Connect with us

Hi, what are you looking for?


Malware & Threats

Technical, Legal Action Taken to Prevent Abuse of Cobalt Strike, Microsoft Software

Microsoft, Fortra and Health-ISAC have taken legal and technical action to prevent the abuse of the Cobalt Strike exploitation tool and Microsoft software.

Microsoft addresses Cobalt Strike abuse

Microsoft, cybersecurity firm Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have taken legal and technical action in an effort to prevent the abuse of the Cobalt Strike exploitation tool, as well as the abuse of Microsoft software. 

Cobalt Strike is a legitimate post-exploitation tool designed by Fortra for adversary simulation. While the company has been trying to prevent the abuse of its product, including by verifying the customers it’s sold to, threat actors have found ways to create cracked copies — typically older versions of the software — and abuse them in their malicious operations.

Cobalt Strike has been widely abused, including by profit-driven cybercriminals that run ransomware operations and state-sponsored threat groups associated with China, Russia, Iran and Vietnam.

Health-ISAC was involved in the operation alongside Microsoft and Fortra because Cobalt Strike has often been abused in ransomware attacks targeting the healthcare sector. The exploitation tool has been observed in 68 ransomware attacks that hit healthcare organizations across 19 countries.

In addition to the abuse of Cobalt Strike, Microsoft said its own SDKs and APIs have been leveraged by threat actors to develop and distribute malware.

The technical action taken against threat actors abusing Cobalt Strike and Microsoft software includes disrupting the infrastructure used by the attackers, such as domains and hosting servers. This was achieved through a court order issued on March 31 by a New York district court. 

ISPs and CERTs helped Microsoft and Fortra take down attacker infrastructure and block the hackers’ access to infected devices.

Advertisement. Scroll to continue reading.

Malicious infrastructure used for these attacks was identified in countries such as the United States, Russia, and China. 

The lawsuit filed by Microsoft, Fortra and Health-ISAC names 16 John Does as plaintiffs. While their real identities are not known, the complaint reveals that they are members of the Conti, BlackCat and LockBit ransomware groups, initial access brokers, and members of the Evil Corp cybercrime group.  

“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm,” said Amy Hogan-Burney, GM of Microsoft’s Digital Crimes Unit. 

Microsoft and Fortra’s actions come just months after Google announced the release of Yara rules and a VirusTotal Collection to help detect malicious use of Cobalt Strike.

Related: Healthcare Organizations Warned of Royal Ransomware Attacks

Related: New Tool Made by Microsoft and Mitre Emulates Attacks on Machine Learning Systems

Related: Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...