JPCERT/CC observed incidents involving the CrossC2 framework, which extends Cobalt Strike functionality to Linux and macOS. Detected between September and December 2024, the activity targeted multiple countries. The attacker employed CrossC2 alongside tools like PsExec and Cobalt Strike, utilizing a bespoke loader named ReadNimeLoader. This loader, written in Nim, sideloads another open-source shellcode loader, OdinLdr, to run commands in memory while avoiding detection. The campaign shares similarities with previous ransomware activities, particularly overlapping command-and-control domains.
Japan's CERT coordination center (JPCERT/CC) observed incidents involving the CrossC2 framework, which extends Cobalt Strike functionality to Linux and macOS systems.
The attacks targeted multiple countries, including Japan. The attacker used a unique loader called ReadNimeLoader to execute custom malware.