Active #CobaltStrike botnet C2 with watermark 100000000 🔥
⛔️https://api.micosoftr .icu/djiowejdf
⛔️https://www.googleapi .top/jquery-3.3.1.min.js
Pointing to:
📡43.163.107 .212:443 Tencent 🇨🇳
Sample:
📄https://bazaar.abuse.ch/sample/91e851f8cd9a32f9077f9fbbf1a64278e6be460ed5908778e4b45e62e495167e/
IOCs on ThreatFox 🦊
https://threatfox.abuse.ch/browse/tag/cs-watermark-100000000/
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware
A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VELETRIX uses anti-analysis techniques, IPFuscation, and a callback mechanism to execute VShell. The campaign shows overlaps with UNC5174 (Uteus) and Earth Lamia, known China-nexus threat actors. The infrastructure utilizes tools like SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, this operation demonstrates advanced tactics, techniques, and procedures associated with Chinese state-sponsored threat groups.
Pulse ID: 6844107300a6d8cdddd3cf53
Pulse Link: https://otx.alienvault.com/pulse/6844107300a6d8cdddd3cf53
Pulse Author: AlienVault
Created: 2025-06-07 10:12:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#China #Chinese #CobaltStrike #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Telecom #ZIP #bot #AlienVault
Cobalt on the weekends
#CobaltStrike
https://intelinsights.substack.com/p/cobalt-on-the-weekends
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware
A sophisticated cyber campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The operation, dubbed DRAGONCLONE, utilizes VELETRIX and VShell malware to infiltrate systems. The attack chain begins with a malicious ZIP file containing executable files and DLLs, exploiting DLL sideloading against Wondershare Repairit software. VELETRIX, a loader, employs anti-analysis techniques and IPFuscation to decode and execute VShell, a cross-platform OST framework. The campaign shows infrastructure overlaps with known China-nexus threat actors like UNC5174 and Earth Lamia. The attackers utilize various tools including Cobalt Strike, SuperShell, and Asset Lighthouse System for reconnaissance and post-exploitation activities.
Pulse ID: 6842f45696f96557e5f757b1
Pulse Link: https://otx.alienvault.com/pulse/6842f45696f96557e5f757b1
Pulse Author: AlienVault
Created: 2025-06-06 13:59:50
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#China #Chinese #CobaltStrike #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #RAT #SideLoading #Telecom #ZIP #bot #AlienVault
🚨 Chinese Hackers Breach U.S. Local Governments via Trimble Cityworks Zero-Day Exploit🚨 Contact for Security: support@wiretor.com
https://wiretor.com/chinese-hackers-breach-u-s-governments-via-zero-day-exploit
#CityworksZeroDay #CVE20250994 #ChineseHackers #TrimbleExploit #UAT6382 #CobaltStrike #RustMalware #WebShells #AntSword #ChopperWebshell #MaLoader #CyberAttack2025 #IISVulnerability #CybersecurityNews #WireTorCyberSecurity #VulnerabilityManagement
Trojanized KeePass used to deploy Cobalt Strike & ransomware; download ONLY from official sources. #KeePass #CobaltStrike #Ransomware
More details: https://www.helpnetsecurity.com/2025/05/20/trojanized-keepass-keeloader-ransomware - https://www.flagthis.com/news/15397
New Open-Source Tool Spotlight 🚨🚨🚨
AggressorScripts is a curated collection of .cna scripts enhancing Cobalt Strike's functionality. From Beacon-to-Empire migrations to Slack notifications for new Beacons, it’s packed with Red Team utilities. Highlights: OPSEC profiles, mimikatz automation, and stale beacon alerts. #RedTeam #CobaltStrike
🔗 Project link on #GitHub 👉 https://github.com/bluscreenofjeff/AggressorScripts
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— ✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴☠️
Are you ready to outsmart cyber threats with advanced adversary simulation? 🤖
It's time to master the art of Adversary Simulation with @Fortra Cobalt Strike!
Simulate advanced adversary tactics, collaborate on realistic red team engagements, and elevate your operations with a flexible and innovative framework.
👉Request a Demo with @emt Distribution META: https://zurl.co/4PRzL
#CobaltStrike #RedTeaming #CyberSecurity #AdversarySimulation #emtDisti
For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.
When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable upto 2048 bytes!).
While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.
Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.
A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.
https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping
New analysis: #TrojanW97M exploits #CVE-2021-40444 in Office docs to run remote code, dropping #CobaltStrike beacons. Patch now and watch for suspicious CAB/DLL files. Details: https://redteamnews.com/exploit/cve/trojan-w97m-cve202140444-a-analyzing-the-microsoft-office-exploit-that-enables-remote-code-execution/
Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping....
#CobaltStrike
https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping
If you're not already blocking DoH services through your proxy, now might be a good time to re-evaluate:
"Cobalt Strike 4.11 introduces a DNS over HTTPS (DoH) Beacon, which provides another stealthy network egress option for Cobalt Strike users. Assuming DNS C2 infrastructure has already been configured, using the DoH Beacon is as simple as enabling it on payload generation, as demonstrated below, and it will run out-of-the-box with all the default options.
By default, Beacon will use mozilla.cloudflare-dns.com,cloudflare-dns.com as its target DoH-compatible DNS server. However, you can configure Beacon’s DoH settings via Malleable C2”:
https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping
Because the infosec community is too beholden to the corporations and are afraid of sharing information, here's the BlackBasta chat logs:
BlackBasta Data Leak Analysis: CobaltStrike Team Servers
Retrohunt for outbound connections to these addresses. Validate your own CTI findings as a result of any potential hits in your environment. I’m just a person on the internet sharing information.
91[.]191[.]209[.]70
88[.]119[.]170[.]162
78[.]128[.]113[.]102
70[.]34[.]211[.]31
51[.]89[.]62[.]218
51[.]222[.]194[.]208
5[.]78[.]41[.]126
5[.]188[.]206[.]50
5[.]161[.]227[.]233
47[.]250[.]58[.]195
45[.]227[.]254[.]7
216[.]146[.]25[.]72
206[.]71[.]148[.]41
206[.]189[.]62[.]224
203[.]23[.]128[.]72
198[.]27[.]121[.]195
194[.]32[.]77[.]162
194[.]165[.]17[.]9
194[.]165[.]16[.]19
193[.]149[.]176[.]38
192[.]153[.]57[.]252
179[.]60[.]149[.]10
172[.]86[.]98[.]173
168[.]119[.]110[.]217
167[.]114[.]199[.]75
165[.]22[.]8[.]91
151[.]80[.]52[.]32
15[.]204[.]170[.]49
147[.]182[.]231[.]59
142[.]93[.]146[.]149
141[.]98[.]9[.]152
141[.]98[.]81[.]48
128[.]140[.]36[.]37
104[.]248[.]175[.]193
104[.]156[.]59[.]220
Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access. #CobaltStrike #haking https://www.bleepingcomputer.com/news/security/hackers-exploit-cityworks-rce-bug-to-breach-microsoft-iis-servers/
https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
Interesting Case Study by dfirreport
#dfir #blueteam #infosec #cobaltstrike #ransomware #LockBitRansomware
Are you ready to outsmart cyber threats with advanced adversary simulation? 🤖
It's time to master the art of Adversary Simulation with @Fortra Cobalt Strike!
Simulate advanced adversary tactics, collaborate on realistic red team engagements, and elevate your operations with a flexible and innovative framework.
👉Request a DEMO with @emt Distribution META : https://zurl.co/yxekb
#CobaltStrike #RedTeaming #CyberSecurity #AdversarySimulation #emtDisti
Stolen Images Campaign Ends in Conti Ransomware
➡️Initial Access: Stolen Images IcedID Campaign
➡️Discovery: net, ipconfig, Invoke-ShareFinder, chcp, etc.
➡️Persistence: Scheduled Task & Atera Agent
➡️C2: #CobaltStrike & Atera
➡️Impact: Conti Ransomware
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
🚨 New red team tool Splinter discovered by Palo Alto's Unit 42. Not as advanced as #CobaltStrike, but still a threat if misused. Built with Rust, it enables process injection & C2 communication.
https://thehackernews.com/2024/09/cybersecurity-researchers-warn-of-new.html
Cyber pros, stay alert!
Happy Monday everyone!
The researchers at Trend Micro witnessed a threat group named #EarthBaxia conducting spear-phishing campaigns and exploiting a vulnerability in the open source geospatial data sharing server, GeoServer.
Something interesting to note, and there is a lot here, is that the adversary utilized a tool commonly seen in attacks, which is #CobaltStrike. The thing to note here is that they customized the version they had which removed the MZ header, which is most likely a defense-evasion technique to get around security tools.
This technique goes to show that while adversaries may continue to use off-the-shelf and publicly available tools, some will go as far as taking the time and effort to modify them to become undetectable. Enjoy and Happy Hunting!
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday Cyborg Security, Now Part of Intel 471
