top of page
  • Admin

Google Helps Foil Cobalt Strike Attacks

Published: February 05, 2023 on our newsletter Security Fraud News & Alerts Newsletter.

Many organizations help fortify their cyber defenses using something called Cobalt Attack. This tool helps to provide a simulated threat actor (think penetration test) to test the soundness of their cyber defenses. However, such assessments using Cobalt Attack, which ideally provides teams with a valuable assessment tool, can become the chosen tool of real threat actors. That’s the bad news.

But there is some good news, fortunately. We’ll get to that shortly.

So, over the years Cobalt Strike has still been cracked using leaked versions of the product. These unauthorized versions are as powerful and useful as licensed versions, but often are used against legitimate organizations. Hence the need to figure out how to swoop in and find the bad guys before they can foil your cyber-secure plans.

But in comes our hero, Google. The Google Cloud Threat Intelligence research and applications team took this threat extremely seriously and proceeded to analyze 34 cracked versions (every version they could find) of the Cobalt Strike tool. The team looked for unique stagers, beacons, and attack templates, and then developed a set of detection rules (YARA rules) to determine which versions may potentially be used maliciously.

Penetration tests are great tools to help an organization find out potential weaknesses in their perimeter security. The threat actors know this, so chose a popular tool used for this exact purpose, hoping to slip invisibly past the defenses.

The result of Google’s heroic efforts includes a set of 165 YARA rules. These rules are a collection of community signatures that have been open-sourced so that those in charge of the organization’s cybersecurity, as well as cybersecurity researchers and professionals can make use of them to help detect malicious actors.

It’s unclear what YARA truly stands for, as the creator isn’t forthcoming. However, according to legend, it stands for “Yet Another Ridiculous Acronym.” Keep that in your pocket. You never know when you might need it.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at


bottom of page