
Cobalt Strike


Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra. Cracked versions of it, however, are widely adopted by bad actors, who use it as their C2 system of choice for targeted attacks.

Type: Penetration software
Origin: Unknown
First seen: 20 February, 2012
Last seen: 6 October, 2025




What is Cobalt Strike malware

Cobalt Strike is a licensed penetration testing package developed by Fortra (previously HelpSystems) that helps red teams simulate an adversary in red-vs-blue exercises.

While the software itself is completely legal and designed for cybersecurity testing, over the years, many versions of it have been cracked and leaked into the wild. Despite several attempts to stop its abuse — by the developer and the online community — attackers continue to employ it to install multiple payloads after compromising their victims' networks.

Most of these cracked versions were obtained by getting hold of a trial build (trials are only issued to verified parties, but evidently attackers found a way around that) and then bypassing the license check and the trial restrictions. (The trial version of Cobalt Strike has several deliberate giveaways, such as the EICAR string embedded in all payloads and a watermark.)

Being a legitimate tool, Cobalt Strike has a ton of educational material online illustrating what it can do, like this official playlist on YouTube. This, of course, lowers the entry threshold and contributes to the popularity of the software among bad actors: one can literally learn how to abuse it directly from its creators.

Cracked Cobalt Strike versions circulate freely on various underground forums and are sometimes found on clearnet resources such as GitHub. Although most of them are somewhat outdated, they still pose a serious threat: many criminal groups use them to gain initial access and move laterally through victims' networks.


Cobalt Strike malware analysis review

Cobalt Strike consists of multiple components, which together form a comprehensive attack suite. The central element of the software is the Team Server component, which acts as both the C2 server and a coordinating program that helps multiple operators work together and control hijacked devices. To access it, actors use a Client component, which serves as the GUI for the Team Server.

Team Server can generate shellcode implants called Stagers. These fileless implants are available as VBA, JavaScript and PowerShell macro templates. Once an attacker gets one of the Stagers running inside the victim's network, it contacts the Team Server over HTTP/HTTPS, SMB, or DNS to fetch and install the main payload, known as the Beacon.

The Beacon is the core binary which allows the attacker to control infected machines remotely. It supports a wide list of malicious operations, and is designed to be configurable and expandable. This feature is often used to deliver and run custom modules, and makes Cobalt Strike's malicious capabilities virtually limitless. What’s more, there are built-in modules that allow attackers to customize the payload to avoid detection: these include the Artifact Kit, Malleable C2 Profiles, and Resource Kit.

Also, it’s important to note that since Cobalt Strike was originally designed for team exercises, the Team Server and Client modules allow criminal gangs to coordinate hacks with multiple attackers acting simultaneously, potentially targeting multiple weak spots.

The payloads usually delivered by Cobalt Strike range from ransomware to spyware and even Advanced Persistent Threats.

How to get more information from Cobalt Strike malware

ANY.RUN helps analysts track the execution process of Cobalt Strike in an interactive online sandbox.

Figure 1: Cobalt Strike malware configuration

ANY.RUN users can access the analysis results 10 seconds after launching the sandbox, which saves crucial time, especially during incident response when every second matters.


Cobalt Strike execution process

The execution of Cobalt Strike varies greatly from sample to sample. Not only are there many iterations of the client, but the program itself is frequently updated by the developers. Besides the common variant that uses an executable file, there are also versions that use PowerShell or JS to take over the infected system.

In ANY.RUN, users can study the config of the Cobalt Strike Beacon to better understand how it works.
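To show what "studying the config" means in practice, here is an added example (not code from the ANY.RUN page or from Cobalt Strike itself) that locates and parses the Beacon configuration block an analyst would want to extract, including the C2 server and the watermark mentioned above. It assumes the publicly documented layout used by open-source Beacon parsers: the config is XOR-encoded with a single byte (0x69 for 3.x, 0x2e for 4.x) and consists of big-endian entries of index, type and length followed by the value, with type 1 = short, 2 = int, 3 = raw data; the blob it runs on is constructed here, not a real Beacon.

```python
import struct

# Single-byte XOR keys used to store the Beacon config: 0x69 (3.x), 0x2e (4.x)
XOR_KEYS = (0x69, 0x2E)
# Every config starts with index 1 (BeaconType), type 1 (short), length 2
HEADER = bytes([0, 1, 0, 1, 0, 2])
# Subset of config indices decoded here (standard Beacon layout as documented
# by public parsers); anything else is reported as field_<index>
FIELDS = {1: "beacon_type", 2: "port", 3: "sleep_ms", 5: "jitter",
          8: "c2_server", 9: "user_agent", 37: "watermark"}

def parse_beacon_config(blob: bytes) -> dict:
    """Locate the XOR-encoded config in a Beacon image and parse its TLV entries."""
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in HEADER))
        if off == -1:
            continue
        data = bytes(b ^ key for b in blob[off:])
        cfg, pos = {"xor_key": key}, 0
        while pos + 6 <= len(data):
            idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
            if idx == 0:  # index 0 terminates the config block
                break
            raw = data[pos + 6:pos + 6 + length]
            pos += 6 + length
            if typ == 1:
                val = struct.unpack(">H", raw[:2])[0]
            elif typ == 2:
                val = struct.unpack(">I", raw[:4])[0]
            else:  # type 3: raw bytes, usually a NUL-padded string
                val = raw.split(b"\x00", 1)[0].decode("latin-1")
            cfg[FIELDS.get(idx, f"field_{idx}")] = val
        return cfg
    raise ValueError("no Beacon config signature found")

def build_sample_blob() -> bytes:
    """Constructed sample (not a real Beacon): a few fields XORed with 0x2e."""
    def entry(idx, typ, raw):
        return struct.pack(">HHH", idx, typ, len(raw)) + raw
    cfg = (entry(1, 1, struct.pack(">H", 8))       # BeaconType 8 = HTTPS
           + entry(2, 1, struct.pack(">H", 443))
           + entry(3, 2, struct.pack(">I", 60000))  # sleep 60 s
           + entry(8, 3, b"c2.example.invalid,/updates".ljust(256, b"\x00"))
           + entry(37, 2, struct.pack(">I", 305419896))  # watermark: made-up value
           + struct.pack(">HHH", 0, 0, 0))            # terminator
    return b"PADDING" + bytes(b ^ 0x2E for b in cfg) + b"TRAILER"

if __name__ == "__main__":
    print(parse_beacon_config(build_sample_blob()))
```

On a real sample the extracted c2_server and watermark are what you would pivot on: the former for network blocking and hunting, the latter for matching against license IDs already known from leaked or cracked builds.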

Distribution of Cobalt Strike

Unfortunately, the distribution of Cobalt Strike is poorly documented, but it’s believed to be delivered using macros that come with an infected executable embedded in a phishing email. There are few reports of this particular malware, so the conclusion was drawn based on the little information available, and the fact that it is by far the most common attack vector.

Conclusion

Cobalt Strike has gained an excellent reputation among cybercriminals who continue to use it as their Command and Control system of choice to deliver and execute a wide variety of payloads. This is a perfect example of what a legitimate piece of kit can do in the wrong hands. That said, its abuse is a fairly well-researched topic in the community, and there are guides like this one and this one that can help you defend against attacks using this software.

We hope that as the good research continues, and organizations arm themselves against cracked copies of Cobalt Strike, the abuse of this powerful cybersecurity tool will eventually stop.
