August 14, 2025 – Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) has disclosed a series of cyber incidents where attackers deployed CrossC2, a command-and-control (C2) framework capable of extending Cobalt Strike Beacon’s capabilities beyond Windows, targeting Linux and Apple macOS environments.
According to JPCERT/CC, the activity took place between September and December 2024, affecting multiple countries, including Japan. Analysis of artifacts uploaded to VirusTotal revealed that the attackers combined CrossC2 with other tools such as PsExec, Plink, and Cobalt Strike to breach Active Directory (AD) environments.
A key component of the campaign was a custom Cobalt Strike Beacon loader, dubbed ReadNimeLoader, written in the Nim programming language. It was delivered through DLL sideloading: a legitimate java.exe was launched and loaded a malicious jli.dll (the loader) placed alongside it, so the malicious code ran under the cover of a legitimate process. ReadNimeLoader then decoded and executed an open-source shellcode loader known as OdinLdr entirely in memory, and OdinLdr in turn decoded and ran the embedded Cobalt Strike Beacon without writing it to disk.
JPCERT/CC also noted that ReadNimeLoader includes anti-debugging and anti-analysis checks, so that OdinLdr is decoded only when the loader believes it is not being inspected, which complicates both automated detection and manual analysis.
Links to Ransomware Operations
JPCERT/CC’s investigation uncovered overlaps between this campaign and BlackSuit/Black Basta ransomware operations, as reported by Rapid7 in June 2025. Similarities included the use of the same C2 domains and similarly named files.
The campaign also involved ELF variants of SystemBC, a backdoor often deployed before Cobalt Strike and ransomware infections, further indicating a sophisticated multi-stage intrusion strategy.
The CrossC2 Risk to Linux Servers
CrossC2's cross-platform support lets adversaries reuse the same Beacon tooling and C2 infrastructure across Windows, Linux and macOS. JPCERT/CC highlighted Linux servers as attractive targets because they frequently run without Endpoint Detection and Response (EDR) coverage; once compromised, they provide a foothold for lateral movement and deeper compromise of the internal network.
“While Cobalt Strike remains a widely abused tool, this case stands out for its use of CrossC2 to compromise Linux servers in internal environments,” noted JPCERT/CC researcher Yuma Masubuchi. “Linux systems require greater security attention due to their frequent lack of monitoring and defensive measures.”
Key Takeaways for Organizations
- Implement EDR or equivalent monitoring on Linux and macOS systems, not just Windows.
- Regularly audit scheduled tasks, and watch for legitimate binaries being abused, such as a trusted executable loading an unexpected DLL from a user-writable directory.
- Watch for unusual network connections to known C2 infrastructure.
- Maintain up-to-date threat intelligence to identify cross-platform attack patterns.
The campaign underscores that adversaries now use cross-platform C2 frameworks to reach systems that traditional, Windows-centric defenses do not cover, so monitoring and response must extend to every platform in the environment.
Source: https://thehackernews.com/2025/08/researchers-warn-crossc2-expands-cobalt.html