Europol takes down 593 Cobalt Strike servers used by cybercriminals


Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims’ networks.

During a single week in late June, law enforcement identified known IP addresses associated with criminal activity and domain names that were part of attack infrastructure used by criminal groups.

In the next stage of the operation, the collected information was passed to online service providers so they could disable unlicensed versions of the tool.

“Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated from Europol’s headquarters between 24 and 28 June,” said Europol.

“A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.”

Operation Morpheus involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States and was led by the United Kingdom’s National Crime Agency.

Private industry partners like BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation also offered their support during this international law enforcement operation, providing help via their enhanced scanning, telemetry, and analytical capabilities to identify Cobalt Strike servers used in cybercriminal campaigns.

This disruptive action coordinated by Europol is the culmination of a complex investigation that started three years ago, in 2021.

“Over the span of the whole investigation, over 730 pieces of threat intelligence were shared containing almost 1.2 million indicators of compromise,” Europol added.

“In addition, Europol’s EC3 organised over 40 coordination meetings between the law enforcement agencies and the private partners. During the week of action, Europol set up a virtual command post to coordinate law enforcement action across the globe.”

Used in ransomware attacks and cyberespionage campaigns

In April 2023, Microsoft, Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) also announced a broad legal crackdown on servers hosting cracked copies of Cobalt Strike, one of cybercriminals’ primary hacking tools.

Cobalt Strike was released by Fortra (formerly Help Systems) over a decade ago as a legitimate commercial penetration testing tool for red teams to scan network infrastructure for security vulnerabilities. However, threat actors have obtained cracked copies of the software, making it one of the most widely used tools in data theft and ransomware attacks.

Attackers use Cobalt Strike during the post-exploitation attack stage to deploy beacons that provide persistent remote access to compromised networks and help steal sensitive data or drop additional malicious payloads.

Microsoft says that various state-backed threat actors and hacking groups are utilizing cracked versions of Cobalt Strike while operating on behalf of foreign governments, such as Russia, China, Vietnam, and Iran.

In November 2022, the Google Cloud Threat Intelligence team also open-sourced a collection of indicators of compromise (IOCs) and 165 YARA rules to help defenders detect Cobalt Strike components in their networks.
