Fortra and Microsoft Cut Malicious Cobalt Strike Use by 80%

Fortra’s Cobalt Strike has long been a favored tool among cybercriminals and nation-state actors, who frequently exploit cracked versions to establish command-and-control communications and maintain persistent access within compromised environments. However, a collaborative effort between Fortra, Microsoft’s Digital Crimes Unit (DCU), and the Health Information Sharing and Analysis Center (Health-ISAC) has significantly reduced the presence of unauthorized copies in circulation. According to Fortra, their initiative has led to an 80% decrease in malicious Cobalt Strike activity.

This partnership is part of a broader trend in the cybersecurity industry, where collaboration between private sector entities and law enforcement agencies aims to curb the misuse of offensive security tools. Cobalt Strike, originally designed for legitimate penetration testing and red team exercises, is often exploited by ransomware groups due to its ability to evade detection. Security teams frequently struggle to differentiate between its legitimate use and unauthorized deployment by threat actors.

Through coordinated efforts, Fortra, Microsoft, and Health-ISAC have successfully seized and sinkholed over 200 domains linked to malicious Cobalt Strike activity. Most of these takedowns occurred within U.S. jurisdiction, facilitated through the U.S. judicial system. Additionally, the initiative has reduced the “dwell time”—the period between identifying an unauthorized Cobalt Strike server and taking it offline. In the U.S., dwell time has dropped to less than a week, while globally, it now takes under two weeks to disable such threats.

Fortra credits these improvements to enhanced processes and automation, which streamline the identification, verification, and removal of malicious servers through cooperation with hosting providers. Their efforts build upon previous crackdowns, including Operation Morpheus, an international law enforcement action that targeted IP addresses involved in Cobalt Strike abuse. The operation flagged 690 IPs across 27 countries, successfully taking down 593 of them. Furthermore, Google has contributed to the fight against Cobalt Strike misuse by releasing YARA rules in 2022 to help organizations detect unauthorized versions used by attackers.

The ongoing fight against the illicit use of Cobalt Strike highlights the importance of industry-wide collaboration and rapid response mechanisms. By continuing to refine detection techniques and strengthen partnerships, cybersecurity defenders can mitigate the risks posed by adversaries who weaponize legitimate security tools.

Source: Cybersecurity Dive

The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.