- Japan’s CERT coordination center identified attacks using the CrossC2 framework to control Linux and macOS systems.
- Incidents were observed between September and December 2024 across several countries, including Japan.
- Attackers deployed a custom loader called ReadNimeLoader, which loads malicious code directly into memory to avoid detection.
- The campaign showed similarities to previous Ransomware activities, using similar command-and-control domains and files.
- Linux servers were specifically targeted, often lacking security monitoring tools, making them a weak point for attackers.
Japan’s CERT coordination center (JPCERT/CC) reported several incidents where attackers used a Hacking tool named CrossC2 to gain control of computer systems running on Linux and Apple’s macOS. The incidents took place between September and December 2024 in multiple countries, with activity confirmed within Japan.
According to JPCERT/CC, the attackers used CrossC2 along with other hacking tools like PsExec, Plink, and Cobalt Strike to attempt access to Active Directory environments. Researcher Yuma Masubuchi stated that the attackers used custom-made Malware as a loader for Cobalt Strike. The custom loader has been given the name ReadNimeLoader.
CrossC2 is an unofficial extension of Cobalt Strike, a known security testing tool, that enables its use on a wider range of systems. The attacks began by using scheduled tasks to launch the Java program (java.exe) on targeted computers. This legitimate process was then abused to load ReadNimeLoader, identified as “jli.dll.”
ReadNimeLoader, written in the Nim programming language, reads and executes code from a text file directly in memory—a method that reduces the chances of leaving evidence on disk. This loaded code is an open-source loader called OdinLdr, which decodes and runs the main Cobalt Strike Beacon malware in memory. The loader also includes tricks to block security monitoring tools and prevent the code from running if analysis is detected.
JPCERT/CC noted that the command-and-control servers and some files used in the campaign were similar to those seen in ransomware attacks by BlackSuit and Black Basta, as reported by Rapid7 in June 2025. The campaign also featured ELF versions (used for Linux) of SystemBC, a backdoor Trojan often used to set up future ransomware attacks.
Researcher Masubuchi highlighted that Linux servers, which often lack Endpoint Detection and Response (EDR) solutions, were prime targets. “Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required,” Masubuchi stated.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Paramount Skydance Soars 36% After Jim Cramer “Meme Stock” Call
- OFAC Targets Businesses Using Stablecoins for Russian Sanctions Evasion
- Elon Musk Backs Dogecoin Again as Bitcoin Soars Past $124,000
- Bitcoin Drops Below $120K as US Treasury Rules Out More Purchases
- CISA Adds Two Actively Exploited N-able Flaws to KEV Catalog
