Cobalt Strike - S0154
Essential information
- Confidence
- 100/100
- Is family
- No
- Published
- 20/12/2025 19:32
- Modified
- 27/05/2026 21:40
- Revoked
- No
- Author / Source
- AlienVault
- Related entities
- 58 attack patterns (mitre), 2 intrusion sets (apt), 14 sectors, 11 countries, 99 indicators, 18 vulnerabilities (cve), 79 reports
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (58)
-
T1203 usesExploitation for Client Execution MITRE
-
T1039 usesData from Network Shared Drive MITRE
-
T1078 usesValid Accounts MITRE
-
T1012 usesQuery Registry MITRE
-
T1222.001 usesWindows File and Directory Permissions Modification MITRE
-
T1543.003 usesWindows Service MITRE
-
T1132.002 usesNon-Standard Encoding MITRE
-
T1027.005 usesIndicator Removal from Tools MITRE
-
T1566.002 usesSpearphishing Link MITRE
-
T1036.001 usesInvalid Code Signature MITRE
-
T1471 MITRE
-
TA0001 uses
Intrusion sets (APT) (2)
-
BlackSuit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Baxia usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (14)
-
Business Services targets
-
Education targets
-
Legal consulting targets
-
Road transport targets
-
Telecommunications targets
-
Multimedia targets
-
Commercial Facilities targets
-
Critical Manufacturing targets
-
Professional and scientific services targets
-
Manufacturing targets
-
Consulting targets
-
Technology targets
Countries (11)
-
North Macedonia targets
-
Papua New Guinea targets
-
Sri Lanka targets
-
Czechia targets
-
United States of America targets
-
Mongolia targets
-
Germany targets
-
Namibia targets
-
Japan targets
-
Hong Kong targets
-
Kazakhstan targets
Indicators (99)
-
stix 100/100 Revoked· Valid until 19/10/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 14/06/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 18/05/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 06/12/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 20/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 16/02/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 20/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 04/03/2026 · Source: AlienVault
-
stix 100/100· Valid until 15/11/2026 · Source: AlienVault
Vulnerabilities (CVE) (18)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary …
- Attack vector
- Network
- Published
- 30/10/2025
- Modified
- 28/01/2026
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 11/12/2013
- Modified
- 22/04/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …
- Attack vector
- NETWORK
- Published
- 11/12/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector
- Network
- Published
- 19/07/2023
- Modified
- 27/05/2026
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes …
- Attack vector
- NETWORK
- Published
- 03/11/2025
- Modified
- 07/02/2026
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.
- Published
- 10/01/2022
- Modified
- 20/12/2025
Reflected Cross-Site Scripting (XSS)
- Attack vector
- NETWORK
- Published
- 19/07/2023
- Modified
- 21/12/2025
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing …
- Attack vector
- Network
- Published
- 31/03/2025
- Modified
- 28/01/2026
Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
- Attack vector
- Network
- Published
- 25/03/2024
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
- Published
- 03/11/2021
- Modified
- 20/12/2025
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …
- Attack vector
- Network
- Published
- 07/11/2024
- Modified
- 21/12/2025
Reports (79)
-
3 Malwares 34 Observables 1 APT
-
13 MITREs 9 Malwares 7 Observables 1 APT
-
16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
-
1 CVE 5 MITREs 13 Malwares 12 Observables
-
2 CVEs 12 MITREs 1 Malware 60 Observables
-
11 MITREs 4 Malwares 34 Observables 1 APT
-
2 CVEs 14 MITREs 3 Malwares 9 Observables 1 APT
-
19 MITREs 3 Malwares 17 Observables 1 APT
-
14 MITREs 6 Malwares 2 Observables 1 APT
-
25 MITREs 4 Malwares 1 APT
-
1 CVE 21 MITREs 3 Malwares 37 Observables 1 APT
-
14 MITREs 1 Malware 1 APT