Exposing a Currently Active and Spreading Cobalt Strike Serving Malicious Software Campaign

0
January 26, 2023

I've just came across to a currently circulating Cobalt Strike serving malicious software campaign and I've decided to share the details with everyone reading this blog.

Original malware hosting location: hxxp://bsctech[.]ac[.]th/css/43[.]exe

MD5: d8d8cb60d196a26765261b1ca8604d1e

Sample C&C server IPs known to have been involved in the campaign include:

hxxp://5[.]253[.]234[.]40 -> hxxp://5[.]253[.]234[.]40/activity -> hxxp://5[.]253[.]234[.]40/activity/submit[.]php

Sample geolocation of the known C&C server IP:


Sample C&C server domains known to have been involved in the campaign include:

hxxp://bpltjykhm[.]online

hxxp://51lqm[.]online

About Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

0 Comments:

Subscribe to: Post Comments (Atom)