Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon's Reach to Linux and macOS


Aug 14, 2025 | Ravie Lakshmanan | Threat Intelligence / Linux

Japan's CERT Coordination Center (JPCERT/CC) on Thursday revealed that it observed incidents involving the use of a command-and-control (C2) framework called CrossC2, which is designed to extend the functionality of Cobalt Strike to other platforms such as Linux and Apple macOS for cross-platform system control.

The agency said the activity was detected between September and December 2024, targeting multiple countries, including Japan, based on an analysis of VirusTotal artifacts.

"The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware as a loader for Cobalt Strike," JPCERT/CC researcher Yuma Masubuchi said in a report published today.

The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is capable of executing various Cobalt Strike commands after establishing communication with a remote server specified in its configuration.

In the attacks documented by JPCERT/CC, a scheduled task set up by the threat actor on the compromised machine is used to launch the legitimate java.exe binary, which is then abused to sideload ReadNimeLoader ("jli.dll").

Written in the Nim programming language, the loader extracts the contents of a text file and executes them directly in memory so as to avoid leaving traces on disk. This loaded content is an open-source shellcode loader dubbed OdinLdr, which ultimately decodes the embedded Cobalt Strike Beacon and runs it, also in memory.
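A defender-side check for the sideloading chain described in the two paragraphs above (a scheduled task launching a legitimate java.exe, which then loads a malicious jli.dll), added here as an example and not taken from the JPCERT/CC report or any of its tooling. The event records are constructed by hand and loosely modelled on Sysmon image-load telemetry; the field names, the allow-list of trusted Java install directories and the Task Scheduler parent-process names are all assumptions for the example, not an official schema.

```python
"""Hunt for java.exe loading jli.dll from outside a trusted Java install tree.

Constructed example. The event shape and the allow-list below are assumptions
made for this script; adapt them to the telemetry and software baseline of
the estate you defend.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a legitimate Java runtime is expected to live under (assumption).
TRUSTED_JAVA_DIRS = (
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
    r"C:\Program Files\Eclipse Adoptium",
)

# Processes that host scheduled-task launches on Windows (assumption for the example).
TASK_SCHEDULER_HOSTS = {"svchost.exe", "taskeng.exe"}


@dataclass
class ImageLoadEvent:
    process_image: str  # full path of the process that loaded the DLL
    image_loaded: str   # full path of the DLL that was loaded
    signed: bool        # whether the DLL carried a valid Authenticode signature
    parent_image: str   # full path of the loading process's parent


def under_trusted_dir(path: str) -> bool:
    """True if `path` sits below one of the allow-listed Java directories."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(d)) for d in TRUSTED_JAVA_DIRS)


def classify(ev: ImageLoadEvent) -> list[str]:
    """Return the reasons this event matches the reported sideload pattern.

    An empty list means the event is either unrelated or looks benign.
    """
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    if proc.name.lower() != "java.exe" or dll.name.lower() != "jli.dll":
        return []

    reasons: list[str] = []
    # A copied java.exe outside the normal install tree is the first tell.
    if not under_trusted_dir(ev.process_image):
        reasons.append("java.exe outside trusted Java directory")
    # jli.dll loaded from anywhere other than the JRE's own bin folder.
    if not under_trusted_dir(ev.image_loaded):
        reasons.append("jli.dll outside trusted Java directory")
    # The legitimate jli.dll shipped with a JRE is signed; a dropped one is not.
    if not ev.signed:
        reasons.append("jli.dll unsigned")
    # The report describes launch via a scheduled task, so note that parent.
    if PureWindowsPath(ev.parent_image).name.lower() in TASK_SCHEDULER_HOSTS:
        reasons.append("launched by Task Scheduler host")
    return reasons


def hunt(events: list[ImageLoadEvent]) -> list[tuple[ImageLoadEvent, list[str]]]:
    """Return every event that produced at least one reason, with its reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one benign load, one matching the report's chain,
# one unrelated process.
SAMPLE_EVENTS = [
    ImageLoadEvent(
        process_image=r"C:\Program Files\Java\jre-17\bin\java.exe",
        image_loaded=r"C:\Program Files\Java\jre-17\bin\jli.dll",
        signed=True,
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ImageLoadEvent(
        process_image=r"C:\ProgramData\Update\java.exe",
        image_loaded=r"C:\ProgramData\Update\jli.dll",
        signed=False,
        parent_image=r"C:\Windows\System32\svchost.exe",
    ),
    ImageLoadEvent(
        process_image=r"C:\Windows\System32\notepad.exe",
        image_loaded=r"C:\Windows\System32\ntdll.dll",
        signed=True,
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.process_image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

Run as-is it reports only the second sample event, with all four reasons. The allow-list approach is deliberately simple: a mature version would key off the signer of java.exe itself and the hash of the bundled jli.dll rather than install paths, since an attacker can drop both files anywhere the scheduled task can reach.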

ReadNimeLoader also incorporates various anti-debugging and anti-analysis techniques that are designed to prevent OdinLdr from being decoded unless the coast is clear.

JPCERT/CC said the attack campaign shares some degree of overlap with BlackSuit/Black Basta ransomware activity reported by Rapid7 back in June 2025, citing overlaps in the command-and-control (C2) domain used and similarly named files.

Another notable aspect is the presence of multiple ELF versions of SystemBC, a backdoor that often acts as a precursor to the deployment of Cobalt Strike and ransomware.

"While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network," Masubuchi said.

"Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required."
