BEACON
BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. The content repeatedly refers to it as Cobalt Strike BEACON and describes it as a post-compromise implant/backdoor used for command-and-control, persistence, lateral movement support, and payload delivery across multiple intrusion sets. Reported capabilities and behaviors include HTTPS and SMB-based C2, use of HTTPSSTAGER, execution as an in-memory payload, loading by droppers such as DUSTPAN, deployment via scheduled tasks and rundll32, and use with malleable C2 profiles including Safebrowsing, chches_APT10, and Havex. One report also describes a Beacon DLL being modified for DLL proxying, and another notes SMB BEACON communicating over a named pipe. The content also mentions an AdaptixC2 agent named Beacon, but the most widely recognized malware name in the provided material is Cobalt Strike Beacon.
Observed infection and delivery contexts in the content include spear-phishing, exploitation of vulnerabilities, staged malware chains, and memory-only execution. APT32 used spear-phishing ActiveMime lure documents that led to Meterpreter and then Cobalt Strike BEACON communicating with 80.255.3[.]87 using a Safebrowsing malleable C2 profile. UNC2447 used the Cobalt Strike BEACON HTTPSSTAGER implant for persistence after exploiting SonicWall SMA 100 series zero-day CVE-2021-20016. UNC2198 used Cobalt Strike BEACON alongside METERPRETER, KOADIC, and PowerShell EMPIRE during ransomware-linked intrusions. APT29 deployed SMB BEACON via SharedReality.dll, a Go-based memory-only dropper, using a scheduled task named SharedRealitySvcDLC and a named pipe \\.\pipe\SapIServerPipes-1-15-21-07836. APT41 used DUSTPAN to decrypt and load ChaCha20-encrypted BEACON payloads into memory, with C2 routed through self-managed infrastructure behind Cloudflare or via Cloudflare Workers.
The malware is associated in the content with multiple threat actors and campaigns, including APT29, APT32, APT40, APT41, UNC2165/Evil Corp-linked activity, UNC2198, and UNC2447. It appears in both espionage and financially motivated operations, including ransomware intrusions and long-term intelligence collection. Targeting mentioned in the surrounding reports spans diplomatic entities, consumer products, hospitality, manufacturing, engineering, transportation, defense, maritime-related organizations, and victims across North America, Europe, Asia Pacific, and South America.
High-confidence indicators and artifacts directly mentioned in the content include C2 IP 80.255.3[.]87; named pipe \\.\pipe\SapIServerPipes-1-15-21-07836; and malleable profile names Safebrowsing, chches_APT10, and Havex. Additional directly mentioned behaviors include BEACON payloads encrypted with ChaCha20, use of Cloudflare and Cloudflare Workers for C2, and use as a first-stage backdoor by APT40 before downloading additional payloads.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The DUSTPAN samples were configured to load BEACON payloads into memory that were encrypted using chacha20. The BEACON payloads, once executed, communicated using either self-managed infrastructure hosted behind Cloudflare or utilized Cloudflare Workers as their command-and-control (C2) channels.
UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity...
"GOVERSHELL has already spawned five variants, including the most recent Beacon malware that could enable PowerShell command execution."
UNC2447 uses the Cobalt Strike BEACON HTTPSSTAGER implant for persistence to communicate with command-and-control (C2) servers over HTTPS...
UNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE offensive security tools during this phase as well.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (5 techniques)
The remote script convinced users to download a fake installer, which led to workstations being infected with a Cobalt Strike BEACON backdoor.
"APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation..."
In instances where FIN12 leveraged UNC2053 for initial access, we observed BAZARLOADER payloads distributed via malicious email campaigns.
In one intrusion, a threat cluster distributed internal phishing emails that contained a malicious Excel attachment which used an ETTERCELL macro downloader to retrieve a copy of Remote Utilities remote access software.
The TTPs used to distribute BEACON have significant overlaps with UNC2053 distribution campaigns observed between March 2020 and February 2021, including similar lure themes, phishing emails that contain links to malicious PDFs hosted on Google Documents, and the use of legitimate web services for payload hosting.
Execution (8 techniques)
RUN_task.ps1 creates a scheduled task that executes the ransomware payloads five minutes after scheduled task creation.
UNC2165 also reportedly has used Beacon payloads and a command-and-control (C2) server other information security firms have linked to suspected Evil Corp activity.
"built-in Windows capabilities such as... PowerShell"; "PowerShell script named comps2.ps1 which uses the Get-ADComputer cmdlet"
"The Base64 encoded ActiveMime data also contained an OLE file with malicious macros."
Beacon is a C++ implant... Its primary capability beyond standard C2 tasks is BOF (Beacon Object File) execution ... lets operators run compiled C code in-process without touching disk.
"Although the files had '.doc' file extensions, the recovered phishing lures were ActiveMime '.mht' web page archives that contained text and images."
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (6 techniques)
Since at least February 2020, FIN12 has leveraged a series of in-memory droppers including, MALTSHAKE, ICECANDLE, WHITEDAGGER, WEIRDLOOP, and templates associated with Cobalt Strike's Artifact Kit to deploy various malware payloads.
"When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros."
DUSTPAN may be configured to inject the decrypted payload into another process or create a new thread and execute it within its own process space.
DUSTPAN is an in-memory dropper written in C/C++ that decrypts and executes an embedded payload.
Defense Impairment (1 technique)
Discovery (1 technique)
Lateral Movement (3 techniques)
Collection (2 techniques)
Command and Control (5 techniques)
AdaptixC2 is an open-source post-exploitation framework... The framework ships two agent families... listeners as loadable plugins ("extenders") covering HTTP/S, DNS/DoH, SMB named pipes, and raw TCP transports.
BeaconHTTP: HTTP/S callback with configurable URIs, headers, and User-Agent rotation...
BeaconDNS: DNS-based callback channel...
BeaconTCP: Bind-style TCP channel for internal pivots
The three .exe samples from 2.26.229[.]254 all call back to the same listener:
C2: hxxp://2.26.229[.]254:4433
Callback URIs: /api/v1/status, /updates/check.php, /content.html
Custom header: X-ISS
BeaconDNS: DNS-based callback channel. The listener replies with TXT "OK" to any short-label or unrecognized query... Querying a random short hostname returns TXT "OK" ... while a query formatted as a beacon check-in ... returns A 127.0.0.1 on a genuine listener.
IOCs tracked for this family
68 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting. Full values are available in Mallory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cross-platform C++ implant used by AdaptixC2 that supports BOF execution and multiple callback transports including HTTP/S, DNS, SMB named pipes, and TCP. It checks in with operator-controlled listeners for tasking and can execute commands and payloads in-memory.
A GOVERSHELL variant described as enabling PowerShell command execution.
BEACON is the main payload of Cobalt Strike, used for post-exploitation, command and control, and lateral movement. It is widely abused by threat actors for advanced attacks.
Beacon payload used by UNC2165 in activity linked to suspected Evil Corp operations.