Cybercriminals using CrossC2 to extend Cobalt Strike beacons to Linux and macOS

Japan’s CERT Coordination Centre (JPCERT/CC) reported on Thursday that it observed incidents involving a command-and-control (C2) framework known as CrossC2. This framework is designed to extend the functionality of Cobalt Strike to platforms beyond Windows, including Linux and Apple macOS. Through an analysis of VirusTotal artifacts, the agency identified this activity between September and December 2024, targeting multiple countries, including Japan. The attackers utilised CrossC2 alongside tools such as PsExec, Plink, and Cobalt Strike in their attempts to penetrate Active Directory. JPCERT/CC researcher Yuma Masubuchi noted that the attackers employed custom malware, referred to as ReadNimeLoader, as a loader for Cobalt Strike.

The CrossC2 framework, an unofficial Beacon and builder, can execute various Cobalt Strike commands after establishing communication with a specified remote server. In the documented attacks, the threat actor set up a scheduled task on the compromised machine to launch the legitimate java.exe binary, which was then abused to sideload ReadNimeLoader (“jli.dll”). Written in the Nim programming language, this loader extracts content from a text file and executes it directly in memory, leaving no trace on disk. The loaded content includes an open-source shellcode loader called OdinLdr, which decodes and runs the embedded Cobalt Strike Beacon in memory. JPCERT/CC highlighted that this campaign shares similarities with BlackSuit/Black Basta ransomware activity reported by Rapid7 in June 2025, particularly in the C2 domain and file naming conventions. Several ELF versions of SystemBC, a backdoor that often precedes Cobalt Strike and ransomware deployment, were also observed. Many Linux servers lack Endpoint Detection and Response (EDR) systems, making them potential entry points for further compromise and warranting increased attention.
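The sideloading step above (a legitimate java.exe launched from a scheduled task and loading a malicious jli.dll placed beside it) has a simple telemetry signature: jli.dll is normally loaded only from the Java installation directory. The following is an added detection example, not code from JPCERT/CC or the report; the event field names, the sample events and the allowlist of Java install roots are all constructed assumptions that would need to be mapped onto your actual endpoint telemetry schema and environment.

```python
"""Detection sketch: java.exe loading jli.dll from outside a trusted Java install root.

Added example, not part of the original report. Event records are constructed
to resemble image-load telemetry; the field names ("type", "image", "loaded")
are assumptions, not any specific EDR or Sysmon schema.
"""
from pathlib import PureWindowsPath

# Assumed allowlist of directories under which a legitimate Java runtime lives.
# Tune this to the actual install roots used in your environment.
TRUSTED_JAVA_ROOTS = (
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
)

# Constructed sample events (not real logs): the loading process ("image")
# and the DLL it mapped ("loaded").
SAMPLE_EVENTS = [
    {"type": "image_load",
     "image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "loaded": r"C:\Program Files\Java\jdk-17\bin\jli.dll"},
    {"type": "image_load",
     "image": r"C:\Users\Public\Libraries\java.exe",   # copied java.exe in a staging dir
     "loaded": r"C:\Users\Public\Libraries\jli.dll"},  # DLL planted beside it
    {"type": "image_load",
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def _under_trusted_root(path: str) -> bool:
    """Case-insensitive check that `path` sits below one of TRUSTED_JAVA_ROOTS."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_JAVA_ROOTS)


def find_jli_sideload(events):
    """Flag java.exe mapping jli.dll when either file is outside a trusted Java root.

    Returns a list of (reason, image_path, loaded_dll_path) tuples.
    """
    alerts = []
    for ev in events:
        if ev.get("type") != "image_load":
            continue
        image, loaded = ev.get("image", ""), ev.get("loaded", "")
        if PureWindowsPath(image).name.lower() != "java.exe":
            continue
        if PureWindowsPath(loaded).name.lower() != "jli.dll":
            continue
        # A genuine JDK/JRE loads jli.dll from its own bin directory; anything
        # else is a sideloading candidate worth triaging.
        if not (_under_trusted_root(image) and _under_trusted_root(loaded)):
            alerts.append(("jli.dll loaded by java.exe outside trusted Java root", image, loaded))
    return alerts


if __name__ == "__main__":
    for reason, image, loaded in find_jli_sideload(SAMPLE_EVENTS):
        print(reason, image, loaded, sep=" | ")
```

Run against the constructed events, only the second one is flagged. The check is deliberately path-based rather than hash-based: the attacker's java.exe is the genuine, signed binary, so signature and hash checks on the process image alone would pass. Correlating the load with the parent being the Task Scheduler service would tighten it further, as would the same logic applied to other known sideloadable host binaries.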