#CobaltStrike

2025-11-21

GTIG is tracking a multi-year APT24 cyberespionage campaign leveraging the BADAUDIO downloader.

Notable elements:
• Control-flow flattening + DLL Search Order Hijacking
• Targeted supply chain compromises impacting 1K+ domains
• Cobalt Strike Beacon (shared watermark w/ prior APT24 ops)
• Cloud-hosted phishing + JS injection on legitimate sites
• Strategic web compromise → selective payload delivery

Full report:
technadu.com/chinese-apt24-cyb

Follow @technadu for daily threat intelligence.

#APT24 #BADAUDIO #CyberEspionage #ChinaCyber #GTIG #SupplyChainAttack #Taiwan #CobaltStrike #Malware #ThreatIntel

Chinese APT24 Cyberespionage Campaign Targets Taiwan with BADAUDIO Malware
2025-11-20

Pivot to Multi-Vector Attacks

APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They compromised a Taiwanese digital marketing firm, affecting over 1,000 domains. APT24 uses advanced techniques like control flow flattening, fingerprinting, and covert data exfiltration. The malware integrates with Cobalt Strike Beacon and employs DLL Search Order Hijacking for execution. The campaign demonstrates the actor's persistent and adaptive capabilities, highlighting the growing sophistication of Chinese cyber threats.

Pulse ID: 691f6f351b8c5d05831416d7
Pulse Link: otx.alienvault.com/pulse/691f6
Pulse Author: AlienVault
Created: 2025-11-20 19:42:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CobaltStrike #CyberSecurity #Espionage #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #SupplyChain #bot #AlienVault

2025-10-31

Not Cobalt Strike and not Brute Ratel: why attackers chose AdaptixC2 and how to detect it

In September 2025, researchers from Angara MTDR discovered that the AdaptixC2 framework had begun to be used in attacks on organizations in the Russian Federation. Today we, Lada Antipova and Alexander Gantimurov, will describe what the AdaptixC2 post-exploitation framework is, how to identify traces of its use, and how the observed way of using the framework differs from everything described publicly before. During the investigation of a computer security incident, an attacker tool was identified that was used for persistence in the compromised system. It stood out favorably from the other commodity and custom-written malware that the same attackers used during the attack. The sample had an extensive command set, was well designed, and offered broad configuration options. After a short investigation it became clear that we were looking at the Beacon agent of the AdaptixC2 post-exploitation framework. AdaptixC2 is a post-exploitation framework that is often compared with well-known tools such as Cobalt Strike and Brute Ratel. Unlike them, AdaptixC2 is completely free and available on GitHub. Its use in cyberattacks on other countries had previously been reported by Symantec, Palo Alto and Kaspersky Lab. So the appearance of AdaptixC2 in the arsenal of attackers targeting organizations in Russia was only a matter of time.

habr.com/ru/companies/angarase

#framework #malware #cobaltstrike #cyberattacks #automation #maliciouscode

2025-10-31

Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)

The Kinsing threat actor continues to distribute malware by exploiting known vulnerabilities, particularly CVE-2023-46604 in ActiveMQ. They target both Linux and Windows systems, using various malware types including XMRig, Stager, and Sharpire. The attack process involves exploiting the ActiveMQ vulnerability to execute remote commands, installing downloaders, and using tools like CobaltStrike, Meterpreter, and PowerShell Empire to control infected systems. The actor's main objectives include cryptocurrency mining, information theft, and potential ransomware installation. The vulnerability has also been exploited by other groups such as Andariel, HelloKitty, and Mauri ransomware. Organizations are advised to apply security updates to mitigate the risk.

Pulse ID: 690481bbc5f17d52a890f470
Pulse Link: otx.alienvault.com/pulse/69048
Pulse Author: AlienVault
Created: 2025-10-31 09:30:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ActiveMQ #Andariel #CobaltStrike #CyberSecurity #InfoSec #InformationTheft #Kinsing #Linux #Malware #OTX #OpenThreatExchange #PowerShell #RansomWare #Vulnerability #Windows #bot #cryptocurrency #AlienVault

2025-10-29

Team46 and TaxOff: Two Sides of the Same Coin

This intelligence report reveals that Team46 and TaxOff are likely the same APT group, now referred to as Team46. The analysis compares their attack methods, including the use of similar PowerShell commands, URL patterns, and loader functionality. Both groups utilized zero-day exploits and developed sophisticated malware, indicating a long-term strategy for maintaining persistence in compromised systems. The report details the encryption layers and decryption process of the Trinper backdoor, as well as the use of auxiliary tools for system reconnaissance. The unified group's infrastructure mimics legitimate services, and their techniques include phishing emails, DLL hijacking, and the use of Cobalt Strike beacons.

Pulse ID: 6901f129a41c174ffad3e746
Pulse Link: otx.alienvault.com/pulse/6901f
Pulse Author: AlienVault
Created: 2025-10-29 10:49:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CobaltStrike #CyberSecurity #Email #Encryption #ICS #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #ZeroDay #bot #AlienVault

2025-09-29

🌟New report out today!🌟

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

➡️ Fake tax form JS (Lunar Spider) → Brute Ratel
➡️ Latrodectus → Cobalt Strike → BackConnect → .NET backdoor
➡️ Cred theft: LSASS, browsers, plaintext DA creds
➡️ Rclone exfil 20 days in
➡️ Nearly 2 months of C2 before eviction — no ransomware, just deep persistence.

Report: thedfirreport.com/2025/09/29/f

#DFIR #ThreatIntel #BruteRatel #CobaltStrike #IncidentResponse #DFIR

2025-09-16

🤖 Villager: AI + Kali Linux = Automated Pentests

Researchers discovered the Villager framework, which automates cyberattacks with natural language, self-destructing containers, and adaptive AI orchestration.
⚡ Already downloaded 10K+ times since July.
⚡ Could it become the “next Cobalt Strike”?

💬 Does this innovation strengthen red teams or hand threat actors another weapon? Comment & follow @technadu for continuous analysis.

#CyberSecurity #AI #PenTesting #Villager #DeepSeek #CobaltStrike

AI powered
2025-08-14

CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks
#CobaltStrike #CrossC2 #ReadNimeLoader
blogs.jpcert.or.jp/en/2025/08/

2025-07-17

DNS: A Small but Effective C2 system

This analysis explores the exploitation of DNS for command-and-control operations and data exfiltration. It details how cybercriminals leverage DNS tunneling to create covert communication channels, bypassing traditional security measures. The article examines various DNS tunneling families, including Cobalt Strike, DNSCat2, and Iodine, discussing their prevalence and unique characteristics. It also highlights Infoblox's Threat Insight machine learning algorithms, which can detect and block tunneling domains within minutes. The study provides insights into the detection rates of different tunneling families and discusses the challenges in differentiating between legitimate and malicious DNS traffic.

Pulse ID: 6878f6e5d14da64ae460ad61
Pulse Link: otx.alienvault.com/pulse/6878f
Pulse Author: AlienVault
Created: 2025-07-17 13:13:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CyberSecurity #DNS #ICS #InfoSec #Mac #OTX #OpenThreatExchange #RAT #bot #AlienVault

2025-07-16

Sponsor Shout-out!
We are proud to announce Fortra as a sponsor for Adversary Village at @defcon 33! Their commitment to security excellence and community helps us create an impactful village for leaders and practitioners in offensive cyber security and adversary attack simulation research.
Thank you, @fortraofficial team, for believing in our mission and helping us make this happen!
Learn more about Fortra
fortra.com/
#Fortra CobaltStrike #CobaltStrike #DEFCON33 #AdversaryVillage Outflank #AdversarySimulation #DEFCON @AdversaryVillage

abuse.ch :verified:abuse_ch@ioc.exchange
2025-06-20

Active #CobaltStrike botnet C2 with watermark 100000000 🔥

⛔️https://api.micosoftr .icu/djiowejdf
⛔️https://www.googleapi .top/jquery-3.3.1.min.js

Pointing to:
📡43.163.107 .212:443 Tencent 🇨🇳

Sample:
📄bazaar.abuse.ch/sample/91e851f

IOCs on ThreatFox 🦊
threatfox.abuse.ch/browse/tag/

Lenin alevski 🕵️💻alevsk@infosec.exchange
2025-04-30

New Open-Source Tool Spotlight 🚨🚨🚨

AggressorScripts is a curated collection of .cna scripts enhancing Cobalt Strike's functionality. From Beacon-to-Empire migrations to Slack notifications for new Beacons, it’s packed with Red Team utilities. Highlights: OPSEC profiles, mimikatz automation, and stale beacon alerts. #RedTeam #CobaltStrike

🔗 Project link on #GitHub 👉 github.com/bluscreenofjeff/Agg

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

— ✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

emt Technology Distribution emttech
2025-03-27

Are you ready to outsmart cyber threats with advanced adversary simulation? 🤖

It's time to master the art of Adversary Simulation with @Fortra Cobalt Strike!

Simulate advanced adversary tactics, collaborate on realistic red team engagements, and elevate your operations with a flexible and innovative framework.

👉Request a Demo with @emt Distribution META: zurl.co/4PRzL

Sajid Nawaz Khan :donor:snkhan@infosec.exchange
2025-03-25

For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.

When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable up to 2048 bytes!).

While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.

Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.

A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.

cobaltstrike.com/blog/cobalt-s

#cobaltstrike #malwareanalysis #forensics #blueteam

JSON representation of a Cobalt Strike Beacon configuration.
2025-03-25

New analysis: #TrojanW97M exploits #CVE-2021-40444 in Office docs to run remote code, dropping #CobaltStrike beacons. Patch now and watch for suspicious CAB/DLL files. Details: redteamnews.com/exploit/cve/tr

Sajid Nawaz Khan :donor:snkhan@infosec.exchange
2025-03-20

If you're not already blocking DoH services through your proxy, now might be a good time to re-evaluate:

"Cobalt Strike 4.11 introduces a DNS over HTTPS (DoH) Beacon, which provides another stealthy network egress option for Cobalt Strike users. Assuming DNS C2 infrastructure has already been configured, using the DoH Beacon is as simple as enabling it on payload generation, as demonstrated below, and it will run out-of-the-box with all the default options.

By default, Beacon will use mozilla.cloudflare-dns.com,cloudflare-dns.com as its target DoH-compatible DNS server. However, you can configure Beacon’s DoH settings via Malleable C2”:

cobaltstrike.com/blog/cobalt-s

#cobaltstrike
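A defender-side check for the DoH egress the quoted post warns about, as an added example that is not part of the post or of Cobalt Strike's own tooling: it scans proxy log lines (a constructed log format with constructed entries) for the resolvers the post names as Beacon's defaults and for the RFC 8484 `/dns-query` path and `application/dns-message` media type that any DoH exchange uses.

```python
from urllib.parse import urlsplit

# Resolvers named in the quoted post as Beacon's DoH defaults, plus the
# RFC 8484 path and media type that every DoH exchange uses.
KNOWN_DOH_HOSTS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com"}
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed proxy log, one request per line (not a real capture):
#   <timestamp> <client_ip> <method> <url> <status> <content_type>
SAMPLE_LOG = """\
2025-03-20T10:01:02Z 10.0.0.15 POST https://mozilla.cloudflare-dns.com/dns-query 200 application/dns-message
2025-03-20T10:01:03Z 10.0.0.15 GET https://www.example.com/index.html 200 text/html
2025-03-20T10:01:04Z 10.0.0.22 GET https://resolver.example.net/dns-query?dns=AAABAAABAAAAAAAA 200 application/dns-message
2025-03-20T10:01:05Z 10.0.0.22 GET https://cloudflare-dns.com/ 200 text/html
2025-03-20T10:01:06Z 10.0.0.31 GET https://cdn.example.org/jquery.min.js 200 application/javascript
"""

def classify(line):
    """Return the reasons a log line looks like DoH traffic (empty if none)."""
    fields = line.split()
    if len(fields) != 6:
        return []          # malformed line: ignore rather than guess
    _ts, _client, _method, url, _status, ctype = fields
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-host")    # the service itself, any path
    if parts.path == DOH_PATH:
        reasons.append("doh-path")          # catches resolvers not on the list
    if ctype.lower() == DOH_MEDIA_TYPE:
        reasons.append("doh-media-type")    # wire-format DNS in an HTTP body
    return reasons

def find_doh(log_text):
    """Map client IP -> [(url, reasons), ...] for every flagged line."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            fields = line.split()
            hits.setdefault(fields[1], []).append((fields[3], reasons))
    return hits

if __name__ == "__main__":
    for client, entries in find_doh(SAMPLE_LOG).items():
        for url, reasons in entries:
            print(client, url, ",".join(reasons))
```

The host list alone only catches the defaults; the path and media-type checks are what flag a Beacon whose Malleable C2 profile points at a resolver you have never heard of.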