
Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux

Security researchers with Intezer have identified a reimplementation of the infamous Cobalt Strike Beacon payload, which features completely new code.

Dubbed Vermilion Strike, the malware can be used to target Linux and Windows devices and provides attackers with remote access capabilities such as file manipulation and shell command execution.

Since August 2021, adversaries have been using the new beacon to target government agencies, financial institutions, IT companies, telecommunication providers, and advisory companies worldwide. Limited targeting, however, suggests the malware is being used in specific attacks only.

“The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says.

A Linux-targeting sample uploaded from Malaysia contains strings similar to those in previously observed Cobalt Strike variants and also triggers YARA rules designed to detect encoded Cobalt Strike configurations. The file uses OpenSSL via dynamic linking and was built on Red Hat, so it runs only on machines running Linux distributions derived from Red Hat's code base.

Command and control (C&C) is mainly performed over DNS, but can be done over HTTP as well. The approach is meant to evade defenses based on the monitoring of HTTP traffic.

Vermilion Strike can perform tasks such as: get disk partitions, get the working directory and change it, append or write to files, upload files to the C&C server, execute commands, and list files. The Windows implementation of the beacon carries almost the same functionality and has the same C&C domains.

“Cobalt Strike is a Windows-only malware so making a custom Linux file communicate with a Cobalt Strike server is impressive,” Intezer says. “We don’t believe this has ever happened before in APT attacks.”

The beacon currently has a very low detection rate, and this is especially true for the Linux variant. However, Vermilion Strike is not the only Linux port of Cobalt Strike, and most likely not the last either.

“Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment. Linux threats often have low detection rates compared to their Windows counterparts,” Intezer notes.

Related: Cobalt Strike Bug Exposes Attacker Servers

Related: How Low-level Hackers Access High-end Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
