CrossC2 Framework Expands Cobalt Strike Beacon to Linux and macOS

Summary

Threat actors have been observed using the CrossC2 framework to extend Cobalt Strike Beacon’s functionality to Linux and macOS systems. Between September and December 2024, multiple countries, including Japan, were targeted. The attacks involved custom malware, including ReadNimeLoader and OdinLdr, to deploy Cobalt Strike Beacons and evade detection. The campaign shares similarities with BlackSuit/Black Basta ransomware activity, indicating potential overlap in threat actors or tactics. The use of CrossC2 highlights the increasing threat to Linux servers, which often lack endpoint detection and response (EDR) systems.

Timeline

  1. 14.08.2025 16:16

    CrossC2 Framework Used to Expand Cobalt Strike Beacon to Linux and macOS

    Between September and December 2024, threat actors used the CrossC2 framework to extend Cobalt Strike Beacon’s functionality to Linux and macOS systems. The campaign relied on custom malware, including ReadNimeLoader and OdinLdr, to deploy Cobalt Strike Beacons while evading detection. The attacks targeted multiple countries, including Japan, and shared similarities with BlackSuit/Black Basta ransomware activity.

Similar Happenings

WhatsApp Zero-Day Exploited in Targeted Spyware Campaign

A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed an unrelated user to trigger the processing of content from an arbitrary URL on a target's device, potentially leading to spyware deployment. The attacks were sophisticated and chained the WhatsApp flaw with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. The vulnerability was patched in WhatsApp's messaging apps for Apple iOS and macOS. The attacks were part of a targeted spyware campaign, and WhatsApp sent in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks, and has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.

UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

A China-nexus threat actor, UNC6384, has been targeting diplomats in Southeast Asia and other entities globally. The campaign, detected in March 2025, uses a multi-stage attack chain involving advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to deploy the PlugX (SOGU) backdoor. The attacks leverage captive portal redirects and valid TLS certificates to evade detection and deceive targets into downloading malware disguised as software updates. The threat actor shares tactical and tooling overlaps with Mustang Panda, a known Chinese hacking group, and the campaign illustrates the sophistication and evolving operational capabilities of PRC-nexus threat actors. It targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain intercepts captive portal checks via compromised edge devices and uses a valid TLS certificate issued by Let's Encrypt to avoid browser security warnings. The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co. Ltd., which has signed at least 25 known malware samples since January 2023. The CANONSTAGER launcher uses unconventional techniques such as API hashing, use of the thread local storage (TLS) array, and executing code through window procedures and message queues to hide its activity.

Global Phishing Campaign Installs RATs via Malicious Scripts

A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying remote access trojans (RATs) via malicious scripts. The campaign particularly affects organizations in the manufacturing, technology, healthcare, construction, and retail/hospitality sectors. The attack begins with socially engineered emails leading to personalized phishing pages, which deliver JavaScript files acting as droppers for the UpCrypter malware. UpCrypter in turn deploys various RATs, including PureHVNC, DCRat, and Babylon RAT, giving the attackers long-term access to compromised networks. The campaign has grown rapidly, with detection counts doubling in just two weeks. The attack chain relies on obfuscated scripts, personalized phishing pages, and evasion techniques designed to avoid detection, and the use of ready-made tools and phishing kits from underground sites contributes to its complexity and spread. Attackers are also abusing legitimate services such as Google Classroom, Microsoft 365, and OneNote for phishing, and using client-side evasion techniques to bypass defenses. Defenders are advised to implement multi-layered defenses, including strong email filters, employee training, and up-to-date security tools.

APT36 Linux .desktop File Abuse for Malware Delivery in Ongoing Espionage Campaign

APT36, a Pakistani cyber espionage group, is actively abusing Linux .desktop files to deliver malware in attacks targeting government and defense entities in India. The campaign, which began on August 1, 2025, uses phishing emails to distribute ZIP archives containing malicious .desktop files disguised as PDFs. When opened, these files execute a payload that establishes persistent access and exfiltrates data. The attack leverages the 'Exec=' field of the .desktop file to run shell commands that fetch and execute a hex-encoded payload from attacker-controlled servers or Google Drive. The payload is a Go-based ELF executable built for espionage, capable of operating stealthily and establishing persistence through cron jobs and systemd services. Communication with the command and control (C2) server takes place over a bi-directional WebSocket channel. APT36 has also been observed targeting Windows and BOSS Linux systems, using spoofed domains and infrastructure hosted on Pakistan-based servers to steal credentials and 2FA codes.

XenoRAT Malware Campaign Targets Foreign Embassies in South Korea

A state-sponsored espionage campaign has targeted foreign embassies in South Korea since March 2025, deploying XenoRAT malware from malicious GitHub repositories. The campaign has launched at least 19 spearphishing attacks against high-value targets, including Central and Western European embassies. The attacks have been attributed with medium confidence to the North Korean actor Kimsuky (APT43), but there are indications of possible Chinese involvement: the campaign's activity patterns, including timezone analysis and holiday pauses, show activity largely originating from a timezone consistent with China. XenoRAT is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, transferring files, and providing a remote shell. The campaign used highly contextual and multilingual email lures, often timed to match real events, and delivered password-protected archives containing malicious .LNK files alongside a decoy document to mask the malicious activity. Cloud storage services such as Dropbox and Daum Cloud were used to deliver the XenoRAT payload and to help the malicious activity fly under the radar. The attackers rotated infrastructure rapidly to avoid detection and used Korean services and infrastructure to blend into the South Korean network.