Listen to this Post

A Silent Shift in Cyber Warfare
From late 2024, a shadowy and highly coordinated cyberattack campaign swept across multiple countries, marking a dangerous turning point in the evolution of cyber threats. Security experts at JPCERT/CC uncovered that attackers had adopted CrossC2, a powerful unofficial extension of the Cobalt Strike penetration testing framework, capable of operating not just on Windows, but also Linux and macOS systems. This breakthrough effectively dismantles the long-standing perception that Cobalt Strike is primarily a Windows threat, giving cybercriminals a new arsenal for multi-platform infiltration.
How the Attacks Unfolded
Between September and December 2024, hackers combined CrossC2 with a custom-built malware loader named ReadNimeLoader, targeting Active Directory environments to gain control of enterprise networks. Written in C, CrossC2 works with Cobalt Strike version 4.1 and higher, supporting both x86/x64 Linux systems and Intel/M1 macOS machines. Upon execution, the tool forks itself and pulls its command-and-control (C2) details from environment variables or embedded configurations, ensuring flexibility and stealth.
Though parts of CrossC2 are openly available on GitHub, the true code remains locked away, with deliberately restricted features. Security researchers found sophisticated anti-analysis measures, including XOR-based string encoding, junk code insertion, and AES128-CBC encryption of configuration data stored at the file’s end. This setup forces defenders to identify a unique “HOOK” marker before they can even begin decrypting its hidden payload.
A Multi-Stage, Deceptive Malware Loader
The campaign’s second weapon, ReadNimeLoader, written in the Nim programming language, executes a multi-stage infiltration process. It hijacks legitimate java.exe operations, sideloads a malicious jli.dll, then decrypts a disguised readme.txt file to launch OdinLdr, an open-source shellcode loader.
To resist analysis, ReadNimeLoader employs four advanced evasion tactics:
1. PEB debugging checks
2. CONTEXT_DEBUG_REGISTER detection
3. Timing-based anti-sandboxing
4. Exception-handling verification
These anti-analysis layers cleverly hide parts of the decryption key, making it nearly impossible to unlock the malware without running it in a live environment — a dangerous move for analysts.
Possible Link to BlackBasta Ransomware Group
The investigation also pointed toward BlackBasta, a prolific ransomware group. Overlapping C2 domains, similar attack techniques (including AS-REP Roasting and the SystemBC remote access trojan), and identical file naming conventions all hint toward this connection. BlackBasta is already infamous for its devastating ransomware campaigns, and if confirmed, this would mark a significant expansion of its target platforms.
Why This Matters
The most alarming implication is the vulnerability of Linux servers, many of which lack advanced Endpoint Detection and Response (EDR) protections. By expanding beyond Windows, attackers now have a far wider attack surface, enabling them to compromise systems that have historically been harder to breach at scale.
To counter these evolving threats, JPCERT/CC released a CrossC2 configuration parser to help defenders detect and analyze malicious samples. Still, the findings underline a chilling reality — in modern cyberwarfare, no operating system is truly safe.
What Undercode Say:
This attack campaign represents more than just a technical upgrade — it’s a strategic shift in how cybercriminals operate. Historically, Windows systems have been the primary targets for Cobalt Strike due to their prevalence in corporate environments. By adding Linux and macOS to the hit list, hackers are removing one of the few remaining operational limitations of the framework.
The technical implementation of CrossC2 is a masterclass in stealth and persistence. The forking execution method, combined with flexible C2 retrieval, allows attackers to blend into legitimate processes while retaining adaptability. Its anti-analysis mechanisms — from XOR obfuscation to AES-encrypted configurations — add layers of complexity, delaying detection and increasing the window of exploitation.
The use of ReadNimeLoader amplifies this threat. Written in Nim, a language less commonly targeted by malware detection tools, it benefits from the element of novelty. The sideloading of malicious DLLs through trusted processes like java.exe makes it extremely challenging for traditional antivirus solutions to distinguish between legitimate and malicious operations. Furthermore, embedding decryption keys within anti-analysis functions forces researchers into a dangerous cat-and-mouse game, as the malware resists static analysis entirely.
The suspected BlackBasta connection is equally concerning. This group has a history of sophisticated ransomware deployment, and its adoption of multi-platform Cobalt Strike operations could dramatically increase the reach and profitability of their attacks. The overlapping indicators — C2 domains, tooling choices, and methodologies — suggest this was not a random alignment but part of a deliberate strategic expansion.
From a cyber defense perspective, the biggest weakness exposed is the lack of robust detection tools for Linux environments. Many organizations rely on Linux for critical infrastructure, believing it to be inherently more secure due to its architecture and smaller market share compared to Windows. That assumption no longer holds. Attackers now possess frameworks that can pivot seamlessly between platforms, meaning a breach in one OS can cascade into others.
Security teams should interpret this as a wake-up call to extend EDR and SIEM coverage beyond Windows systems. Additionally, threat hunting teams must familiarize themselves with the specific behaviors of CrossC2 and ReadNimeLoader to preempt potential breaches. Adopting behavioral-based detection rather than relying solely on signature-based tools will be crucial in identifying these stealthy, modular threats.
This campaign also reinforces the economic evolution of cybercrime. Cross-platform compatibility increases the potential victim pool, making attacks more cost-effective and profitable for threat actors. When combined with ransomware’s double-extortion tactics, these expanded capabilities could push financial damages into unprecedented territory.
In essence, CrossC2 marks a new era of cyberattack tooling, where operating system boundaries mean little. Organizations must adapt now or risk being left defenseless against a threat that is as flexible as it is persistent.
🔍 Fact Checker Results
✅ CrossC2 exists as an unofficial extension for Cobalt Strike targeting Linux/macOS
✅ ReadNimeLoader uses advanced anti-analysis and multi-stage loading techniques
✅ Indicators link this campaign to the BlackBasta ransomware group
📊 Prediction
Given its stealth and cross-platform nature, CrossC2 (or future variants) will likely see widespread adoption among advanced threat actors within the next 18 months. Linux-targeted ransomware operations could surge, especially in industries with high reliance on unprotected servers such as finance, healthcare, and manufacturing. Without urgent improvements to Linux EDR solutions, the next wave of ransomware attacks could be far more devastating than those of recent years.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub:
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




