Dive Brief:
- Fortra's Cobalt Strike has long been a weapon of choice for cybercriminals and nation-state threat actors, who frequently use cracked copies of the red-teaming tool to establish command-and-control (C2) communications and persistent access inside victim environments.
- Fortra, Microsoft's Digital Crimes Unit (DCU) and Health Information Sharing and Analysis Center (Health-ISAC) formed a partnership two years ago to reduce malicious activity stemming from Cobalt Strike. Those efforts have cut the number of unauthorized copies in the wild by 80%, Fortra said in a blog post Friday.
- The partnership is one of many collaborative efforts from the cybersecurity industry and law enforcement agencies in recent years that have focused on curbing abuse of Cobalt Strike, which has been a particularly popular tool for ransomware gangs.
Dive Insight:
Attackers such as ransomware actors favor Cobalt Strike because the red-team tool can help them evade detection. Additionally, it can be difficult for enterprise security teams to distinguish illicit use of Cobalt Strike from authorized use by an approved penetration-testing or red team operating within their own network.
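One practical way to make that distinction is to treat every observed beacon as unauthorized unless it matches an approved engagement on all three of: the licence watermark that a team server embeds in the beacons it builds, the C2 host the beacon calls back to, and the engagement's time window. The following is an added example, not code from the article, Fortra, Microsoft or any named project; it assumes a beacon-configuration extraction step has already produced the watermark and C2 host for each observation, and every engagement record, hostname, watermark value and timestamp below is constructed for illustration.

```python
"""Triage observed Cobalt Strike beacons against approved red-team engagements.

Added example (not from the article or any vendor). Assumes an upstream
beacon-config extractor has produced the watermark and C2 host per observation.
All engagement records and observations below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Engagement:
    """An approved red-team engagement: who may beacon, to where, and when."""
    name: str
    watermark: int            # licence watermark baked into beacons by the approved team server
    c2_hosts: frozenset       # approved team-server / redirector hostnames
    start: datetime
    end: datetime


@dataclass(frozen=True)
class BeaconObservation:
    """One beacon seen on an endpoint, as reported by the config extractor (assumed)."""
    host: str
    watermark: int
    c2_host: str
    seen_at: datetime


def classify(obs: BeaconObservation, engagements) -> tuple:
    """Return (verdict, detail). 'authorized' only when watermark, C2 host and
    timestamp all match a single approved engagement; otherwise explain the
    first mismatch found so an analyst can see why it was flagged."""
    partial = None
    for e in engagements:
        if obs.watermark != e.watermark:
            continue
        if obs.c2_host not in e.c2_hosts:
            # Right licence, wrong infrastructure: could be a leaked/cloned build
            partial = partial or ("unauthorized",
                                  f"watermark matches '{e.name}' but C2 host {obs.c2_host} is not approved")
            continue
        if not (e.start <= obs.seen_at <= e.end):
            # Right licence and infrastructure, but outside the agreed window
            partial = partial or ("unauthorized",
                                  f"matches '{e.name}' but seen outside its engagement window")
            continue
        return ("authorized", e.name)
    return partial or ("unauthorized",
                       f"watermark {obs.watermark} belongs to no approved engagement")


def triage(observations, engagements) -> list:
    """Classify every observation; returns (host, verdict, detail) rows."""
    return [(o.host,) + classify(o, engagements) for o in observations]


# Constructed sample data: one approved engagement and four observations.
ENGAGEMENTS = [
    Engagement(
        name="Q3 internal red team",
        watermark=1122334455,
        c2_hosts=frozenset({"rt-redirector.example.net"}),
        start=datetime(2025, 9, 1, tzinfo=UTC),
        end=datetime(2025, 9, 30, 23, 59, tzinfo=UTC),
    ),
]

SAMPLE = [
    BeaconObservation("ws-0142", 1122334455, "rt-redirector.example.net",
                      datetime(2025, 9, 12, 10, 5, tzinfo=UTC)),          # authorized
    BeaconObservation("ws-0207", 305419896, "cdn-update.example.org",
                      datetime(2025, 9, 12, 10, 7, tzinfo=UTC)),          # unknown watermark
    BeaconObservation("srv-db01", 1122334455, "files-sync.example.org",
                      datetime(2025, 9, 13, 2, 40, tzinfo=UTC)),          # approved licence, wrong C2
    BeaconObservation("ws-0311", 1122334455, "rt-redirector.example.net",
                      datetime(2025, 10, 3, 8, 0, tzinfo=UTC)),           # after engagement ended
]

if __name__ == "__main__":
    for row in triage(SAMPLE, ENGAGEMENTS):
        print(row)
```

The design choice to require all three attributes matters: a cracked or cloned build can carry a watermark that looks legitimate, and a legitimate team server can be abused after an engagement closes, so a watermark allowlist on its own is not enough to call a beacon "ours".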
The partnership between Fortra, Microsoft DCU and Health-ISAC seized and sinkholed more than 200 domains associated with malicious Cobalt Strike activity. Bob Erdman, associate vice president of research and development at Fortra, told Cybersecurity Dive that the domains were "generally under U.S. jurisdiction," as the takedowns were executed through the U.S. judicial system.
Fortra also said the partnership reduced what it calls "dwell time" for malicious Cobalt Strike activity: here, the time between the initial detection of a server running an unauthorized version and the takedown of that server, rather than the incident-response sense of how long an intruder persists in a victim network. By that measure, dwell time fell to less than one week in the U.S. and less than two weeks worldwide.
"In large part we attribute this reduction in time to the processes and automation of identification, verification and takedown notice to hosting providers that have been built between Fortra, Microsoft and our partners," Erdman said via email.
Last year, Fortra assisted with Operation Morpheus, an international law enforcement effort that took action against IP addresses associated with malicious Cobalt Strike activity. The operation flagged 690 IP addresses in 27 countries and took down 593 of them. In 2022, Google published a set of YARA rules to help organizations detect the illicit Cobalt Strike versions used by attackers.