COBEACON
COBEACON is malware identified in the provided content as Cobalt Strike Beacon. It is used by the China-linked espionage threat actor Earth Alux, which overlaps with activity tracked as Jewelbug, CL-STA-0049, and REF7707. In the described intrusions, Earth Alux used COBEACON alongside tools such as VARGEIT, RAILLOAD, and RAILSETTER to establish persistence, steal credentials, and maintain command and control. The activity targeted government, technology, logistics, manufacturing, telecommunications, IT services, and retail organizations, primarily in the Asia-Pacific and Latin American regions. The broader intrusion tradecraft associated with these operations included initial access via webshells, use of renamed legitimate binaries such as cdb.exe disguised as fontdrvhost.exe to execute shellcode, process injection into legitimate Windows processes including MSPaint, calc.exe, and notepad.exe, DLL side-loading, browser credential theft, and exfiltration of compressed sensitive data to cloud storage buckets. High-confidence detection opportunities mentioned in the content include unusual process paths, suspicious DLL loading, credential access behavior, and abnormal network connections originating from trusted Windows binaries.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Earth Alux employs multiple custom tools including VARGEIT, RAILLOAD, RAILSETTER, and COBEACON to establish persistence, steal credentials, and maintain command and control.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Credential Access
1 techniqueEarth Alux employs multiple custom tools including VARGEIT, RAILLOAD, RAILSETTER, and COBEACON to establish persistence, steal credentials, and maintain command and control.
Command and Control
2 techniquesCommand and Control T1071: Application Layer Protocol
"China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions"
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware used in multi-stage intrusions attributed to the China-linked actor Earth Alux.
Penetration testing tool often abused as a backdoor for command and control, lateral movement, and post-exploitation activities.
Custom malware/tool used by Earth Alux for command-and-control and persistent access during espionage operations.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.