CrossC2 and ReadNimeLoader Cobalt Strike activity
Malware Activity
Summary
JPCERT/CC documented CrossC2-enabled Cobalt Strike activity that expanded Beacon control to Linux and Apple macOS, raising cross-platform intrusion risk inside internal networks. The activity was observed between September and December 2024 and included attempts to penetrate Active Directory (AD). Attackers used ReadNimeLoader to sideload and run the Beacon chain in memory, reducing on-disk traces and complicating detection.
Related Happenings
PassiveNeuron multi-region espionage campaign
Campaign
First: 22.10.2025 11:58
Last: 22.10.2025 11:58
Sources 1
About this happening:
**PassiveNeuron** is an **active cyber espionage campaign** targeting **government, financial, and industrial organizations** across **Asia, Africa, and Latin America**, with a fr...
Timeline
14.08.2025 16:16 · 1 article
JPCERT/CC discloses CrossC2 intrusions and ReadNimeLoader chain
Initial Disclosure
JPCERT/CC disclosed CrossC2-based intrusions affecting multiple countries, including Japan, and said the activity was detected between September and December 2024. The attacker used CrossC2, PsExec, Plink, and Cobalt Strike to penetrate AD, then used a scheduled task to launch java.exe and sideload ReadNimeLoader (jli.dll), which loaded OdinLdr and executed Cobalt Strike Beacon in memory on compromised systems, including Linux servers inside an internal network.
- Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS — thehackernews.com — 14.08.2025 16:16