CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks
From September to December 2024, incidents involving CrossC2, an extension tool for Cobalt Strike Beacon on Linux, were confirmed. The attacker used CrossC2 along with other tools like PsExec, Plink, and Cobalt Strike to penetrate AD. A custom malware called ReadNimeLoader was used as a loader for Cobalt Strike. The campaign may have affected multiple countries. CrossC2 is an unofficial Beacon and builder compatible with Cobalt Strike 4.1+, designed for Linux and macOS. It contains anti-analysis features and encrypted configuration data. The attack flow involved java.exe, ReadNimeLoader, and OdinLdr to execute Cobalt Strike Beacon. Other tools used include SystemBC, GetNPUsers, and privilege escalation tools. The campaign shows potential connections to BlackBasta based on similar characteristics.
AI Analysis
Technical Summary
CrossC2 is a sophisticated extension tool designed to expand the capabilities of the Cobalt Strike Beacon framework to support cross-platform attacks, specifically targeting Linux and macOS environments. From September to December 2024, multiple incidents involving CrossC2 were observed, highlighting its use in advanced persistent threat (APT) campaigns. The threat actors leveraged CrossC2 alongside well-known lateral movement and privilege escalation tools such as PsExec, Plink, SystemBC, and custom loaders like ReadNimeLoader and OdinLdr to infiltrate and maintain persistence within Active Directory (AD) environments. ReadNimeLoader serves as a custom loader for Cobalt Strike, facilitating stealthy execution by employing anti-analysis techniques and encrypted configuration data to evade detection. The attack chain typically involves execution through java.exe, followed by the deployment of ReadNimeLoader and OdinLdr to launch the Cobalt Strike Beacon. The campaign also utilized credential dumping tools like GetNPUsers and various privilege escalation techniques to deepen access within compromised networks. Notably, the campaign exhibits behavioral and technical overlaps with the BlackBasta ransomware group, suggesting potential attribution or collaboration. CrossC2’s compatibility with Cobalt Strike 4.1+ and its focus on Linux and macOS platforms mark a significant evolution in threat actor toolsets, moving beyond traditional Windows-centric attacks to target heterogeneous enterprise environments. The campaign’s use of multiple TTPs (Tactics, Techniques, and Procedures) such as process injection, masquerading, credential dumping, and persistence mechanisms underscores its complexity and the advanced skill level of the adversaries involved.
Potential Impact
For European organizations, the CrossC2 campaign poses a substantial risk due to its ability to compromise multi-platform environments, including Linux and macOS systems that are increasingly prevalent in enterprise infrastructures. The penetration of Active Directory environments enables attackers to escalate privileges, move laterally, and potentially deploy ransomware or data exfiltration operations. The use of stealthy loaders and encrypted configurations complicates detection and response efforts, increasing dwell time and the likelihood of significant operational disruption. Organizations in sectors with critical infrastructure, finance, healthcare, and government are particularly vulnerable given their reliance on diverse operating systems and the strategic value of their data. The campaign’s association with BlackBasta, a known ransomware group, raises concerns about potential ransomware deployment following initial compromise, which could lead to data loss, financial damage, reputational harm, and regulatory penalties under GDPR. The cross-platform nature of the threat also challenges traditional security monitoring tools that may be more Windows-focused, necessitating enhanced visibility across all operating systems. Additionally, the use of legitimate tools like PsExec and Plink for lateral movement complicates detection, as these tools are often whitelisted or considered benign in many environments.
Mitigation Recommendations
European organizations should adopt a multi-layered defense strategy tailored to the cross-platform nature of this threat. Specific recommendations include:
1) Implement comprehensive endpoint detection and response (EDR) solutions that provide visibility and behavioral analytics across Windows, Linux, and macOS systems to detect anomalous activities such as unauthorized process injections or unusual network connections.
2) Harden Active Directory environments by enforcing strict credential hygiene, including the use of strong, unique passwords, multi-factor authentication (MFA) for all privileged accounts, and regular auditing of account permissions and group memberships.
3) Monitor and restrict the use of legitimate administrative tools like PsExec and Plink, employing application control policies or allowlisting to prevent unauthorized execution.
4) Deploy network segmentation to limit lateral movement opportunities, especially between user workstations and critical servers.
5) Conduct regular threat hunting exercises focused on indicators of compromise related to CrossC2, ReadNimeLoader, and associated tools, leveraging threat intelligence feeds and behavioral indicators.
6) Ensure timely patching of all systems, including Linux and macOS, to reduce the attack surface.
7) Educate security teams on the evolving TTPs of groups like BlackBasta to improve incident response readiness.
8) Utilize deception technologies or honeypots to detect early-stage intrusions involving CrossC2 components.
9) Maintain robust backup and recovery processes to mitigate ransomware impact if deployed post-compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Switzerland
Indicators of Compromise
- ip: 162.33.179.247
- ip: 179.60.149.209
- ip: 64.52.80.62
- ip: 64.95.10.209
- ip: 67.217.228.55
- hash: 2562895965e8f788293790145a69bdd3
- hash: 70f762906348e9ffda7de43efdcefb40
- hash: cbab5757c973d4366352043d27e0860f
- hash: d67a7903c6777d64b69845b6fcd5db65
- hash: 5112bb076f791ef9116390159e6ede27062d5e6f
- hash: 9aec636dbd172f325923b240a5533de6a5038f4f
- hash: c0430aa4e9b5396a170e1b4ec2afd38f894085cb
- hash: 0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25
- hash: 28d668f3e1026a56d55bc5d6e36fad71622c1ab20ace52d3ab12738f9f8c6589
- hash: 3079a29575a0adff91f04c5493a7f3e1c89795e3a90cf842650cd8bd45c4e1bc
- hash: 3f96b6589996e57abc1c4d9b732528d2d11dea5c814f8241170c14ca2cd0281d
- hash: 56b941f6dcb769ae6d6995412559012abab830f05d5d8acf2648f7fa48c20833
- hash: 6246fb5c8b714707ac49ade53e6fe5017d96442db393b1c0ba964698ae24245d
- hash: 6b80d602472c76b1d0f05bcce62e0a34de758232d9d570ba61b540784c663c01
- hash: 70b3b8e07752c1f3d4a462b2ab47ca3d9fb5094131971067230031b8b2cd84f2
- hash: 74a33138ce1e57564baa4ea4db4a882d6bf51081b79a167a6cb2bf9130ddad7f
- hash: 7ccff87db7b4e6bc8c5a7e570f83e26ccb6f3a8f72388210af466048d3793b00
- hash: 99d6b73b1a9e66d7f6dcb3244ea0783b60776efd223d95c4f95e31fde434e258
- hash: 9e8c550545aea5212c687e15399344df8a2c89f8359b90d8054f233a757346e7
- hash: ac02aee660d44a8bfbc69e9c46cf402fd41e99915e13d0de3977e662ef13b2ca
- hash: acdf2a87ed03f2c6fe1d9899e8a74e8b56f7b77bb8aed5adf2cc374ee5465168
- hash: ad90a4490d82c7bd300fdbbdca0336e5ad2219d63ea0f08cebc33050d65b7ef2
- hash: d74eac55eeaa3138bc1e723c56013bb1af7709f0a77308bfbf268d4e32b37243
- hash: dfe79b9c57cfb9fc10597b43af1c0a798991b6ceeec2af9b1e0ed46e6a8661c8
- hash: e0e827198a70eef6c697559660106cfab7229483b0cd7f0c7abd384a3d2ee504
- hash: ecca3194613b0bab02059c3544fdc90f6d4af5a4c06518c853517eb1d81b9735
- hash: f79e047ae4834e6a9234ca1635f18b074a870b366fe4368c10c2ddc56dfbb1bc
- url: http://api.glazeceramics.com:443
- url: http://comdoc1.docu-duplicator.com:53
- url: http://doc.docu-duplicator.com:53
- url: http://doc2.docu-duplicator.com:53
- domain: api.glazeceramics.com
- domain: comdoc1.docu-duplicator.com
- domain: doc.docu-duplicator.com
- domain: doc2.docu-duplicator.com
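As an added illustration of mitigation recommendation 5 (hunting for the indicators listed above), the following Python script is not from this page, from AlienVault or from the referenced JPCERT/CC report. It loads the page's IP, domain, URL and hash indicators, scans log lines for them, and additionally flags the protocol/port mismatch visible in the listed URLs (plaintext HTTP on port 53 and on port 443). The log format, the sample lines, and the function names `scan_text` and `summarize` are constructed for this example and are not any vendor's telemetry format.

```python
"""IoC matcher for the CrossC2 pulse indicators listed on this page.

Added example: the indicator values come from the page's IoC list; the log
format and the sample log lines are constructed for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the page's Indicators of Compromise list.
IOC_IPS = {
    "162.33.179.247", "179.60.149.209", "64.52.80.62",
    "64.95.10.209", "67.217.228.55",
}
IOC_DOMAINS = {
    "api.glazeceramics.com", "comdoc1.docu-duplicator.com",
    "doc.docu-duplicator.com", "doc2.docu-duplicator.com",
}
IOC_URLS = {
    "http://api.glazeceramics.com:443",
    "http://comdoc1.docu-duplicator.com:53",
    "http://doc.docu-duplicator.com:53",
    "http://doc2.docu-duplicator.com:53",
}
# A subset of the page's file hashes (one of each length); the full list on the
# page can be pasted in here unchanged.
IOC_HASHES = {
    "2562895965e8f788293790145a69bdd3",
    "5112bb076f791ef9116390159e6ede27062d5e6f",
    "0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str      # "ip", "domain", "url", "hash" or "heuristic"
    value: str


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"']+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def _hits_for_line(line_no: int, line: str) -> list[Hit]:
    hits: list[Hit] = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.append(Hit(line_no, "domain", host.lower()))
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(Hit(line_no, "hash", h.lower()))
    for raw in URL_RE.findall(line):
        u = urlsplit(raw)
        base = f"{u.scheme.lower()}://{u.netloc.lower()}"   # drop path/query
        if base in IOC_URLS:
            hits.append(Hit(line_no, "url", base))
        try:
            port = u.port
        except ValueError:
            port = None
        # Heuristic drawn from the page's URLs: plaintext HTTP on the DNS port
        # (53) or the TLS port (443) is a protocol/port mismatch worth reviewing
        # even when the host itself is not yet on a blocklist.
        if u.scheme.lower() == "http" and port in (53, 443):
            hits.append(Hit(line_no, "heuristic", f"http-on-port-{port}"))
    return hits


def scan_text(text: str) -> list[Hit]:
    """Scan newline-separated log text; line numbers are 1-based."""
    return [h for n, line in enumerate(text.splitlines(), 1)
            for h in _hits_for_line(n, line)]


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per indicator kind."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample lines (key=value style); hosts, paths and internal
# addresses other than the page's indicators are made up.
SAMPLE_LOG = """\
2025-08-15T10:02:11Z dns client=10.0.5.23 qname=doc2.docu-duplicator.com qtype=A
2025-08-15T10:02:12Z proxy client=10.0.5.23 method=GET url=http://doc2.docu-duplicator.com:53 status=200
2025-08-15T10:03:05Z proxy client=10.0.5.41 method=GET url=http://api.glazeceramics.com:443/ status=200
2025-08-15T10:03:40Z proxy client=10.0.5.41 method=GET url=https://www.example.com/index.html status=200
2025-08-15T10:05:02Z edr host=WS-0418 image=C:\\Temp\\sample.bin sha256=0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25
2025-08-15T10:05:09Z fw src=10.0.5.41 dst=64.95.10.209 dport=443 action=allow
2025-08-15T10:07:55Z fw src=10.0.5.41 dst=8.8.8.8 dport=53 action=allow
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
    print(summarize(found))
```

The URL comparison keeps only scheme and host:port so that a beacon request with a path still matches the bare URLs published on the page; the heuristic is deliberately separate from the indicator match so it keeps working after the attacker rotates infrastructure.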
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blogs.jpcert.or.jp/en/2025/08/crossc2.html
- Adversary: BlackBasta
- Pulse Id: 689f1c5321801f3a8be22b42
- Threat Score: null
Threat ID: 689f2c73ad5a09ad006c9d78
Added to database: 8/15/2025, 12:47:47 PM
Last enriched: 8/15/2025, 1:04:24 PM
Last updated: 8/18/2025, 12:47:10 PM
Views: 7