article featured image


Security researchers discovered an unauthorized Cobalt Strike Beacon Linux version used in attacks against companies all across the world.

Cobalt Strike is a legitimate penetration testing tool created as an attack framework for red teams (security professionals who act as attackers against their own organization’s infrastructure in an attempt to find security flaws and vulnerabilities.)

Cobalt Strike is also used by threat actors for post-exploitation activities after distributing so-called beacons, which allow continuous remote access to compromised devices (often exploited in ransomware campaigns).

Attackers can afterward utilize beacons to connect directly to compromised systems and gather data or distribute further malware payloads.

What Happened?

In time, threat actors obtained and disseminated cracked versions of Cobalt Strike, making it one of the most prevalent tools used in assaults involving data theft and ransomware.

Cobalt Strike has always had a flaw: it only works with Windows devices and does not support Linux beacons.

Researchers describe how threat actors have taken it upon themselves to make their Linux beacons compatible with Cobalt Strike in a new study from security firm Intezer.

The threat actors may now acquire permanence and remote command execution on both Windows and Linux devices by using these beacons.

The Cobalt Strike ELF binary found by Intezer researchers, who first saw the beacon re-implementation in August and called it Vermilion Strike, is currently undetectable by anti-malware solutions.

Vermilion Strike uses the same configuration format as the official Windows beacon and can communicate with all Cobalt Strike servers.

Technical similarities (the same functionality and command-and-control servers) between this new Linux virus and Windows DLL files point to the same creator.

The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files.The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.


Vermilion Strike is apparently able to perform the following tasks once deployed on a compromised Linux system:

  • Change working directory
  • Get current working directory
  • Append/write to file
  • Upload file to C2
  • Execute command via popen
  • Get disk partitions
  • List files

Vermilion Strike Attacks Started in August 2021

Intezer identified multiple organizations targeted using Vermilion Strike since August 2021 using telemetry data provided by McAfee Enterprise ATR, ranging from telecom companies and government agencies to IT companies, financial institutions, and consultancy firms around the world.

Vermilion Strike isn’t the first or only conversion of Cobalt Strike’s Beacon to Linux, as geacon, an open-source Go-based equivalent, has been publicly accessible for the last two years.

This is the first Linux implementation that has been utilized for genuine assaults.

The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor.


Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo