BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

CrossC2 Enables Multi-Platform Cobalt Strike Attacks on Linux Servers

Attackers Use CrossC2 Framework and Custom Loader to Target Linux and macOS Systems in Global Campaign, Says Japan’s JPCERT/CC

  • Japan’s CERT coordination center identified attacks using the CrossC2 framework to control Linux and macOS systems.
  • Incidents were observed between September and December 2024 across several countries, including Japan.
  • Attackers deployed a custom loader called ReadNimeLoader, which loads malicious code directly into memory to avoid detection.
  • The campaign showed similarities to previous Ransomware activities, using similar command-and-control domains and files.
  • Linux servers were specifically targeted, often lacking security monitoring tools, making them a weak point for attackers.

Japan’s CERT coordination center (JPCERT/CC) reported several incidents where attackers used a Hacking tool named CrossC2 to gain control of computer systems running on Linux and Apple’s macOS. The incidents took place between September and December 2024 in multiple countries, with activity confirmed within Japan.

- Advertisement -

According to JPCERT/CC, the attackers used CrossC2 along with other hacking tools like PsExec, Plink, and Cobalt Strike to attempt access to Active Directory environments. Researcher Yuma Masubuchi stated that the attackers used custom-made Malware as a loader for Cobalt Strike. The custom loader has been given the name ReadNimeLoader.

CrossC2 is an unofficial extension of Cobalt Strike, a known security testing tool, that enables its use on a wider range of systems. The attacks began by using scheduled tasks to launch the Java program (java.exe) on targeted computers. This legitimate process was then abused to load ReadNimeLoader, identified as “jli.dll.”

ReadNimeLoader, written in the Nim programming language, reads and executes code from a text file directly in memory—a method that reduces the chances of leaving evidence on disk. This loaded code is an open-source loader called OdinLdr, which decodes and runs the main Cobalt Strike Beacon malware in memory. The loader also includes tricks to block security monitoring tools and prevent the code from running if analysis is detected.

JPCERT/CC noted that the command-and-control servers and some files used in the campaign were similar to those seen in ransomware attacks by BlackSuit and Black Basta, as reported by Rapid7 in June 2025. The campaign also featured ELF versions (used for Linux) of SystemBC, a backdoor Trojan often used to set up future ransomware attacks.

- Advertisement -

Researcher Masubuchi highlighted that Linux servers, which often lack Endpoint Detection and Response (EDR) solutions, were prime targets. “Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required,” Masubuchi stated.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

RWAs Overtake Bitcoin as Hyperliquid’s Largest Open Interest

Hyperliquid's RWA perpetuals hit a record $3.6 billion in open interest, overtaking Bitcoin and...

SK Hynix ADR gains vanish in under a day

SK Hynix's ADRs rose 12.7% on Nasdaq debut Friday but the entire gain was...

Binance futures hit 2026 high as spot market lags

Binance recorded $1.6 trillion in futures trading volume in June, its highest level of...

CISA adds two critical Joomla extension flaws to KEV list

U.S. CISA added two maximum-severity Joomla extension flaws to its Known Exploited Vulnerabilities (KEV)...

Russia, India push de-dollarization to hit $100 billion trade target

Russia and India are accelerating a bilateral trade deal to reach a $100 billion...

Must Read

17 Best Audiobooks On Blockchain Technology For Beginners

If you're looking to dive into the world of blockchain technology, you're in for a treat. The field is rapidly evolving and the potential...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading