#CobaltStrike

Commercial adversary simulation framework, widely abused by APTs, ransomware operators and initial access brokers


IOCs by window (IOCs tagged #CobaltStrike)

  • Today: 0
  • Week: 2
  • Month: 13
  • Year: 4,711

Counts as of 2026-06-29. Regenerated daily.

About #CobaltStrike

  • Type: commercial adversary simulation framework. Team Server plus Beacon implant architecture; Beacon calls back over HTTP, HTTPS or DNS, or chains through SMB named pipes to a peer Beacon on an already-compromised host. Vendor: Fortra (formerly HelpSystems), which acquired the original developer, Strategic Cyber LLC.
  • Abuse pattern: pirated and cracked copies dominate the wild. Routinely deployed by APTs (e.g., APT41, FIN7), ransomware affiliates (Conti, BlackCat, Akira) and initial access brokers as the second stage after phishing or exploit landing pages.
  • Detection signals: Beacons running the default Malleable C2 profile leak through their HTTP URIs (four-character stager paths whose checksum8 is 92 for x86 or 93 for x64, and the default profile's GET/POST URIs), default named pipes (msagent_##, MSSE-###-server, postex_####), sleep and jitter timing, and process injection. Defenders watch for stager URIs, JA3/JA4 fingerprints of the team server and the watermark (licence ID) embedded in Beacon's configuration; public YARA rules cover known Beacon, sleep-mask and stomped-DLL patterns.
  • References: MITRE ATT&CK S0154 · Malpedia · Vendor (Fortra).
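The HTTP side of those detection signals, as an added example (not TweetFeed's or Fortra's code): a checker that runs over web-proxy log lines and flags the default-profile URIs and checksum8 stager paths mentioned above. The log format (timestamp, client, method, host, path, status) and the log lines themselves are constructed for the example; the URI list is Cobalt Strike's built-in default profile, so a team server running a custom profile will not trip any of it.

```python
"""Flag default-profile Cobalt Strike HTTP artefacts in a web-proxy log.

Added example (not TweetFeed's or Fortra's code). The log format is a constructed
one: timestamp, client, method, host, path, status, space-separated.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# GET/POST URIs from Cobalt Strike's built-in default Malleable C2 profile.
DEFAULT_GET_URIS = {
    "/ca", "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/match", "/visit.js",
    "/load", "/push", "/ptj", "/j.ad", "/ga.js", "/en_US/all.js", "/activity",
    "/IE9CompatViewList.xml",
}
DEFAULT_POST_URI = "/submit.php"  # default profile: POST /submit.php?id=<beacon id>

# Default stager path: four random alphanumeric characters chosen so that the
# Metasploit-style checksum8 of the string is 92 (x86 stager) or 93 (x64 stager).
STAGER_PATH_RE = re.compile(r"[A-Za-z0-9]{4}")
STAGER_CHECKSUMS = {92: "stager uri (x86)", 93: "stager uri (x64)"}


def checksum8(text: str) -> int:
    """checksum8: sum of the ASCII byte values modulo 256."""
    return sum(text.encode("ascii")) % 256


def classify_request(method: str, path: str) -> Optional[str]:
    """Return the detection signal a single request trips, or None."""
    route, _, query = path.partition("?")
    if method == "GET" and route in DEFAULT_GET_URIS:
        return "default-profile GET uri"
    if method == "POST" and route == DEFAULT_POST_URI and "id=" in query:
        return "default-profile POST uri"
    stem = route.lstrip("/")
    if method == "GET" and STAGER_PATH_RE.fullmatch(stem):
        return STAGER_CHECKSUMS.get(checksum8(stem))
    return None


Hit = Tuple[str, str, str, str, int, str]  # ts, client, host, path, status, signal


def scan_log(log_text: str) -> List[Hit]:
    """Run classify_request over every line; keep the lines that tripped a signal."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        signal = classify_request(method, path)
        if signal:
            hits.append((ts, client, host, path, int(status), signal))
    return hits


def score_hosts(hits: List[Hit]) -> Dict[str, int]:
    """Distinct signal types per host, counting only 2xx responses. A random
    four-character path collides with checksum8 92/93 by chance (2 in 256),
    but a 404 for it means nothing was staged, so those hits are not scored."""
    signals = defaultdict(set)
    for _, _, host, _, status, signal in hits:
        if 200 <= status < 300:
            signals[host].add(signal)
    return {host: len(s) for host, s in signals.items()}


# Constructed sample log; 159.223.34.28 is one of the IOCs listed on this page.
SAMPLE_PROXY_LOG = """\
2026-06-23T18:12:04Z 10.0.4.21 GET 159.223.34.28 /aaa9 200
2026-06-23T18:12:09Z 10.0.4.21 GET 159.223.34.28 /dpixel 200
2026-06-23T18:12:12Z 10.0.4.21 POST 159.223.34.28 /submit.php?id=1403 200
2026-06-23T18:13:00Z 10.0.4.33 GET www.example.com /index.html 200
2026-06-23T18:13:30Z 10.0.4.33 GET cdn.example.com /aab9 404
2026-06-23T18:14:00Z 10.0.4.50 GET www.example.com /library/load 200
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(*hit)
    print(score_hosts(found))
```

A host that trips several distinct signals (stager path, default GET URI and the /submit.php POST in the sample) is far stronger evidence than any one of them; single stager-path hits in particular should be confirmed against the response size and the named-pipe, JA3/JA4 and watermark signals listed above before anyone blocks on them.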

Recent IOCs tagged #CobaltStrike

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/cobaltstrike.

Date Type Value Source
Jun 23, 18:12 url http://159.223.34.28 @skocherhan
Jun 23, 18:12 ip 159.223.34.28 @skocherhan
Jun 15, 08:40 url https://49.232.4.71 @etugenio
Jun 15, 08:40 url http://49.232.4.71 @etugenio
Jun 15, 08:40 ip 49.232.4.71 @etugenio
Jun 14, 15:34 url http://104.236.69.171:443 @skocherhan
Jun 14, 15:34 ip 104.236.69.171 @skocherhan
Jun 13, 18:22 domain tier-suffering-contamination-cumulative.trycloudflare.com @skocherhan
Jun 13, 18:22 url http://tier-suffering-contamination-cumulative.trycloudflare... @skocherhan
Jun 13, 18:22 md5 112cc66323d5115ae18d80ce9e681c9f @skocherhan
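The table above lists the same host several times (a url entry and an ip entry for 159.223.34.28, two url entries plus an ip entry for 49.232.4.71). The following is an added example, not part of the TweetFeed project, of collapsing a JSON export such as the live feed linked above onto one record per host. The field names (date, user, type, value, tags) are assumed from the public feed; the sample is constructed from the rows on this page, leaving out the truncated trycloudflare URL row and the feed's tweet-link field.

```python
"""Normalise a TweetFeed #CobaltStrike export into a deduplicated host list.

Added example, not part of the TweetFeed project. Field names are assumed from
the public JSON feed; SAMPLE_FEED is constructed from the rows on this page.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SAMPLE_FEED = json.dumps([
    {"date": "2026-06-23 18:12:00", "user": "skocherhan", "type": "url",
     "value": "http://159.223.34.28", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-23 18:12:00", "user": "skocherhan", "type": "ip",
     "value": "159.223.34.28", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-15 08:40:00", "user": "etugenio", "type": "url",
     "value": "https://49.232.4.71", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-15 08:40:00", "user": "etugenio", "type": "url",
     "value": "http://49.232.4.71", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-15 08:40:00", "user": "etugenio", "type": "ip",
     "value": "49.232.4.71", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-14 15:34:00", "user": "skocherhan", "type": "url",
     "value": "http://104.236.69.171:443", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-14 15:34:00", "user": "skocherhan", "type": "ip",
     "value": "104.236.69.171", "tags": ["#CobaltStrike"]},
    {"date": "2026-06-13 18:22:00", "user": "skocherhan", "type": "domain",
     "value": "tier-suffering-contamination-cumulative.trycloudflare.com",
     "tags": ["#CobaltStrike"]},
    {"date": "2026-06-13 18:22:00", "user": "skocherhan", "type": "md5",
     "value": "112cc66323d5115ae18d80ce9e681c9f", "tags": ["#CobaltStrike"]},
])

HASH_TYPES = {"md5", "sha1", "sha256"}


def refang(value: str) -> str:
    """Undo the usual tweet defanging so urlsplit can parse the value."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def defang(value: str) -> str:
    """Make an indicator safe to paste into a ticket or report."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def normalise(feed) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Collapse url/ip/domain entries onto the host they point to; hashes kept apart."""
    hosts = defaultdict(lambda: {"types": set(), "ports": set(),
                                 "sources": set(), "first_seen": None})
    hashes: Dict[str, str] = {}
    for entry in feed:
        kind, value = entry["type"], refang(entry["value"].strip())
        if kind in HASH_TYPES:
            hashes[value.lower()] = kind
            continue
        if kind == "url":
            parts = urlsplit(value)
            host = parts.hostname          # already lower-cased, port stripped
            if host is None:
                continue
            if parts.port:
                hosts[host]["ports"].add(parts.port)
        elif kind in ("ip", "domain"):
            host = value.lower()
        else:
            continue
        rec = hosts[host]
        rec["types"].add(kind)
        rec["sources"].add(entry["user"])
        if rec["first_seen"] is None or entry["date"] < rec["first_seen"]:
            rec["first_seen"] = entry["date"]
    return dict(hosts), hashes


def to_blocklist(hosts: Dict[str, dict]) -> List[str]:
    """Sorted, defanged host list, one line per host regardless of how many feed rows it had."""
    return [defang(h) for h in sorted(hosts)]


if __name__ == "__main__":
    host_map, hash_map = normalise(json.loads(SAMPLE_FEED))
    for host, rec in host_map.items():
        print(host, sorted(rec["types"]), sorted(rec["ports"]), rec["first_seen"])
    print(hash_map)
    print("\n".join(to_blocklist(host_map)))
```

Ports are kept separately because a url row such as http://104.236.69.171:443 says which listener was seen, while the matching ip row says nothing about the port; a firewall rule on the host alone would cover both. Feed consumers should also expect the same value to show up under more than one tag and from more than one researcher, which is why sources are collected into a set rather than overwritten.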


Frequently asked questions

What is Cobalt Strike?

Cobalt Strike is a commercial adversary simulation and red-team framework sold by Fortra (formerly HelpSystems), which acquired its original developer, Strategic Cyber LLC. It pairs a Team Server with a Beacon implant that runs on a target machine; Beacon calls back over HTTP, HTTPS or DNS, or relays through SMB named pipes to another Beacon. It is licensed for legitimate red-team engagements, but pirated and cracked copies dominate the wild and are routinely deployed by APTs, ransomware affiliates and initial access brokers as the second stage after phishing or exploit landing pages.

Is Cobalt Strike legal?

Possessing and operating an officially licensed Cobalt Strike copy for authorised red-team work is legal. Distributing, possessing or running cracked Cobalt Strike copies is not. The IOCs on this page are extracted from public threat-research tweets and tag servers that researchers have observed in real-world intrusions; vendor licensing status is not asserted for any specific IP, domain or hash.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Cobalt Strike-tagged IOCs reach those feeds (including the live JSON endpoint linked above) within the next 15-minute tick; this static page, including the counts by window, is regenerated once a day by a GitHub Action, so it can lag the feeds by up to 24 hours.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Cobalt Strike subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Cobalt Strike IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).