CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks

Medium
Published: Fri Aug 15 2025 (08/15/2025, 11:38:59 UTC)
Source: AlienVault OTX General

Description

From September to December 2024, incidents involving CrossC2, an extension tool for Cobalt Strike Beacon on Linux, were confirmed. The attacker used CrossC2 along with other tools like PsExec, Plink, and Cobalt Strike to penetrate AD. A custom malware called ReadNimeLoader was used as a loader for Cobalt Strike. The campaign may have affected multiple countries. CrossC2 is an unofficial Beacon and builder compatible with Cobalt Strike 4.1+, designed for Linux and macOS. It contains anti-analysis features and encrypted configuration data. The attack flow involved java.exe, ReadNimeLoader, and OdinLdr to execute Cobalt Strike Beacon. Other tools used include SystemBC, GetNPUsers, and privilege escalation tools. The campaign shows potential connections to BlackBasta based on similar characteristics.

AI-Powered Analysis

Last updated: 08/15/2025, 13:04:24 UTC

Technical Analysis

CrossC2 is an unofficial Beacon and builder that extends the Cobalt Strike framework to Linux and macOS targets; it is compatible with Cobalt Strike 4.1+ and carries anti-analysis features and encrypted configuration data. From September to December 2024, multiple incidents involving CrossC2 were observed, highlighting its use in advanced persistent threat (APT) campaigns.

The threat actors paired CrossC2 with well-known lateral-movement and remote-access tools such as PsExec, Plink and SystemBC, and with the custom loaders ReadNimeLoader and OdinLdr, to penetrate Active Directory (AD) environments and maintain persistence within them. ReadNimeLoader is a custom loader for Cobalt Strike; the observed execution chain starts with java.exe, which leads to ReadNimeLoader and then OdinLdr, which in turn launches the Cobalt Strike Beacon. The campaign also used credential-harvesting tools like GetNPUsers and various privilege-escalation techniques to deepen access within compromised networks.

Notably, the campaign exhibits behavioral and technical overlaps with the BlackBasta ransomware group, suggesting potential attribution or collaboration. CrossC2's focus on Linux and macOS marks a significant evolution in threat actor toolsets, moving beyond traditional Windows-centric attacks to target heterogeneous enterprise environments. The campaign's use of multiple TTPs (Tactics, Techniques, and Procedures) such as process injection, masquerading, credential dumping, and persistence mechanisms underscores its complexity and the advanced skill level of the adversaries involved.

Potential Impact

For European organizations, the CrossC2 campaign poses a substantial risk due to its ability to compromise multi-platform environments, including Linux and macOS systems that are increasingly prevalent in enterprise infrastructures. The penetration of Active Directory environments enables attackers to escalate privileges, move laterally, and potentially deploy ransomware or data exfiltration operations. The use of stealthy loaders and encrypted configurations complicates detection and response efforts, increasing dwell time and the likelihood of significant operational disruption. Organizations in sectors with critical infrastructure, finance, healthcare, and government are particularly vulnerable given their reliance on diverse operating systems and the strategic value of their data.

The campaign's association with BlackBasta, a known ransomware group, raises concerns about potential ransomware deployment following initial compromise, which could lead to data loss, financial damage, reputational harm, and regulatory penalties under GDPR. The cross-platform nature of the threat also challenges traditional security monitoring tools that may be more Windows-focused, necessitating enhanced visibility across all operating systems. Additionally, the use of legitimate tools like PsExec and Plink for lateral movement complicates detection, as these tools are often whitelisted or considered benign in many environments.

Mitigation Recommendations

European organizations should adopt a multi-layered defense strategy tailored to the cross-platform nature of this threat. Specific recommendations include:

1) Implement comprehensive endpoint detection and response (EDR) solutions that provide visibility and behavioral analytics across Windows, Linux, and macOS systems to detect anomalous activities such as unauthorized process injections or unusual network connections.
2) Harden Active Directory environments by enforcing strict credential hygiene, including the use of strong, unique passwords, multi-factor authentication (MFA) for all privileged accounts, and regular auditing of account permissions and group memberships.
3) Monitor and restrict the use of legitimate administrative tools like PsExec and Plink, employing application control policies or allowlisting to prevent unauthorized execution.
4) Deploy network segmentation to limit lateral movement opportunities, especially between user workstations and critical servers.
5) Conduct regular threat hunting exercises focused on indicators of compromise related to CrossC2, ReadNimeLoader, and associated tools, leveraging threat intelligence feeds and behavioral indicators.
6) Ensure timely patching of all systems, including Linux and macOS, to reduce the attack surface.
7) Educate security teams on the evolving TTPs of groups like BlackBasta to improve incident response readiness.
8) Utilize deception technologies or honeypots to detect early-stage intrusions involving CrossC2 components.
9) Maintain robust backup and recovery processes to mitigate ransomware impact if deployed post-compromise.
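As an added example, not code from the pulse or from JPCERT, the following Python hunt implements recommendation 5 over constructed proxy-log lines: it flags destinations matching this pulse's domain and IP indicators and, independently, plain-HTTP connections on ports 53 or 443, the pattern seen in the pulse's URL indicators. The log format and the sample lines are assumptions.

```python
from urllib.parse import urlsplit

# Network indicators copied from this pulse's IoC section.
IOC_HOSTS = {"api.glazeceramics.com", "comdoc1.docu-duplicator.com",
             "doc.docu-duplicator.com", "doc2.docu-duplicator.com"}
IOC_IPS = {"162.33.179.247", "179.60.149.209", "64.52.80.62",
           "64.95.10.209", "67.217.228.55"}

# Plain http:// to these ports is unusual in most environments; the pulse's
# URL indicators use http:// on 53 and 443, so treat that as a hunting signal
# even when the destination is not on the indicator list.
SUSPICIOUS_HTTP_PORTS = {53, 443}

def classify(line):
    """Return the reasons a proxy-log line is suspicious (empty list if clean)."""
    # Assumed (hypothetical) log format: "<timestamp> <src_ip> <dst_ip> <url>"
    fields = line.split()
    if len(fields) != 4:
        return ["unparseable"]
    _ts, _src_ip, dst_ip, url = fields
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known C2 domain")
    if dst_ip in IOC_IPS or host in IOC_IPS:
        reasons.append("known C2 ip")
    if parts.scheme == "http" and port in SUSPICIOUS_HTTP_PORTS:
        reasons.append(f"plain http on port {port}")
    return reasons

def hunt(lines):
    """Map 1-based line numbers to reasons for every flagged line."""
    return {n: r for n, line in enumerate(lines, 1) if (r := classify(line))}

# Constructed sample log; destinations other than the pulse's IoCs are
# documentation/test addresses, not real observations.
SAMPLE_LOG = [
    "2024-10-02T09:14:01Z 10.0.0.12 93.184.216.34 https://www.example.com/",
    "2024-10-02T09:14:07Z 10.0.0.12 203.0.113.9 http://doc2.docu-duplicator.com:53/",
    "2024-10-02T09:15:22Z 10.0.0.31 162.33.179.247 http://update.example.net:443/",
    "2024-10-02T09:16:00Z 10.0.0.31 10.0.0.5 http://intranet.example.local/",
]

if __name__ == "__main__":
    for n, reasons in hunt(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)} -> {SAMPLE_LOG[n - 1]}")
```

The port rule fires on its own for the third sample line, so a destination that has not yet been published as an indicator is still surfaced for review.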

Technical Details

Author: AlienVault
TLP: white
References: https://blogs.jpcert.or.jp/en/2025/08/crossc2.html
Adversary: BlackBasta
Pulse Id: 689f1c5321801f3a8be22b42
Threat Score: null

Indicators of Compromise

IP

162.33.179.247
179.60.149.209
64.52.80.62
64.95.10.209
67.217.228.55

URL

http://api.glazeceramics.com:443
http://comdoc1.docu-duplicator.com:53
http://doc.docu-duplicator.com:53
http://doc2.docu-duplicator.com:53

Domain

api.glazeceramics.com
comdoc1.docu-duplicator.com
doc.docu-duplicator.com
doc2.docu-duplicator.com

Threat ID: 689f2c73ad5a09ad006c9d78

Added to database: 8/15/2025, 12:47:47 PM

Last enriched: 8/15/2025, 1:04:24 PM

Last updated: 8/16/2025, 9:53:45 AM