Europol targets criminals abusing Cobalt Strike tool


Europol takes down close to 600 IP addresses after launching an operation targeting criminals using the Cobalt Strike pen-testing tool to infiltrate victim IT systems.

A joint effort between Europol authorities and the private sector has successfully taken down hundreds of unlicensed versions of Forta’s Cobalt Strike red teaming tool.

Cobalt Strike is designed to help legitimate IT security experts perform attack simulations that identify weaknesses in security operations and incident responses, Europol states.

Yet, Europol authorities say unlicensed versions of Cobalt Strike have been “connected to multiple malware and ransomware investigations, including those into RYUK, Trickbot and Conti.”

Threat actors are reported to have “cracked copies of the testing tools to gain backdoor access to machines and deploy malware.”

The four-day operation, known as Operation MORPHEUS, was launched on June 24th and involved the UK National Crime Agency, and authorities from Australia, Canada, Germany, the Netherlands, Poland and the US.

Europol said 593 IP addresses were taken down out of a total of 690 IP addresses originally flagged as part of the operation which spread across 27 nations. .

The IP addresses were linked to a range of domain names used by hacker groups for online service providers to disable unlicensed versions of the tool, Europol said.

The operation specifically targeted unlicensed versions of the Cobalt Strike red teaming tool.

Europol said the action marks the culmination of a complex investigation initiated in 2021.

Fortra, the company behind Cobalt Strike said it has taken major steps working with law enforcement aimed at preventing abuse of Cobalt trike software its tools.