Threat Intelligence

CrossC2 enables multi-platform Cobalt Strike attacks on Linux, macOS

Plain code with the word "cyberattack" in red.

CrossC2, an unofficial framework that adapts Cobalt Strike Beacon for use on multiple platforms, has been linked to a series of intrusions targeting organizations in Japan and other countries, The Hacker News reports.

According to Japan's CERT coordination center (JPCERT/CC), incidents observed between September and December 2024 targeted organizations in Japan and other countries, leveraging CrossC2 alongside utilities such as PsExec and Plink. The attackers deployed a custom loader, named ReadNimeLoader, to run Cobalt Strike Beacons on compromised systems. Written in programming language Nim, the loader executes payloads entirely in memory, using an open-source shellcode loader called OdinLdr, and employs anti-analysis safeguards to prevent detection. "While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network," said researcher Yuma Masubuchi. In documented cases, it was launched via a legitimate Java binary configured in a scheduled task to sideload a malicious dynamic link library. JPCERT/CC noted infrastructure and file naming overlaps with ransomware activity tied to BlackSuit/Black Basta, as well as the presence of ELF variants of the SystemBC backdoor. The agency warned that many Linux servers lack endpoint detection tools, making them attractive initial access points in such campaigns.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds