actor tracked as TGR-STA-1030 breached at least 70 government and critical-infrastructure organizations across 37 countries and scanned infrastructure tied to 155 countries in late 2025. Active since January 2024, the group used MEGA-hosted phishing ZIPs to deliver a guarded loader, Diaoyu Loader, which requires a zero-byte pic1.png and checks for select AV processes before pulling images from GitHub to stage a Cobalt Strike payload. It also exploited N-day flaws, deployed web shells, tunnelers and an eBPF Linux rootkit ShadowGuard, maintaining prolonged access for intelligence collection.

Asian APT Compromises 70 Government and Infrastructure

🔎 Palo Alto Networks has identified a new Asia-based cyberespionage group, tracked as TGR-STA-1030 (UNC6619), that has compromised 70 government and critical-infrastructure organizations across 37 countries over the past year. The actor employs phishing, N-day exploits, and a multifaceted toolset including a custom loader named Diaoyu, Cobalt Strike implants, multiple web shells, and a bespoke eBPF-based Linux rootkit called ShadowGuard. Researchers report the group conducts extensive scanning and targeted reconnaissance tied to regional events, operates on GMT+8 hours, and shows indicators consistent with nation-state activity.

Pakistan-linked Cyber Campaigns Target Indian Government

πŸ›‘οΈ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools β€” GOGITTER, GITSHELLPAD, and GOSHELL β€” to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.
read more β†’

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.

Critical React2Shell Vulnerability Used in Ransomware Attack

🔴 Researchers observed the critical React2Shell vulnerability (CVE-2025-55182) being exploited to gain initial access and deploy the Weaxor ransomware in under a minute. The attacker executed an obfuscated PowerShell command to stage a Cobalt Strike beacon, disabled Windows Defender real-time protection, and launched the encryptor. Encrypted files used the .WEAX extension while shadow copies were removed and event logs cleared to impede recovery and forensic analysis.

China-Linked Ink Dragon Employs ShadowPad and FINALDRAFT

πŸ›‘οΈ Check Point Research links a sustained espionage campaign to the China-aligned cluster known as Ink Dragon (also tracked as Jewelbug, CL-STA-0049, Earth Alux/REF7707) that has targeted government and telecommunications organisations across Europe, Asia and Africa since at least March 2023. The actor exploits exposed web applications and predictable ASP.NET machine keys to drop web shells and install a custom ShadowPad IIS Listener, turning compromised servers into resilient C2 relays. Operators deploy a modular backdoor FINALDRAFT (aka Squidoor), alongside NANOREMOTE, loaders and tooling such as VARGEIT and Cobalt Strike to enable stealthy lateral movement, credential theft and high-throughput exfiltration.
read more β†’

React2Shell RCE Exploited, 77K+ IPs and 30+ Breaches

🔴 React2Shell (CVE-2025-55182) is an unauthenticated remote code execution flaw in React Server Components and frameworks like Next.js, disclosed on December 3, 2025. A public proof-of-concept on December 4 accelerated automated scanning and exploitation; Shadowserver found 77,664 vulnerable IPs (≈23,700 in the US), and Palo Alto reports more than 30 breached organizations. Observed attacks use PowerShell stages, AMSI bypass and Cobalt Strike; mitigation requires updating React, rebuilding and redeploying apps, and reviewing logs for post-exploitation indicators.

APT24 Deploys BADAUDIO in Multi-Year Espionage Campaign

πŸ›‘οΈ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.
read more β†’

Google Details BadAudio Malware Used by China APT24

πŸ” Google Threat Intelligence Group (GTIG) disclosed a previously undocumented loader, BadAudio, used by China-linked APT24 in a multi-year espionage campaign that employed spearphishing, watering-hole infections, and supply-chain compromises. The loader is heavily obfuscated, leverages DLL search-order hijacking and control-flow flattening, and exfiltrates encrypted system data to hard-coded C2 servers. In at least one observed case it delivered an Cobalt Strike Beacon, and many samples remained undetected by most antivirus engines.
read more β†’

APT24 Pivot to BADAUDIO Multi-Vector Attacks in Taiwan

πŸ” Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by APT24 deploying the obfuscated BADAUDIO downloader to deliver AES-encrypted payloads, including Cobalt Strike beacons. The actor evolved from broad strategic web compromises to targeted supply-chain abuse of a Taiwanese digital marketing firm and spear-phishing lures. BADAUDIO uses DLL search order hijacking, control-flow flattening, and cookie-based beaconing to retrieve decrypted payloads in memory. GTIG added related domains and files to Safe Browsing, issued victim notifications, and published IOCs and YARA rules to support detection and mitigation.
read more β†’

Researchers Detail Tuoni C2's Role in Real-Estate Attack

🔒 Cybersecurity researchers disclosed an attempted intrusion against a major U.S. real-estate firm that leveraged the emerging Tuoni C2 and red-team framework. The campaign, observed in mid-October 2025, used Microsoft Teams impersonation and a PowerShell loader that fetched a BMP-steganographed payload from kupaoquan[.]com and executed shellcode in memory. That sequence spawned TuoniAgent.dll, which contacted a C2 server but ultimately failed to achieve its goals. The incident highlights the risk of freely available red-team tooling and AI-assisted code generation being abused by threat actors.