Hacker-made Linux Cobalt Strike beacon used in ongoing attacks


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
An unofficial Cobalt Strike Beacon Linux version made by unknown threat actors from scratch has been spotted by security researchers while actively used in attacks targeting organizations worldwide.

Cobalt Strike is a legitimate penetration testing tool designed as an attack framework for red teams (groups of security professionals who act as attackers on their own org's infrastructure to discover security gaps and vulnerabilities.)

Cobalt Strike is also used by threat actors (commonly dropped in ransomware attacks) for post-exploitation tasks after deploying so-called beacons, which provide persistent remote access to compromised devices. Using beacons, attackers can later access breached servers to harvest data or deploy further malware payloads. Over time, cracked copies of Cobalt Strike have been obtained and shared by threat actors, becoming one of the most common tools used in cyberattacks leading to data theft and ransomware. However, Cobalt Strike has always had a weakness — it only supports Windows devices and does not include Linux beacons.

In a new report by security firm Intezer, researchers explain how threat actors have taken it upon themselves to create their Linux beacons compatible with Cobalt Strike. Using these beacons, threat actors can now gain persistence and remote command execution on both Windows and Linux machines.

Intezer researchers, who first spotted the beacon re-implementation in August and dubbed it Vermilion Strike, said that the Cobalt Strike ELF binary [VirusTotal] they discovered is currently fully undetected by anti-malware solutions.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.