Malicious use of Cobalt Strike down 80% after crackdown, Fortra says
The number of unauthorized copies of the testing tool Cobalt Strike used in the wild is down 80% over the last two years following the launch of a global crackdown, the security firm Fortra said Friday.
Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, which bought Cobalt Strike in 2020, have worked since 2023 to address the longstanding issue of pirated and unlicensed versions of the software being downloaded by criminals from illegal marketplaces and used in cyberattacks.
Developed in 2012, Cobalt Strike is an adversary simulator and penetration testing software used by red teams to detect vulnerabilities and plan response, but older versions of the program have been widely exploited by cybercriminals, ransomware gangs and nation-state attackers.
Unlicensed versions of Cobalt Strike are typically used in spearphishing emails that aim to install a beacon on the target’s device. This beacon then allows the attacker to profile and remotely access the victim’s network.
In March 2023, the U.S. District Court for the Eastern District of New York issued an order allowing Microsoft, Fortra and Health-ISAC to go after the “malicious infrastructure” used in attacks, such as command-and-control servers.
The order allowed the three entities to notify relevant internet service providers and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline — severing the connection between criminal operators and infected victim computers.
Fortra explained in a blog post Friday that a three-year operation named “Morpheus” culminated in July 2024 with the coordinated global takedown of known IP addresses and domain names associated with criminal activity related to unauthorized versions of Cobalt Strike.
That effort, headed by the UK's National Crime Agency, led to 690 IP addresses being flagged to online service providers in 27 countries, 593 of which have been taken down to date. The operation was assisted by law enforcement agencies in Australia, the U.S., Canada, Germany, the Netherlands and Poland.
The 80% decrease in unauthorized copies has helped “drastically reduce availability to cybercriminals,” Fortra said.
“We have successfully seized and sinkholed over 200 malicious domains, effectively cutting off their ability to accept legitimate traffic and preventing further exploitation by threat actors,” the company said. “Additionally, the average dwell time — the period between initial detection and takedown — has been reduced to less than one week in the United States and less than two weeks worldwide.”
Fortra associate vice president Bob Erdman told Recorded Future News that collaborating with Microsoft and other partners allowed them to expand the speed and scale of their actions.
“Every unauthorized Cobalt Strike system taken down or domain name that is seized interrupts potential attacks across the globe,” he said. “The additional involvement of global law enforcement organizations allows us to share intelligence and IOCs in real time to the relevant authorities for enforcement actions.”
Microsoft previously said it had found evidence of nation-state groups from Russia, China, Vietnam and Iran using cracked copies of Cobalt Strike. Experts have seen Cobalt Strike used in dozens of ransomware attacks on healthcare institutions, and it was deployed in the ransomware attack that impacted the government of Costa Rica in 2022.
A Microsoft spokesperson told Recorded Future News that the success in reducing the use of unauthorized, legacy copies of Cobalt Strike “underscores the power of collaboration in combating cybercrime.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.