Cobalt Strike - S0154
Essential information
- Confidence
- 100/100
- Is family
- No
- Published
- 20/12/2025 19:32
- Modified
- 27/05/2026 21:40
- Revoked
- No
- Author / Source
- AlienVault
- Related entities
- 58 attack patterns (mitre), 2 intrusion sets (apt), 14 sectors, 11 countries, 99 indicators, 18 vulnerabilities (cve), 79 reports
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (58)
-
T1036 usesMasquerading MITRE
-
T1555.003 usesCredentials from Web Browsers MITRE
-
T1566.001 usesSpearphishing Attachment MITRE
-
T1588.001 usesMalware MITRE
-
TA0008 uses
-
T1082 usesSystem Information Discovery MITRE
-
T1592 usesGather Victim Host Information MITRE
-
TA0006 uses
-
T1583 usesAcquire Infrastructure MITRE
-
T1053.005 usesScheduled Task MITRE
-
T1086 uses
-
T1129 usesShared Modules MITRE
Intrusion sets (APT) (2)
-
BlackSuit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Baxia usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (14)
-
Air transport targets
-
Technology Hardware targets
Countries (11)
-
North Macedonia targets
-
Papua New Guinea targets
-
Sri Lanka targets
-
Czechia targets
-
United States of America targets
-
Mongolia targets
-
Germany targets
-
Namibia targets
-
Japan targets
-
Hong Kong targets
-
Kazakhstan targets
Indicators (99)
-
stix 100/100 Revoked· Valid until 19/10/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 14/06/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 18/05/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 06/12/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 20/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 16/02/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 20/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 04/03/2026 · Source: AlienVault
-
stix 100/100· Valid until 15/11/2026 · Source: AlienVault
Vulnerabilities (CVE) (18)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary …
- Attack vector
- Network
- Published
- 30/10/2025
- Modified
- 28/01/2026
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 11/12/2013
- Modified
- 22/04/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …
- Attack vector
- NETWORK
- Published
- 11/12/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector
- Network
- Published
- 19/07/2023
- Modified
- 27/05/2026
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes …
- Attack vector
- NETWORK
- Published
- 03/11/2025
- Modified
- 07/02/2026
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.
- Published
- 10/01/2022
- Modified
- 20/12/2025
Reflected Cross-Site Scripting (XSS)
- Attack vector
- NETWORK
- Published
- 19/07/2023
- Modified
- 21/12/2025
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing …
- Attack vector
- Network
- Published
- 31/03/2025
- Modified
- 28/01/2026
Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
- Attack vector
- Network
- Published
- 25/03/2024
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
- Published
- 03/11/2021
- Modified
- 20/12/2025
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …
- Attack vector
- Network
- Published
- 07/11/2024
- Modified
- 21/12/2025
Reports (79)
-
3 Malwares 34 Observables 1 APT
-
13 MITREs 9 Malwares 7 Observables 1 APT
-
16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
-
1 CVE 5 MITREs 13 Malwares 12 Observables
-
2 CVEs 12 MITREs 1 Malware 60 Observables
-
11 MITREs 4 Malwares 34 Observables 1 APT
-
2 CVEs 14 MITREs 3 Malwares 9 Observables 1 APT
-
19 MITREs 3 Malwares 17 Observables 1 APT
-
14 MITREs 6 Malwares 2 Observables 1 APT
-
25 MITREs 4 Malwares 1 APT
-
1 CVE 21 MITREs 3 Malwares 37 Observables 1 APT
-
14 MITREs 1 Malware 1 APT