Japan’s CERT coordination heart (JPCERT/CC) on Thursday revealed it noticed incidents that concerned the usage of a command-and-control (C2) framework referred to as CrossC2, which is designed to increase the performance of Cobalt Strike to different platforms like Linux and Apple macOS for cross-platform system management.
The company stated the exercise was detected between September and December 2024, focusing on a number of nations, together with Japan, based mostly on an evaluation of VirusTotal artifacts.
“The attacker employed CrossC2 in addition to different instruments corresponding to PsExec, Plink, and Cobalt Strike in makes an attempt to penetrate AD. Additional investigation revealed that the attacker used customized malware as a loader for Cobalt Strike,” JPCERT/CC researcher Yuma Masubuchi stated in a report printed at this time.
The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is able to executing numerous Cobalt Strike instructions after establishing communication with a distant server specified within the configuration.
Within the assaults documented by JPCERT/CC, a scheduled job arrange by the risk actor on the compromised machine is used to launch the reputable java.exe binary, which is then abused to sideload ReadNimeLoader (“jli.dll”).
Written within the Nim programming language, the loader extracts the content material of a textual content file and executes it immediately in reminiscence in order to keep away from leaving traces on disk. This loaded content material is an open-source shellcode loader dubbed OdinLdr, which in the end decodes the embedded Cobalt Strike Beacon and runs it, additionally in reminiscence.
ReadNimeLoader additionally incorporates numerous anti-debugging and anti-analysis strategies which can be designed to stop OdinLdr from being decoded until the route is evident.
JPCERT/CC stated the assault marketing campaign shares some stage of overlap with BlackSuit/Black Basta ransomware exercise reported by Rapid7 again in June 2025, citing overlaps within the command-and-control (C2) area used and similarly-named information.
One other notable side is the presence of a number of ELF variations of SystemBC, a backdoor that always acts as a precursor to the deployment of Cobalt Strike and ransomware.
“Whereas there are quite a few incidents involving Cobalt Strike, this text centered on the actual case during which CrossC2, a device that extends Cobalt Strike Beacon performance to a number of platforms, was utilized in assaults, compromising Linux servers inside an inside community,” Masubuchi stated.
“Many Linux servers would not have EDR or related programs put in, making them potential entry factors for additional compromise, and thus, extra consideration is required.”
