BEACON
BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Across the provided reporting it appears as a widely used post-compromise implant for persistence and command-and-control, including over HTTPS and SMB named pipes, and it can be staged or loaded directly into memory by other malware. Reported behaviors include use as an HTTPS stager, in-memory execution, DLL-based deployment, SMB BEACON lateral movement, and use with malleable C2 profiles such as Safebrowsing, chches_APT10, and Havex. One source also refers to a GOVERSHELL variant named "Beacon" that could enable PowerShell command execution; the quoted text does not establish that this variant is Cobalt Strike BEACON rather than a similarly named GOVERSHELL build.
The content links BEACON to numerous threat actors and intrusion sets. Mandiant reported UNC2165 used Beacon payloads and infrastructure linked to suspected Evil Corp activity. UNC2447 used the Cobalt Strike BEACON HTTPSSTAGER implant for persistence and C2 over HTTPS during intrusions involving SOMBRAT and FIVEHANDS ransomware. UNC2198 used Cobalt Strike BEACON alongside METERPRETER, KOADIC, and PowerShell EMPIRE in ICEDID-enabled intrusions that led to MAZE and EGREGOR ransomware deployment. APT29 used Cobalt Strike BEACON, including SMB BEACON delivered by the SharedReality.dll memory-only dropper, for lateral movement and persistence in diplomatic espionage operations. APT40 used BEACON as a first-stage backdoor before downloading additional payloads. APT32/OceanLotus frequently co-deployed Cobalt Strike BEACON with custom malware families such as WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT41 used BEACON for C2 communication, including payloads loaded by DUSTPAN.
The malware is associated with multiple infection and deployment vectors in the provided material. It was delivered via WARPRISM PowerShell dropper, DUSTPAN in-memory loader, SharedReality.dll, Meterpreter, and modified Artifact Kit DLL payloads. One article describes converting beacon.dll into a proxy DLL for DLL search order hijacking / DLL proxy attacks by forwarding legitimate exports while executing the Beacon payload. Other reporting places BEACON in spear-phishing-driven espionage campaigns, ransomware intrusions following ICEDID access, exploitation of SonicWall SMA 100 CVE-2021-20016, and broader post-exploitation activity after initial compromise.
Targeting linked to BEACON in the content spans diplomatic entities, foreign governments, dissidents and journalists, consumer products, hospitality, manufacturing, engineering, transportation, defense, maritime-related organizations, and ransomware victims across North America, Europe, Asia Pacific, and South America. Known infrastructure and indicators directly mentioned include communication with 80.255.3[.]87 using a Safebrowsing malleable C2 profile; SMB BEACON over the named pipe \\.\pipe\SapIServerPipes-1-15-21-07836; and APT41 cases where DUSTPAN-loaded BEACON payloads communicated through self-managed infrastructure behind Cloudflare or via Cloudflare Workers.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity...
"GOVERSHELL has already spawned five variants, including the most recent Beacon malware that could enable PowerShell command execution."
UNC2447 uses the Cobalt Strike BEACON HTTPSSTAGER implant for persistence to communicate with command-and-control (C2) servers over HTTPS...
UNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE offensive security tools during this phase as well.
Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the Safebrowsing malleable C2 profile.
First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.
“The DUSTPAN samples were configured to load BEACON payloads into memory… The BEACON payloads, once executed, communicated using either self-managed infrastructure hosted behind Cloudflare or utilized Cloudflare Workers as their command-and-control (C2) channels.”
"BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework."
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
BEACON C&C domains used by FIN12 have most commonly been registered via NameCheap or Hosting Concepts B.V. d/b/a Openprovider
the group has continued to host a significant proportion of the C&C infrastructure in the networks of Choopa, a U.S.-based VPS hosting provider
Initial Access
4 techniques
"APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation..."
In instances where FIN12 leveraged UNC2053 for initial access, we observed BAZARLOADER payloads distributed via malicious email campaigns.
In one intrusion, a threat cluster distributed internal phishing emails that contained a malicious Excel attachment which used an ETTERCELL macro downloader to retrieve a copy of Remote Utilities remote access software.
The TTPs used to distribute BEACON have significant overlaps with UNC2053 distribution campaigns observed between March 2020 and February 2021, including similar lure themes, phishing emails that contain links to malicious PDFs hosted on Google Documents, and the use of legitimate web services for payload hosting.
Execution
7 techniques
RUN_task.ps1 creates a scheduled task that executes the ransomware payloads five minutes after scheduled task creation.
UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity.
"built-in Windows capabilities such as... PowerShell"; "PowerShell script named comps2.ps1 which uses the Get-ADComputer cmdlet"
“The Base64 encoded ActiveMime data also contained an OLE file with malicious macros.”
“Although the files had ‘.doc’ file extensions, the recovered phishing lures were ActiveMime ‘.mht’ web page archives that contained text and images.”
For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawnto (sacrificial) processes, and DLL function names.
"built-in Windows capabilities such as PsExec"; "methods for lateral movement including... PsExec"
Persistence
1 technique
Privilege Escalation
2 techniques
Stealth
6 techniques
Since at least February 2020, FIN12 has leveraged a series of in-memory droppers including MALTSHAKE, ICECANDLE, WHITEDAGGER, WEIRDLOOP, and templates associated with Cobalt Strike's Artifact Kit to deploy various malware payloads.
“When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros.”
FIN12 has also used process injection to execute payloads in a more privileged context.
“decrypts and executes an embedded payload… external payload… encrypted… BEACON payloads… encrypted using chacha20”; “AES-128-CFB decrypts an encrypted on-disk PE… Decryption relies on… MachineGUID… decrypting an embedded configuration and… embedded plugin DLLs”
Does the spawnto_ value make network connections? Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?
"TERMITE in-memory dropper"; "BUGHATCH has been loaded in-memory"
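The two hunting hints in this section and under Execution (default named pipes, and a spawnto process that loads jscript, vbscript, Amsi.dll or clr.dll or makes network connections) can be turned into a small correlation over endpoint telemetry. The Python below is an added example, not code from the page or from any vendor it cites. It assumes Sysmon-shaped events (IDs 1, 3, 7, 17, 18) as plain dicts, uses the publicly documented default pipe names (msagent_##, postex_####, status_##, MSSE-####-server) and the stock spawnto value rundll32.exe, and the event list is constructed here, not real telemetry. Note that it will not flag a renamed pipe such as the SapIServerPipes one quoted above; custom names need a baseline of known pipes rather than a pattern list.

```python
import re
from collections import defaultdict

# Default Cobalt Strike pipe names as publicly documented (assumption: stock values;
# a malleable profile or custom Artifact Kit build can rename them).
DEFAULT_CS_PIPES = [re.compile(p, re.I) for p in (
    r"^msagent_[0-9a-f]{2}$",      # SMB BEACON default pipe
    r"^postex_[0-9a-f]{4}$",       # post-exploitation job pipe (4.2 and later)
    r"^status_[0-9a-f]{2}$",       # post-exploitation job pipe (earlier releases)
    r"^MSSE-\d{1,4}-server$",      # Artifact Kit default pipe
)]

# DLLs a bare spawnto process normally has no reason to load
POSTEX_DLLS = {"clr.dll", "amsi.dll", "jscript.dll", "vbscript.dll"}
# Stock spawnto binary (assumption: profile was not customized)
DEFAULT_SPAWNTO = {"rundll32.exe"}


def normalize_pipe(name):
    # Reduce "\\.\pipe\foo" or Sysmon's "\foo" to "foo"
    n = name.strip()
    prefix = "\\\\.\\pipe\\"
    if n.lower().startswith(prefix):
        n = n[len(prefix):]
    return n.lstrip("\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_default_cs_pipe(name):
    n = normalize_pipe(name)
    return any(r.match(n) for r in DEFAULT_CS_PIPES)


def hunt(events):
    """Correlate Sysmon-style events (1 process create, 3 network, 7 image load,
    17/18 pipe create/connect) and return (rule, image, detail) alerts."""
    alerts, procs = [], {}
    loads, conns = defaultdict(set), defaultdict(int)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            procs[ev["ProcessGuid"]] = ev
        elif eid in (17, 18) and is_default_cs_pipe(ev["PipeName"]):
            alerts.append(("default_cs_pipe", basename(ev["Image"]), normalize_pipe(ev["PipeName"])))
        elif eid == 7:
            loads[ev["ProcessGuid"]].add(basename(ev["ImageLoaded"]))
        elif eid == 3:
            conns[ev["ProcessGuid"]] += 1
    for guid, p in procs.items():
        image = basename(p["Image"])
        cmd = p["CommandLine"].strip().strip('"').lower()
        bare = cmd in (p["Image"].lower(), image)   # spawnto runs with no arguments
        if image not in DEFAULT_SPAWNTO or not bare:
            continue
        hits = sorted(loads[guid] & POSTEX_DLLS)
        if hits:
            alerts.append(("spawnto_loaded_postex_dll", image, hits))
        if conns[guid]:
            alerts.append(("spawnto_network", image, conns[guid]))
    return alerts


SAMPLE_EVENTS = [   # constructed for this example, not real telemetry
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "C:\\Windows\\System32\\rundll32.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"},
    {"EventID": 7, "ProcessGuid": "{A1}", "ImageLoaded": "C:\\Windows\\System32\\amsi.dll"},
    {"EventID": 3, "ProcessGuid": "{A1}", "DestinationPort": 443},
    {"EventID": 17, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "PipeName": "\\postex_a3f1"},
    {"EventID": 18, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "PipeName": "\\\\.\\pipe\\msagent_4d"},
    # benign noise: rundll32 launched with arguments, and an ordinary pipe
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 7, "ProcessGuid": "{C3}", "ImageLoaded": "C:\\Windows\\System32\\amsi.dll"},
    {"EventID": 17, "ProcessGuid": "{D4}", "Image": "C:\\Windows\\System32\\lsass.exe",
     "PipeName": "\\lsass"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events it raises four alerts: two default pipe names, one rundll32.exe loading clr.dll and amsi.dll without arguments, and one network connection from that same process. The argument-less check is the important filter; rundll32.exe invoked with a DLL and entry point is everyday Windows behavior and is deliberately ignored.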
Defense Impairment
1 technique
FIN12 has frequently leveraged code-signed payloads in their operations.
Discovery
1 technique
Get-DataInfo.ps1 is a reconnaissance PowerShell script that has been used regularly by FIN12. This script scans the network to identify all active hosts...
Lateral Movement
3 techniques
"methods for lateral movement including RDP"
FIN12 has most commonly moved laterally across victim environments using valid credentials in combination with BEACON, EMPIRE, RDP, and SMB.
"allowing unauthenticated attackers to execute arbitrary code on vulnerable servers via a single crafted HTTP request" / "manipulating prototype chains" / "trigger the `Function()` constructor with attacker-controlled code"
Collection
1 technique
"ATT&CK... T1074.002: Remote Data Staging"; "exfiltrate data to their BEACON infrastructure"
Command and Control
4 techniques
UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity.
The content discusses collecting Cobalt Strike C2 IPs and extracting beacon configurations from servers. The sample beacon configuration shows web-based communications: "Beacon Type": "8 (HTTPS)", "Method 1": "GET", "Method 2": "POST", "Port": 443, "C2 Server": "thefaithfulamerican.com..."; the Nmap script was run against ports 80, 443, and 8080.
“BEACON payloads… communicated using either self-managed infrastructure hosted behind Cloudflare or utilized Cloudflare Workers as their command-and-control (C2) channels.”
These loaders then downloaded a corresponding BAZARBACKDOOR payload that was used to subsequently deliver a FIN12 BEACON payload.
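The configuration fields quoted above (Beacon Type, Port, the GET/POST verbs, C2 Server) come from the XOR-obfuscated settings table embedded in every Beacon payload, which public parsers locate by its first entry and then walk as big-endian index/type/length records. The Python below is an added example, not code from the page or from any parser it references: the subset of setting indexes, the two default XOR keys (0x2e for 4.x, 0x69 for 3.x) and the record layout follow the publicly documented format, and the sample blob, including the hostname cdn.example.invalid, is constructed here for illustration. It also handles the older key, which the page's single sample does not need.

```python
import struct

# Subset of setting indexes documented by public Cobalt Strike config parsers
# (assumption: only the fields needed for this example; real beacons carry many more)
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter", 8: "C2Server",
    9: "UserAgent", 10: "HttpPostUri", 15: "PipeName", 26: "HttpGet_Verb",
    27: "HttpPost_Verb", 29: "Spawnto_x86", 30: "Spawnto_x64", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_setting(index, vtype, value):
    """Encode one record: index, type (1=short, 2=int, 3=bytes), length, value, all big-endian."""
    if vtype == 1:
        payload = struct.pack(">H", value)
    elif vtype == 2:
        payload = struct.pack(">I", value)
    else:
        payload = value if isinstance(value, bytes) else value.encode()
    return struct.pack(">HHH", index, vtype, len(payload)) + payload


def find_config(blob):
    """Locate the obfuscated table by its first record (index 1, type 1, length 2)
    under each default XOR key; return (key, decoded bytes from that offset) or None."""
    marker = bytes.fromhex("000100010002")
    for key in (0x2E, 0x69):          # 4.x default, then 3.x default
        off = blob.find(xor_bytes(marker, key))
        if off != -1:
            return key, xor_bytes(blob[off:], key)
    return None


def parse_config(cfg):
    """Walk index/type/length records until the zero-filled tail of the table."""
    settings, pos = {}, 0
    while pos + 6 <= len(cfg):
        index, vtype, length = struct.unpack(">HHH", cfg[pos:pos + 6])
        if index == 0 or vtype not in (1, 2, 3):
            break
        pos += 6
        raw = cfg[pos:pos + length]
        pos += length
        if vtype == 1:
            val = struct.unpack(">H", raw)[0]
        elif vtype == 2:
            val = struct.unpack(">I", raw)[0]
        else:
            val = raw.rstrip(b"\x00")              # strings are null-padded to fixed length
            if all(32 <= b < 127 for b in val):    # keep binary settings (e.g. keys) as bytes
                val = val.decode("ascii")
        name = SETTING_NAMES.get(index, f"Setting_{index}")
        if name == "BeaconType":
            val = f"{val} ({BEACON_TYPES.get(val, 'unknown')})"
        settings[name] = val
    return settings


def build_sample_blob(key=0x2E):
    """Constructed HTTPS beacon table wrapped in filler bytes; not a real sample."""
    cfg = b"".join([
        build_setting(1, 1, 8),                                  # HTTPS
        build_setting(2, 1, 443),
        build_setting(3, 2, 60000),                              # sleep 60 s
        build_setting(5, 1, 20),                                 # 20 % jitter
        build_setting(8, 3, b"cdn.example.invalid,/safebrowsing/v4".ljust(256, b"\x00")),
        build_setting(26, 3, b"GET".ljust(16, b"\x00")),
        build_setting(27, 3, b"POST".ljust(16, b"\x00")),
        build_setting(30, 3, b"%windir%\\sysnative\\rundll32.exe".ljust(64, b"\x00")),
        build_setting(37, 2, 0),
    ])
    return b"\x90" * 40 + xor_bytes(cfg + b"\x00" * 16, key) + b"\x90" * 8


if __name__ == "__main__":
    key, cfg = find_config(build_sample_blob())
    print(f"xor key 0x{key:02x}")
    for name, value in parse_config(cfg).items():
        print(f"{name:>14}: {value!r}")
```

The C2Server value keeps Cobalt Strike's "host,/uri" form, which is why a single field yields both the domain and the GET path seen in the page's sample. On a real payload the first step is recovering the decoded Beacon image from its stager or loader (DUSTPAN, WARPRISM and similar); the key search and table walk are the same once you have the raw DLL or shellcode.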
Exfiltration
1 technique
"they prefer to exfiltrate data to their BEACON infrastructure"
IOCs tracked for this family
68 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A GOVERSHELL variant described as enabling PowerShell command execution.
BEACON is the main payload of Cobalt Strike, used for post-exploitation, command and control, and lateral movement. It is widely abused by threat actors for advanced attacks.
Beacon payload used by UNC2165 in activity linked to suspected Evil Corp operations.
Cobalt Strike Beacon is described as a DLL payload/loader that can be modified via the Artifact Kit and embedded into a proxy DLL so it executes a malicious payload while forwarding legitimate DLL exports to preserve application functionality.