#cobaltstrike

Commercial adversary simulation framework, widely abused by APTs, ransomware operators and initial access brokers




IOCs by window (IOCs tagged #cobaltstrike)

Today: 0
Week: 0
Month: 2
Year: 7,543

Counts as of 2026-04-29. Regenerated daily.

About #cobaltstrike

  • Type: commercial adversary simulation framework. Team Server + Beacon implant architecture, supports HTTP, HTTPS, DNS and named-pipe C2. Vendor: Fortra (formerly Strategic Cyber LLC).
  • Abuse pattern: pirated and cracked copies dominate the wild. Routinely deployed by APTs (e.g., APT41, FIN7), ransomware affiliates (Conti, BlackCat, Akira) and initial access brokers as the second stage after phishing or exploit landing pages.
  • Detection signals: default Beacon profiles leak through HTTP URI patterns, named pipes, sleep jitter and process injection. Defenders watch for stager URIs, JA3/JA4 fingerprints and hardcoded watermarks; YARA covers known stomped DLL patterns.
  • References: MITRE ATT&CK S0154 · Malpedia · Vendor (Fortra).

Recent IOCs tagged #cobaltstrike

Latest 2 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/cobaltstrike.

Date           Type  Value                 Source
Apr 05, 18:00  url   http://44.212.191.1   @phatomcandle
Apr 05, 18:00  ip    44.212.191.1          @phatomcandle

Past-month volume is low; the year aggregate (7,543) reflects historical activity. For a longer window, query api.tweetfeed.live/v1/year/cobaltstrike.

Related tags

Tags that frequently co-occur with #cobaltstrike.


Frequently asked questions

What is Cobalt Strike?

Cobalt Strike is a commercial adversary simulation and red-team framework developed by Fortra (formerly Strategic Cyber LLC). It pairs a Team Server with a Beacon implant that runs on a target machine, supporting HTTP, HTTPS, DNS and named-pipe C2. It is licensed for legitimate red-team engagements, but pirated and cracked copies dominate the wild and are routinely deployed by APTs, ransomware affiliates and initial access brokers as the second stage after phishing or exploit landing pages.

Is Cobalt Strike legal?

Possessing and operating an officially licensed Cobalt Strike copy for authorised red-team work is legal. Distributing, possessing or running cracked Cobalt Strike copies is not. The IOCs on this page are extracted from public threat-research tweets and tag servers that researchers have observed in real-world intrusions; vendor licensing status is not asserted for any specific IP, domain or hash.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Cobalt Strike-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Cobalt Strike subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Cobalt Strike IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).