
Cobalt Strike
Cobalt Strike is a commercial adversarial simulation tool whose beacon payload is widely repurposed by criminal and state-sponsored actors for persistent command-and-control on compromised systems.
Last refreshed: 7 June 2026
Why do ransomware crews use a legitimate pen-testing tool as their attack platform?
Timeline for Cobalt Strike
Delivered as a beacon payload via exploited WebLogic instances
Cybersecurity: Threats and Defences: WebLogic flaw revived as ransomware vector
- What is Cobalt Strike and why do hackers use it?
- Cobalt Strike is a legitimate commercial tool designed for security teams to simulate attacks. It includes a Beacon payload that creates a persistent encrypted connection to an attacker's server, enabling lateral movement and data collection. Criminals abuse cracked copies because it is operationally mature, widely documented, and provides management interfaces that substitute for in-house development capability. Source: Fortra product documentation, CISA-FBI-NSA joint advisory
- How can I detect Cobalt Strike on my network?
- EDR platforms broadly detect known Cobalt Strike Malleable C2 profiles using behavioural signatures. Key indicators include characteristic sleep-jitter patterns, reflective DLL injection (MITRE T1055), and HTTP/HTTPS beacon traffic to team server IPs. JARM TLS fingerprinting can identify default Cobalt Strike team server configurations. Custom Malleable profiles evade signature detection; network anomaly detection and memory scanning are the most reliable supplementary controls. Source: MITRE ATT&CK, Cobalt Strike detection community research
- Is Cobalt Strike illegal?
- Cobalt Strike itself is a legal commercial product sold to authorised red teams and penetration testers. Using a cracked or illegally licensed copy, or deploying it against systems without authorisation, is illegal. Fortra and Microsoft took legal action in 2023 against infrastructure distributing cracked versions of the tool. Source: Fortra legal filings, Microsoft Digital Crimes Unit press release 2023
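As an added illustration of the sleep-jitter indicator mentioned in the detection answer above (this is example code written for this page, not code from Fortra or from any of the cited sources): a small Python check that groups constructed proxy log lines by client/server pair and flags pairs whose request intervals cluster tightly around one median sleep, as a jittered beacon's check-ins do, while a browsing session's bursty gaps are left alone. The log format, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic): "timestamp src dst method uri".
# First client checks in roughly every 60 s with jitter; second client browses.
SAMPLE_LOG = """\
2026-06-07T10:00:00 10.0.0.5 198.51.100.7 GET /api/status
2026-06-07T10:01:05 10.0.0.5 198.51.100.7 GET /api/status
2026-06-07T10:02:00 10.0.0.5 198.51.100.7 GET /api/status
2026-06-07T10:03:10 10.0.0.5 198.51.100.7 GET /api/status
2026-06-07T10:03:58 10.0.0.5 198.51.100.7 GET /api/status
2026-06-07T10:05:02 10.0.0.5 198.51.100.7 GET /api/status
2026-06-07T10:00:03 10.0.0.9 203.0.113.2 GET /index.html
2026-06-07T10:00:04 10.0.0.9 203.0.113.2 GET /style.css
2026-06-07T10:07:31 10.0.0.9 203.0.113.2 GET /news/today
2026-06-07T10:07:32 10.0.0.9 203.0.113.2 GET /img/logo.png
2026-06-07T10:21:15 10.0.0.9 203.0.113.2 GET /contact
2026-06-07T10:21:16 10.0.0.9 203.0.113.2 GET /img/map.png
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \S+ \S+$")  # assumed log layout

def parse(log_text):
    """Return {(src, dst): [datetime, ...]} with each pair's timestamps sorted."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst = m.groups()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in pairs.items()}

def beacon_score(times, min_requests=6, max_jitter=0.5, min_sleep=5.0):
    """Return (median_sleep_seconds, jitter_ratio) when the series looks like a
    jittered beacon, else None. jitter_ratio is the largest deviation of any
    interval from the median interval, divided by the median."""
    if len(times) < min_requests:
        return None  # too few check-ins to judge periodicity
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    if median < min_sleep:
        return None  # sub-second bursts are page loads, not sleep/check-in cycles
    jitter = max(abs(g - median) for g in gaps) / median
    return (median, jitter) if jitter <= max_jitter else None

def find_beacons(log_text, **kw):
    """Map each beacon-like (src, dst) pair to its (median sleep, jitter ratio)."""
    return {p: s for p, t in parse(log_text).items() if (s := beacon_score(t, **kw))}
```

The browsing pair fails both the minimum-sleep and the jitter test; the thresholds are a starting point to tune against your own baseline, and a custom profile with very long sleeps or high jitter will need a longer observation window.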
Background
Cobalt Strike is a commercial adversary-simulation and red-team platform developed by Raphael Mudge and now maintained by Fortra (formerly HelpSystems). Its core product is the Beacon payload: a reflective DLL implant that establishes an encrypted command-and-control (C2) channel to an attacker-controlled team server, supporting lateral movement, credential harvesting, pivoting, and staged payload delivery. Cobalt Strike is sold legitimately to penetration-testing firms and red teams, but cracked and leaked copies have circulated widely in criminal and state-sponsored ecosystems since at least 2015. It appears routinely as the post-exploitation stage following initial access gained via exploited vulnerabilities. In this briefing, CVE-2024-21182, an unauthenticated flaw in Oracle WebLogic Server, delivered Cobalt Strike beacons as an intermediate payload before Sodinokibi ransomware deployment, confirming the standard two-stage criminal use: beacon first, ransomware second.
Fortra has pursued legal and technical measures to disrupt cracked Cobalt Strike distributions, including a 2023 joint takedown with Microsoft and Health-ISAC targeting malicious infrastructure hosting leaked 4.x copies, and subsequent intellectual-property litigation against resellers of illegal licences. Detection approaches focus on the beacon's characteristic Malleable C2 profile patterns, sleep-jitter randomisation, and process injection techniques, behaviours documented in MITRE ATT&CK techniques T1055 and T1071. Endpoint detection and response (EDR) vendors broadly detect known Cobalt Strike configurations, but adversaries routinely customise Malleable C2 profiles to evade signature-based detection.
Cobalt Strike's centrality to the criminal ecosystem reflects its operational maturity: it provides a managed C2 interface, team collaboration features, and a broad plugin ecosystem (BOFs, Aggressor scripts) that a criminal crew can operate without in-house development capability. Its legitimacy as a commercial product also complicates attribution: a Cobalt Strike beacon on a compromised host cannot be attributed to a specific threat group without additional artefacts. CISA, FBI and NSA have issued joint advisories documenting Cobalt Strike's appearance in intrusions by multiple state-sponsored and criminal actors.