On Sunday, the Japan Certificate Regulation Center (JPCERT/CC) revealed on Thursday that an incident was observed involving the use of a command-and-control (C2) framework called CrossC2.
The agency said the activity was detected between September and December 2024 and targeted multiple countries, including Japan, based on an analysis of virustotal artifacts.
“In their attempts to penetrate AD, the attackers adopted Crossc2 and other tools such as Psexec, Plink and Cobalt Strike. Further investigation revealed that the attackers used custom malware as the loader of Cobalt Strike.
The custom-made cobalt strike beacon loader is called the readnimeloader. CrossC2, an unofficial beacon and builder, can run various cobalt strike commands after establishing communication with the remote server specified in the configuration.
In an attack documented by JPCERT/CC, scheduled tasks set by threat actors on the compromised machine are used to launch legitimate java.exe binaries, which are then abused and removed readnimeloader (“jli.dll”).
A loader written in the NIM programming language extracts the content of a text file and runs it directly in memory to avoid leaving traces on disk. This loaded content is an open source shellcode loader called Odinldr that will decrypt and run it in memory.
Readnimeloader also incorporates a variety of preventative and anti-analytical techniques designed to prevent Odinldr from being decoded unless the route is clear.
JPCERT/CC said the attack campaign shared some degree of overlap with the BlackSuit/Black Basta ransomware activity reported by Rapid7 in June 2025, citing files with similar names as the duplicates of the command and control (C2) domains used.
Another notable aspect is the presence of several ELF versions of SystemBC. This is a backdoor that acts as a precursor to the deployment of cobalt strikes and ransomware.
“There are many incidents, including cobalt strikes, but this article focused on specific cases where CrossC2, a tool that extends the cobalt strike beacon functionality to multiple platforms, was used in the attack, and compromised Linux servers within the internal network,” says Masubuchi.
“Many Linux servers do not have EDR or similar systems installed, and therefore have a potential entry point for further compromise, so you need to be more careful.”
Source link
