CrossC2

CrossC2 is an unofficial Cobalt Strike Beacon/builder used to extend Cobalt Strike to UNIX-like platforms, including Linux and macOS. The provided reporting describes it as a Linux-compatible beacon framework and a Linux version of the Cobalt Strike implementation, with payloads observed as ELF executables for x86 and x64 systems. JPCERT/CC reported incidents involving CrossC2 from September to December 2024, and additional reporting tied its deployment to exploitation of CVE-2025-55182 (React2Shell) in late 2025.

Capabilities and behavior directly described in the source material include command execution and broader post-exploitation support after initial compromise. CrossC2-generated beacons are developed in C, compatible with Cobalt Strike 4.1+, and designed for Linux (x86/x64) and macOS (x86/x64/M1). On execution, CrossC2 forks itself and performs main processing in the child process. It can obtain its C2 host and port from the CCHOST and CCPORT environment variables. Configuration data is stored at the end of the file, located via the string "HOOK," and decrypted with AES-128-CBC using OpenSSL routines. Anti-analysis features noted by JPCERT/CC include single-byte XOR string encoding and insertion of large amounts of junk code. CrossC2 beacons are packed with UPX by default, and standard UPX unpacking can fail because configuration data is appended to the file.

Observed infection and deployment vectors in the provided content include exploitation of React2Shell, after which attackers downloaded Bash scripts such as check.sh to retrieve architecture-specific ELF payloads named a_x86 and a_x64. In those cases, the payload was saved as rsyslo under /usr/local/rsyslo when run as root or ${HOME}/.rsyslo with standard privileges, and persistence was established via a systemd service named "Rsyslo AV Agent Service." JPCERT/CC also documented installation of SNOWLIGHT downloader (javas) and CrossC2 (rsyslo) on a compromised server, identifying rsyslo as the CrossC2 RAT. In another campaign, CrossC2 was part of a broader post-exploitation toolkit used after compromise of telecom environments.

Associated threat activity in the content includes use by the China-linked Red Menshen cluster in long-running telecom espionage operations. Rapid7 reported that after initial access to telecom providers in the Middle East and Asia, attackers deployed CrossC2 for command execution and post-exploitation, alongside BPFDoor, TinyShell, Sliver, SSH brute-forcers, keyloggers, and credential theft utilities. JPCERT/CC assessed a separate 2024 intrusion set involving CrossC2 as potentially connected to BlackBasta based on overlapping infrastructure and tradecraft. CrossC2 was also observed in non-Russia-focused React2Shell exploitation campaigns documented by BI.ZONE.

Targeted environments and sectors explicitly mentioned include Linux and macOS systems, compromised Linux servers, and telecommunications providers and telecom core environments in the Middle East and Asia. The content also places CrossC2 in campaigns affecting organizations outside Russia via React2Shell exploitation.

High-confidence indicators and technical details directly provided include observed CrossC2 C2 server 154.89.152[.]240:443 in React2Shell-related cases; AES-128-CBC decryption of embedded configuration using key aaaabbbbccccdddd and IV abcdefghijklmnop in one analyzed payload set; filenames a_x86, a_x64, and rsyslo; persistence via the "Rsyslo AV Agent Service" systemd unit; and configuration parsing based on the trailing "HOOK" marker.