Ethical Hacking News

The Exploitation of CrossC2: A New Vector for Cobalt Strike Attacks



Cybersecurity experts have identified a new vector for Cobalt Strike attacks using CrossC2, an unconventional command-and-control framework. This development highlights the evolving nature of cybersecurity threats and underscores the importance of robust incident response measures. Discover the intricacies of this threat actor's tactics and strategies in our in-depth article.

  • JPCERT/CC analysis revealed a sophisticated threat actor using CrossC2 C2 framework to extend Cobalt Strike Beacon across multiple platforms.
  • The attacker used CrossC2, PsExec, Plink, and other tools to penetrate Active Directory (AD) in various incidents between September and December 2024.
  • A bespoke Cobalt Strike Beacon loader called ReadNimeLoader was discovered, demonstrating CrossC2's ability to execute Cobalt Strike commands remotely.
  • The attack vector leverages a scheduled task to launch the legitimate java.exe binary, abusing it for sideloading the ReadNimeLoader loader.
  • ReadNimeLoader incorporates advanced anti-debugging and anti-analysis techniques to prevent detection.
  • JPCERT/CC observed overlaps with BlackSuit/Black Basta ransomware activity, highlighting the complex interplay between threat actors.
  • The discovery underscores the importance of robust incident response measures, vigilance among security professionals, and ongoing awareness regarding potential vulnerabilities in Linux servers.


Japan's CERT coordination center (JPCERT/CC) has reported on a threat actor that used an unconventional command-and-control (C2) framework, CrossC2, to extend the reach of Cobalt Strike Beacon to platforms beyond Windows, including Linux and Apple macOS. The finding shows how tooling built around Cobalt Strike keeps evolving, and it highlights the need for incident response coverage on those platforms as well.

The observation came from an analysis of VirusTotal artifacts, which revealed a series of incidents targeting several countries, including Japan, between September and December 2024. According to JPCERT/CC researcher Yuma Masubuchi, "The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD."

JPCERT/CC also recovered a bespoke Cobalt Strike Beacon loader, codenamed ReadNimeLoader. CrossC2 itself, once it has established communication with the remote server specified in its configuration, can execute the usual range of Cobalt Strike commands on the compromised host. This modular tooling extends the attackers' capabilities and shows their willingness to adapt and evolve their tactics.

The attack chain starts from a scheduled task set up on the compromised machine. The task launches the legitimate java.exe binary, which is abused to sideload ReadNimeLoader under the file name "jli.dll", the name of a library that java.exe normally loads from its own directory. The loader, written in the Nim programming language, reads the contents of a text file and executes that content directly in memory, so the decoded payload never touches disk.

ReadNimeLoader also incorporates anti-debugging and anti-analysis techniques, so that the next-stage OdinLdr payload is decoded only when no debugger or analysis tooling is detected. The effort invested in this loader points to a capable operator and reinforces the need for strong security measures to counter such threats.

Notably, JPCERT/CC observed overlaps between this campaign and the BlackSuit/Black Basta ransomware activity reported by Rapid7 in June 2025, citing shared C2 domains and similarly named files. This finding illustrates the interplay between different threat actors and the value of comprehensive incident response.

The presence of ELF versions of SystemBC, a backdoor that often functions as a precursor to Cobalt Strike and ransomware deployment, further reinforces this connection. Masubuchi noted, "While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks."

He also emphasized, "Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required." Linux hosts without endpoint telemetry therefore deserve particular attention from security teams.

The use of CrossC2 to extend Cobalt Strike Beacon across multiple platforms has practical implications for defenders: detection and response must cover Linux and macOS hosts, not only Windows, and monitoring for Beacon-style C2 traffic should not assume a Windows endpoint.

In conclusion, this actor's use of CrossC2 represents a notable escalation in the sophistication of Cobalt Strike attacks. Security professionals should remain proactive in identifying and mitigating the exposures, especially unmonitored Linux servers, that such campaigns exploit.
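As a defender-side illustration of the sideloading step described above (an example added here, not code from JPCERT/CC's report): the Python below scans constructed Sysmon Event ID 7 (image loaded) records and flags java.exe loading jli.dll from outside an assumed set of trusted Java install roots, or without a valid signature. The trusted roots, field names and sample records are assumptions, not taken from the page.

```python
"""Flag java.exe loading jli.dll from an untrusted location (sideloading hunt).

Sideloading works because java.exe resolves jli.dll from its own directory,
so a copy of java.exe dropped beside a malicious jli.dll loads the attacker's
DLL. The records below are constructed, Sysmon Event ID 7 style dicts
(Image / ImageLoaded / Signed), not real telemetry.
"""
from pathlib import PureWindowsPath

# Assumed trusted install roots; extend with the environment's real Java deployments.
TRUSTED_JAVA_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Java"),
    PureWindowsPath(r"C:\Program Files (x86)\Java"),
    PureWindowsPath(r"C:\Program Files\Eclipse Adoptium"),
)


def _under_trusted_root(path: str) -> bool:
    """True when the path lies inside one of the trusted Java install roots."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(root) for root in TRUSTED_JAVA_ROOTS)


def classify_image_load(event: dict) -> list:
    """Return the reasons an image-load record looks like jli.dll sideloading.

    An empty list means the record is either unrelated or looks benign.
    """
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() != "java.exe" or loaded.name.lower() != "jli.dll":
        return []
    reasons = []
    if not _under_trusted_root(event["Image"]):
        reasons.append("java.exe running outside a trusted Java install")
    if not _under_trusted_root(event["ImageLoaded"]):
        reasons.append("jli.dll loaded from outside a trusted Java install")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("jli.dll is not signed")
    return reasons


def hunt(events: list) -> list:
    """Return (index, reasons) for every suspicious record in a batch."""
    return [(i, r) for i, e in enumerate(events) if (r := classify_image_load(e))]


# Constructed sample records: a normal JDK load, a sideload from a writable
# directory, and an unrelated image load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Update\java.exe",
     "ImageLoaded": r"C:\ProgramData\Update\jli.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\schedsvc.dll", "Signed": "true"},
]
```

Per-user Java installs (for example under a user profile) will be flagged until their roots are added to TRUSTED_JAVA_ROOTS, so tune the list before running this against real telemetry.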



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Exploitation-of-CrossC2-A-New-Vector-for-Cobalt-Strike-Attacks-ehn.shtml

  • https://thehackernews.com/2025/08/researchers-warn-crossc2-expands-cobalt.html

  • https://www.esecurityplanet.com/threats/new-cobalt-strike-beacon-variant-targets-linux/


  • Published: Thu Aug 14 09:31:07 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.