Less Lucrative Ransomware Market Makes Attackers Alter Methods
Ransomware actors are ditching Cobalt Strike in favor of native Windows tools, as payment rates hit record lows and data theft surges.
Stay informed on Cobalt Strike-related threats. Get the latest news, analyses, and trends in information security with our focused coverage.
Search across headline titles and summaries.
Background for this topic.
Cobalt Strike is a commercial penetration testing tool designed to simulate advanced attacker behaviors, including command and control (C2) communication, lateral movement, and data exfiltration. Originally intended for red team exercises, it provides features such as customizable payloads, beacon implants, and post-exploitation modules that mimic real-world attack techniques.
Its dual-use nature means threat actors often repurpose Cobalt Strike for unauthorized intrusions, leveraging its stealthy C2 channels and modular capabilities to maintain persistence and evade detection. Security teams should monitor for Cobalt Strike indicators like unusual beacon traffic and employ endpoint detection strategies focused on its known payload behaviors to mitigate risks associated with its misuse.
Weekly headline count for the current query.
Ransomware actors are ditching Cobalt Strike in favor of native Windows tools, as payment rates hit record lows and data theft surges.
Fortra, Microsoft, and Health-ISAC have combined forces to claw back one of hackers' most prized attack tools, with massive takedowns.
The campaign uses a multistage payload-delivery process and various mechanisms for evasion and persistence.
The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive.
Threat actors seen using Go-language implementation of the red-teaming tool on Intel and Apple silicon-based macOS systems.
Members of the former ransomware group are using a FIN7 backdoor to deliver malware —including Cobalt Strike — to victim systems.
The effort aims to disrupt the use of altered Cobalt Strike software by cybercriminals in ransomware and other attacks.
The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.
The popular pen-testing tool is often cracked and repurposed by threat actors. Google now has a plan to address that.
The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.
Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.
The state-sponsored threat actor has switched up its tactics, also adding an automated SQL-injection tool to its bag of tricks for initial access.
The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.
The PyPI "pymafka" package is the latest example of growing attacker interest in abusing widely used open source software repositories.