The abuse of the popular adversary simulation tool Cobalt Strike has decreased significantly over the past two years, according to Fortra, the product’s developer.
Cobalt Strike is a legitimate post-exploitation tool designed for adversary simulation, but threat actors have found ways to obtain cracked copies, usually of older versions of the product, that they can use in their own operations.
The tool has been abused by both profit-driven cybercriminals and state-sponsored threat groups.
In April 2023, Fortra announced that it had teamed up with Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) to take legal and technical action against the abuse of Cobalt Strike. This included disrupting attacker infrastructure and filing lawsuits against hackers.
In July 2024, Europol announced the takedown of nearly 600 Cobalt Strike servers linked to cybercrime activities.
Now, nearly two years after announcing that partnership, Fortra reports that the number of unauthorized Cobalt Strike copies seen in the wild has dropped by 80%.
The operation has also resulted in more than 200 malicious domains being seized and sinkholed so they can no longer be used by malicious hackers.
“Additionally, the average dwell time—the period between initial detection and takedown—has been reduced to less than one week in the United States and less than two weeks worldwide,” Fortra said.
The company says its efforts continue, including providing information to law enforcement agencies, sending takedown notices to hosting providers, and raising awareness of the illegal use of unauthorized Cobalt Strike copies.
“We actively track these activities to the point of origin, identifying root causes to prevent reoccurrence. We concurrently issue notices on a persistent basis until these illegal versions are removed from web properties. Compliant web properties are also passively monitored in case of reappearance,” Fortra said.
“These efforts are gaining momentum and have entered a new phase of heightened efficacy. Automation processes have been put into place to further increase efficiency and simplify the takedown process. Additionally, just as cybercriminals adapt their techniques, Fortra continuously updates Cobalt Strike’s security controls to thwart cracking attempts and protect legitimate users,” it explained.
Related: Google Making Cobalt Strike Pentesting Tool Harder to Abuse
Related: BadBox Botnet Powered by 1 Million Android Devices Disrupted
Related: Rydox Cybercrime Marketplace Disrupted, Administrators Arrested