Ransomware gang’s Cobalt Strike servers DDoSed with anti-Russia messages

Cobalt Strike servers used in ransomware attacks flooded with anti-Russia messages

Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.

The operators of Conti ransomware completed turning off their internal infrastructure in May this year but its members have dispersed to other ransomware gangs, such as Quantum, Hive, and BlackCat.

However, former Conti members continue to use the same Cobalt Strike infrastructure to conduct new attacks under other ransomware operations.

Server flood

Someone is now tracking the TeamServers (C2) used by ransomware actors to control the Cobalt Strike (CS) Beacon payloads on compromised hosts (clients), which allow lateral movement on the network.

When flooding the CS servers, these people are using the username “Stop Putin!” on multiple computers and changing their computer name to various messages, such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!”

ex-Conti Cobalt Strike TeamServer DDoSed with political messagesAnti-Russia notes disrupting ex-Conti Cobalt Strike servers
source: Vitali Kremez (AdvIntel)

Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), told BleepingComputer that whoever is running these attacks initially targeted at least four Cobalt Strike servers allegedly controlled by ex-Conti members.

The researcher says that the messages are flooding the servers at a high rate of about two every second.

As an effect of this large number of pings, TeamServer’s Java application is overloaded and activity is disrupted in a similar way a denial-of-service (DoS) condition would.

Running Cobalt Strike TeamServer from a Java application was possible in versions of the toolkit up to 4.6, released this year in April. In more recent releases, the component runs from an executable image (TeamServerImage).

Kremez says whoever is behind this activity is constantly targeting Cobalt Strike servers believed to be operated by previous Conti ransomware members, resuming the flood whenever a new server is discovered.

Turning the tables on cybercriminals

It is unclear who is behind these messages (it could be anyone from a security researcher, to law enforcement agencies, to a cybercriminal with a grudge for siding with Russia) but it looks like they’re keeping the threat actor busy.

Disrupting ransomware gangs’ activity with denial-of-service has happened before, the LockBit operation being a recent target, allegedly for encrypting systems belonging to digital security company Entrust.

The attack was serious enough for LockBit to shut down its leak sites and start reorganizing its infrastructure. In the meantime, none of the data the gang published was available.

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data.

However, the disruption was temporary and the ransomware actor came online with stronger infrastructure allowing them to keep the stolen data available even when facing distributed denial-of-service (DDoS) attacks.


  • EndangeredPootisBird Photo EndangeredPootisBird – 2 days ago

    Maybe dont make pen testing tools open source? That way cybercriminals cant abuse them, if it was the case almost all cyberattacks against businesses and governments nowadays would never have happened

  • b00meraang Photo b00meraang – 2 days ago

    I am not sure who but Cobalt Strike was leaked in GitHub. So not intentionally made to be open source. Deep Blue for example was a zero day hoarded by US gov and then stolen by apt’s then released in the open.

  • EndangeredPootisBird Photo EndangeredPootisBird – 2 days ago

    Even so, penetration testing companies should be treated as cybercriminals as they have aided in the biggest advancement of cyberattacks in history, even if their intent was benign.

  • h_b_s Photo h_b_s – 1 day ago

    “Even so, penetration testing companies should be treated as cybercriminals as they have aided in the biggest advancement of cyberattacks in history, even if their intent was benign.”

    Sure, let’s through the baby out with the bath water and just lock up every single security researcher out there. Cuz you know… they might have shown a criminal how to break into AD servers. Can’t have that! Oh wait… if you lock up all the security researchers… then the only people attacking systems… will be… those very same criminals (they just had to do a little more work – it’s not difficult to find exploitable flaws in most software)….


    Instead, these PoC allow competent security practitioners to discover if their own software is vulnerable, or it’s mitigated for some other reason. Competence is key. Unfortunately, it’s often hamstrung by management & political decisions. Be very clear, the criminals are the ones carrying out the attacks are the people liable for their own deeds, NOT the people trying to inform the IT and software development communities at large to the existence of these flaws. Many times, the ONLY way to get these corporations and governments to fix their crap, is to make the information public and shame them into fixing it.

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.12 4M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 21,243 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 51,198 Downloads

  • Zemana AntiMalware Logo

    Zemana AntiMalware

    Version: NA 302,653 Downloads


Related posts

Hackers use Golang source code interpreter to evade detection

Sarah Henriquez

New hacking forum leaks data of 478,000 RaidForums members

Sarah Henriquez

New Redigo malware drops stealthy backdoor on Redis servers

Sarah Henriquez

Leave a Comment