Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS


Posted on August 14, 2025 by CWS

Aug 14, 2025Ravie LakshmananThreat Intelligence / Linux
Japan’s CERT coordination heart (JPCERT/CC) on Thursday revealed it noticed incidents that concerned using a command-and-control (C2) framework referred to as CrossC2, which is designed to increase the performance of Cobalt Strike to different platforms like Linux and Apple macOS for cross-platform system management.
The company mentioned the exercise was detected between September and December 2024, focusing on a number of nations, together with Japan, primarily based on an evaluation of VirusTotal artifacts.
“The attacker employed CrossC2 in addition to different instruments resembling PsExec, Plink, and Cobalt Strike in makes an attempt to penetrate AD. Additional investigation revealed that the attacker used customized malware as a loader for Cobalt Strike,” JPCERT/CC researcher Yuma Masubuchi mentioned in a report revealed as we speak.
The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is able to executing varied Cobalt Strike instructions after establishing communication with a distant server specified within the configuration.
Within the assaults documented by JPCERT/CC, a scheduled job arrange by the risk actor on the compromised machine is used to launch the respectable java.exe binary, which is then abused to sideload ReadNimeLoader (“jli.dll”).

Written in the Nim programming language, the loader extracts the content of a text file and executes it directly in memory so as to avoid leaving traces on disk. This loaded content is an open-source shellcode loader dubbed OdinLdr, which ultimately decodes the embedded Cobalt Strike Beacon and runs it, also in memory.
ReadNimeLoader also incorporates various anti-debugging and anti-analysis techniques that are designed to prevent OdinLdr from being decoded unless the route is clear.
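Defenders can hunt for the java.exe sideloading of jli.dll described above in Sysmon image-load (Event ID 7) telemetry. The sketch below is an added example, not code from JPCERT/CC or the original article; the trusted install roots, host names and events are constructed assumptions.

```python
import ntpath

# Assumption: directories where a managed Java runtime is installed.
TRUSTED_JAVA_ROOTS = (r"c:\program files\java", r"c:\program files\eclipse adoptium")

# Constructed Sysmon Event ID 7 (ImageLoad) records, not data from the report.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Computer": "ws02", "Image": r"C:\ProgramData\upd\java.exe",
     "ImageLoaded": r"C:\ProgramData\upd\jli.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Computer": "ws03", "Image": r"C:\Program Files\Java\jre1.8.0_401\bin\java.exe",
     "ImageLoaded": r"C:\Program Files\Java\jre1.8.0_401\bin\jli.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
    {"Computer": "ws04", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def under_trusted_root(path):
    # normpath collapses "..", so path traversal cannot fake a trusted prefix.
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(root + "\\") for root in TRUSTED_JAVA_ROOTS)

def assess(event):
    """Return the reasons a java.exe -> jli.dll image load looks like sideloading."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if ntpath.basename(image).lower() != "java.exe" or ntpath.basename(loaded).lower() != "jli.dll":
        return []
    reasons = []
    if not under_trusted_root(image):
        reasons.append("java.exe outside trusted install roots")
    if not under_trusted_root(loaded):
        reasons.append("jli.dll outside trusted install roots")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("jli.dll signature not valid")
    return reasons

def hunt(events):
    """Map each host with a suspicious load to the reasons it was flagged."""
    return {e["Computer"]: r for e in events if (r := assess(e))}

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Correlating flagged hosts with scheduled-task creation events narrows results further, since the report ties the java.exe launch to a scheduled task.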

JPCERT/CC said the attack campaign shares some level of overlap with BlackSuit/Black Basta ransomware activity reported by Rapid7 back in June 2025, citing overlaps in the command-and-control (C2) domain used and similarly-named files.
Another notable aspect is the presence of several ELF versions of SystemBC, a backdoor that often acts as a precursor to the deployment of Cobalt Strike and ransomware.
“While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network,” Masubuchi said.
“Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required.”
