Cobalt Strike
Also known as: BEACON, CobaltStrike, Agentemis, cobeacon
Cobalt Strike is a commercial adversary simulation platform created by Raphael Mudge in 2012 and acquired by Fortra (formerly HelpSystems) in 2020. Licensed at roughly $5,900/year per operator, it is designed for red team engagements. Cracked copies have circulated since at least 2015, and by 2021 commodity crimeware operators were using it more than APT groups; Proofpoint documented a 161% increase in malicious use between 2019 and 2020.
The platform deploys an implant called Beacon that communicates with a Linux-based Team Server. Beacon supports C2 over HTTP, HTTPS, DNS, SMB named pipes, and raw TCP, with configurable sleep intervals and jitter. Malleable C2 profiles let operators reshape all network indicators to mimic legitimate traffic like jQuery CDN requests or cloud API calls. Encryption uses RSA for initial key exchange and AES-256 for session traffic.
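As an added illustration of the sleep-interval and jitter behaviour described above (this is example code written for this page, not code from Fortra, Cobalt Strike, or any of the referenced reports), the following Python script applies two defender-side checks to a constructed proxy-log excerpt: a beaconing heuristic that flags source/destination pairs whose call-back intervals are too regular even after jitter, and the checksum8 stager-URI test that the Further Reading entry on Team Server scanning refers to. The hostnames, IP addresses, timestamps and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (not real traffic). Fields: timestamp, source IP,
# destination host, request URI. Hosts and addresses are placeholders.
# 10.0.0.5 calls back about every 60 s with roughly 20% jitter, 10.0.0.9 is
# ordinary browsing, and 10.0.0.7 has too few requests to judge.
SAMPLE_LOG = """\
2026-04-14T10:00:00 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:01:01 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:01:56 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:03:06 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:03:55 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:05:01 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:05:59 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:06:51 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:08:02 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:09:05 10.0.0.5 cdn.example.invalid /jquery-3.3.1.min.js
2026-04-14T10:00:00 10.0.0.9 www.example.invalid /
2026-04-14T10:00:03 10.0.0.9 www.example.invalid /news
2026-04-14T10:02:03 10.0.0.9 www.example.invalid /news/2026
2026-04-14T10:02:10 10.0.0.9 www.example.invalid /about
2026-04-14T10:17:10 10.0.0.9 www.example.invalid /
2026-04-14T10:17:12 10.0.0.9 www.example.invalid /search
2026-04-14T10:17:57 10.0.0.9 www.example.invalid /contact
2026-04-14T10:22:57 10.0.0.9 www.example.invalid /
2026-04-14T10:23:12 10.0.0.9 www.example.invalid /news
2026-04-14T10:23:17 10.0.0.9 www.example.invalid /login
2026-04-14T10:00:00 10.0.0.7 updates.example.invalid /check
2026-04-14T10:01:00 10.0.0.7 updates.example.invalid /check
2026-04-14T10:02:00 10.0.0.7 updates.example.invalid /check
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _uri = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Mean, population std-dev and coefficient of variation (CV) of the gaps
    between consecutive requests."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    dev = pstdev(gaps)
    return avg, dev, (dev / avg if avg else float("inf"))


def find_beacons(events, min_callbacks=8, max_cv=0.35):
    """Flag pairs whose call-back gaps are too regular for interactive use.

    A sleep of s with jitter p spreads gaps uniformly over [s(1-p), s(1+p)],
    whose CV is p/sqrt(3): about 0.12 at 20% jitter and 0.29 at 50%, so the
    0.35 ceiling (an assumed threshold) still catches heavily jittered beacons.
    min_callbacks keeps a couple of coincidentally even intervals from alerting.
    """
    hits = []
    for (src, dst), stamps in events.items():
        if len(stamps) < min_callbacks:
            continue
        avg, dev, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "callbacks": len(stamps),
                         "sleep_s": round(avg, 1), "jitter_cv": round(cv, 3)})
    return hits


def is_checksum8_stager_uri(uri):
    """Cobalt Strike's default HTTP stager requests a short random URI whose
    byte sum mod 256 is 92 (x86) or 93 (x64), the same checksum8 scheme the
    Metasploit stager uses. The leading '/' and any query string are excluded."""
    path = uri.split("?", 1)[0].lstrip("/")
    return sum(path.encode()) % 256 in (92, 93)


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", hit)
```

Run as-is, the script reports only the 10.0.0.5 pair (mean gap about 60.6 s, CV about 0.12); the browsing host's CV is above 1 and the three-request host is skipped for lack of samples. Long sleeps need a correspondingly longer log window before min_callbacks is reached, and the checksum8 test only matters for staged payloads, since a stageless Beacon never requests the stager URI.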
Post-exploitation capabilities cover most of the ATT&CK lifecycle: shellcode injection, built-in Mimikatz for credential dumping, Kerberos ticket manipulation, lateral movement via PsExec/WMI/WinRM, port scanning, and Beacon Object Files (BOFs) for in-process extension without spawning new processes. The sleep mask feature encrypts Beacon in memory between callbacks.
Cobalt Strike is used across the full range of threat actors. APT29 deployed custom Beacon loaders in the SolarWinds campaign. APT41 uses it as a first-stage payload in mixed espionage and financial operations. FIN7 and ransomware groups including Conti, LockBit, and BlackBasta rely on it for post-exploitation and lateral movement before encryption.
Law enforcement has pushed back hard. In 2023, Microsoft, Fortra, and Health-ISAC obtained a court order to seize infrastructure hosting cracked copies. Operation Morpheus in June 2024, led by the UK NCA and Europol across 7 countries, took down 593 servers in one week. Fortra reports an 80% reduction in unauthorized copies as of 2024.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 12 |
| Apr 13, 2026 | 12 |
| Apr 12, 2026 | 14 |
| Apr 11, 2026 | 13 |
| Apr 10, 2026 | 6 |
| Apr 9, 2026 | 10 |
| Apr 8, 2026 | 19 |
Further Reading
Mandiant's definitive component taxonomy. Precisely defines Team Server, Client, Beacon, Listeners, and Malleable C2 from both red team and IR perspectives.
Google's release of 165 open-source YARA rules targeting Cobalt Strike components across 34 release versions up to 4.7.
Grounded in real intrusion data. Covers which loaders deliver CS (IcedID, TrickBot, Qbot), what commands attackers actually run, and detection at each stage.
Network detection deep dive: domain fronting, SOCKS proxy traffic, C2 pattern analysis, Sigma rules, JARM/JA3 fingerprinting, and RITA beaconing detection.
Walks through manual beacon config extraction. Covers the settings structure, encryption layers, and what each field means operationally (C2 URLs, sleep, jitter, watermark).
Best technical breakdown of the Malleable C2 DSL. Shows how profiles transform metadata encoding, URI structure, headers, and body formatting.
Internet-wide scanning methodology for finding active Team Servers. TLS certificate analysis, staging URI checksum8 detection, and behavioral fingerprinting.
Protocol-level analysis of Beacon's RSA/AES key exchange, session key derivation, and how to decrypt captured C2 traffic given the private key.
The landmark study quantifying CS's shift from APT tool to commodity crimeware. 161% increase in malicious use 2019-2020, dropping from 66% to 15% attributable to known actors.
Canonical technique mapping spanning nearly every Enterprise ATT&CK tactic. Cross-references dozens of group profiles and campaign reports.