Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS

Aug 14, 2025Ravie LakshmananThreat Intelligence / Linux

Japan’s CERT coordination center (JPCERT/CC) on Thursday revealed it observed incidents that involved the use of a command-and-control (C2) framework called CrossC2, which is designed to extend the functionality of Cobalt Strike to other platforms like Linux and Apple macOS for cross-platform system control.

The agency said the activity was detected between September and December 2024, targeting multiple countries, including Japan, based on an analysis of VirusTotal artifacts.

“The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware as a loader for Cobalt Strike,” JPCERT/CC researcher Yuma Masubuchi said in a report published today.

The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is capable of executing various Cobalt Strike commands after establishing communication with a remote server specified in the configuration.

In the attacks documented by JPCERT/CC, a scheduled task set up by the threat actor on the compromised machine is used to launch the legitimate java.exe binary, which is then abused to sideload ReadNimeLoader (“jli.dll”).

Written in the Nim programming language, the loader extracts the content of a text file and executes it directly in memory so as to avoid leaving traces on disk. This loaded content is an open-source shellcode loader dubbed OdinLdr, which ultimately decodes the embedded Cobalt Strike Beacon and runs it, also in memory.

ReadNimeLoader also incorporates various anti-debugging and anti-analysis techniques that are designed to prevent OdinLdr from being decoded unless the route is clear.

JPCERT/CC said the attack campaign shares some level of overlap with BlackSuit/Black Basta ransomware activity reported by Rapid7 back in June 2025, citing overlaps in the command-and-control (C2) domain used and similarly-named files.

Another notable aspect is the presence of several ELF versions of SystemBC, a backdoor that often acts as a precursor to the deployment of Cobalt Strike and ransomware.

“While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network,” Masubuchi said.

“Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!