The source code of Cobalt Strike, a legitimate penetration testing toolkit used by red teams, has allegedly been leaked online. The tool is quite popular in the cybercrime world as well. Experts fear this code can be reused, updated, or enhanced by the cybercrime groups exploiting it.

What has happened?

Cobalt Strike comes with multiple capabilities and enables its users to carry out a variety of tricky intrusion-related operations. Recently, a GitHub repository was created that appeared to contain the source code for Cobalt Strike 4.0, released on December 5th, 2019. Although the source code is not the original one, it is a matter of great security concern.
  • In the allegedly leaked source code, the license check for Cobalt Strike has been removed, so anyone who compiles the code gets a cracked copy of the program.
  • The person behind this leak has manually decompiled the Java code and then fixed any dependencies.
  • So far, the repository has been forked 172 times, making it harder to stop the spread of the source code.

Recent use of this tool

  • Cobalt Strike is frequently used by cybercriminals for post-exploitation, covert communication, and browser pivoting, among other malicious purposes. This tool has become the preferred choice among ransomware operators.
  • Recently, ransomware operators used malicious fake ads for Microsoft Teams updates, along with backdoors that used Cobalt Strike. Furthermore, cybercriminals were seen exploiting vulnerable Oracle WebLogic servers to deploy Cobalt Strike beacons.


The alleged source code leak of such an offensive tool opens the door to new challenges for security agencies and analysts. Experts therefore suggest several precautionary measures, such as looking for an open port 50050/TCP or checking for the vendor's default TLS certificate. In addition, limiting admin privileges to essential users can help.
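The two checks suggested above can be combined into a simple triage over your own scan results. The following is an added example, not code from the article or from the vendor: it assumes `nmap -oG` (grepable) output as input, the function names are hypothetical, the scan lines are constructed, and the certificate fingerprint is a placeholder because the article does not give one.

```python
import hashlib
import re
import ssl

TEAM_SERVER_PORT = 50050  # port named in the article
# Placeholder (assumption): fill in from a source you trust; not in the article.
DEFAULT_CERT_SHA256 = {"<sha256-of-vendor-default-certificate>"}
PORT_FIELD = re.compile(r"(\d+)/open/tcp/")

# Constructed sample of `nmap -oG` output, not real scan data.
SAMPLE_SCAN = (
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n"
    "Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 50050/open/tcp//unknown///\n"
    "Host: 10.0.0.12 ()\tPorts: 50050/closed/tcp//unknown///\n"
    "Host: 10.0.0.20 ()\tPorts: 50050/open/tcp//unknown///\n"
)

def hosts_with_port_open(grepable, port=TEAM_SERVER_PORT):
    """Return hosts from grepable nmap output that have `port` open on TCP."""
    hits = []
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        open_ports = {int(p) for p in PORT_FIELD.findall(line.split("Ports:", 1)[1])}
        if port in open_ports:
            hits.append(host)
    return hits

def fingerprint(der_bytes):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def fetch_cert_der(host, port=TEAM_SERVER_PORT):
    """Live lookup of the certificate presented on host:port (your own hosts)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def triage(grepable, get_der=fetch_cert_der, known=DEFAULT_CERT_SHA256):
    """Rank each host listening on 50050/TCP by whether its cert is the default."""
    findings = []
    for host in hosts_with_port_open(grepable):
        try:
            fp = fingerprint(get_der(host))
        except OSError:  # includes ssl.SSLError: port open, no usable TLS
            fp = None
        findings.append((host, "default-cert" if fp in known else "port-only"))
    return findings

if __name__ == "__main__":
    print(hosts_with_port_open(SAMPLE_SCAN))
```

A `port-only` result still deserves review, since the listener may simply be using a replaced certificate.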

Cyware Publisher