← Dispatches

TLP:CLEAR · 2026-02-27

140 Beacons: Mapping Exposed Cobalt Strike Infrastructure Across the Open Internet

We scanned the public internet for exposed Cobalt Strike beacon configurations using Shodan and extracted complete malleable C2 profiles from 140 live servers. We clustered operators by watermark and public key, identified a Chinese-speaking threat actor impersonating Google across two US-hosted servers, found an Azure-hosted server silently deploying MSI payloads through post-exploitation, and mapped domain fronting through Baidu CDN and Cloudflare nameservers. Every server ran a cracked license.

Cobalt Strike is the most widely deployed post-exploitation framework in offensive operations. When operators misconfigure their team servers, Shodan indexes the beacon configuration, the complete set of instructions telling an implant how to communicate, what to inject, how to sleep, and where to phone home. We queried Shodan for every exposed beacon configuration on the internet and extracted the full operational playbook from 140 live servers. What we found is a map of offensive infrastructure that no one bothered to hide.

The Scan

We queried Shodan's API for hosts tagged with product:"Cobalt Strike Beacon" that included a watermark field in their raw data, indicating Shodan had successfully parsed the beacon configuration. The search returned 140 servers with fully exposed configs. An additional 42 servers were identified as Cobalt Strike beacons without parseable configs, bringing the total to 182 confirmed beacon listeners on the public internet.

The geographic breakdown is immediate: 87 servers in China (62%), 19 in the United States (14%), 16 in Hong Kong (11%), with the remainder scattered across the Netherlands, Taiwan, Japan, Singapore, Russia, Sweden, Italy, Switzerland, and Venezuela. Chinese cloud providers dominate the hosting: Alibaba Cloud hosts 47+ servers across multiple subsidiaries, followed by Tencent Cloud (14), JD Cloud (8+), Beijing Baidu Netcom, Huawei Cloud, and Beijing Volcano Engine Technology.

Every License Is Cracked

Cobalt Strike embeds a watermark value in every beacon, tied to the license that generated it. Legitimate licenses produce unique watermarks. Cracked distributions use well-known hardcoded values. Every watermark we extracted maps to a known pirated distribution:

WatermarkServersNotes
98765432148Most prevalent cracked watermark globally
66666666625Second most common, includes "Google Spider" operator
1000009Common in Chinese crack distributions
3911449389Specific Chinese CS crack package
12345678903Generic crack
3708482312Azure Italy MSI deployer (unique, possibly leaked license)
6666662Variant
4263527811Singular
13595933251Singular

Watermark 987654321 alone accounts for 48 servers across 9 countries. It is the default watermark in the most widely distributed cracked Cobalt Strike package in Chinese underground forums. Watermark 666666666, present on 25 servers, is the second most common cracked marker. Together, these two watermarks cover 52% of all exposed infrastructure. The cracked tooling pipeline is enabling offensive operations at industrial scale with zero licensing cost.

The Google Spider: A Chinese Operator Impersonating Google

The most brazen finding is a threat actor running two Cobalt Strike servers on US-hosted infrastructure while impersonating Google. Server 38[.]49[.]57[.]15 on KURUN CLOUD (AS8796) presents an SSL certificate with CN=Google Spider, O=Alphabet Inc, OU=Google.com, and L=Sacramento, California. The certificate is self-signed. The serial number is 269367925. The SHA-256 fingerprint is a82bd2ecad1cfee66b6f6d568a29a646cec50842e7bd709fad5e3bbe65529083.

The full beacon config tells the rest of the story. The Accept-Language header hardcoded into both GET and POST requests is zh-CN,zh;q=0.9,en;q=0.8, Chinese-language primary, English secondary. The C2 endpoints are REST-style API paths (/api/v1/get and /api/v1/post) designed to blend with legitimate API traffic. The post-exploitation module spawns into %allusersprofile%\CrashReport\CrashReport64.exe, disguising injected processes as crash reporters. The process injection chain uses ntdll:RtlUserThreadStart, CreateThread, NtQueueApcThread-s, CreateRemoteThread, and RtlCreateUserThread with a minimum allocation of 10,192 bytes. The user agent spoofs Chrome 125 on macOS.

The sleep interval is 300,240 milliseconds (approximately 5 minutes) with 45% jitter, making beacon callbacks irregular enough to evade simple frequency analysis. The server public key MD5 is 1331821cc1c6d6873c56d1b90ccc20fa. The inject stub hash is e781a4479f7c5a03b2dcfe4bd436366f.

We found the operator's second server by searching for matching configuration characteristics. 172[.]245[.]242[.]117 on RackNerd (AS36352) runs an identical malleable C2 profile: same API endpoints, same cookie names (_UK= and _ZF=), same zh-CN Accept-Language, same CrashReport spawn-to paths, and the same inject stub hash. The domain him[.]10s[.]is resolves to this server and appears in the beacon's host header. The listening port shifted from 443 to 8443, and the sleep interval dropped from 300 seconds to 1 millisecond, a configuration likely used for testing or active operations rather than long-dwell persistence.

Different public key MD5 values (3bd0d90fbf36f5e7743db93c55d18906 vs the first server's key) confirm these are separate Cobalt Strike instances, but the identical malleable profile, shared watermark, matching inject stubs, identical spawn-to paths, and common language preference confirm a single operator running both.

Azure Italy: The MSI Deployer

A different operator is running a Cobalt Strike beacon on Microsoft Azure's Italy North region at 72[.]146[.]31[.]117, resolving to lcowpowerlite[.]italynorth[.]cloudapp[.]azure[.]com. The beacon config reveals a distinctive tradecraft choice: the post-exploitation spawn-to is set to msiexec.exe /i TranslateUS.msi /quiet, meaning every time the operator spawns a new post-exploitation job, it executes a silent MSI installation. This is not a standard CS configuration, someone customized the framework to deploy additional payloads through Windows Installer as a post-exploitation step.

The malleable C2 profile impersonates Google Analytics traffic. The GET beacon URI is /__utm.gif with fake Google Analytics parameters (utmac=UA-2202604-2, utmcn=1, utmcs=ISO-8859-1, utmsr=1280x1024, utmsc=32-bit, utmul=en-US). The POST channel uses /___utm.gif (triple underscore). Beacon data is stored in a fake __utma cookie, and exfiltrated data masquerades as additional utm parameters. This is a known Cobalt Strike malleable profile template (google_analytics.profile from the public Malleable-C2-Profiles repository), but the MSI deployment is custom.

The process injection chain uses ntdll.dll:RtlUserThreadStart, ntdll:TppWorkerThread, and SetThreadContext, a less common combination that aboids the more heavily monitored CreateRemoteThread. The watermark 370848231 does not appear in common cracked distributions, suggesting either a lesser-known crack or a potentially leaked legitimate license. The beacon runs over plaintext HTTP (not HTTPS), a significant OPSEC failure for an operator otherwise showing some sophistication.

Domain Fronting and Infrastructure Abuse

Several operators are abusing cloud CDN and DNS infrastructure to mask their C2 traffic:

Baidu CDN Fronting: Server 8[.]138[.]167[.]123 (Alibaba Cloud, China) uses dakk5rnsax46s[.]cfc-execute[.]su[.]baidubce[.]com as its beacon host header, routing C2 traffic through Baidu Cloud's CDN edge network. The C2 endpoints are /api/x (GET) and /api/y (POST). The spawn-to is WerFault.exe (Windows Error Reporting), the sleep time is 1 second with 50% jitter, and the watermark is 666666666. This server shares the watermark with the Google Spider operator but uses a different public key (f4484f18f41b0106a5e0bd99b24f7081), indicating a different team using the same cracked distribution.

Cloudflare Nameserver Abuse: Server 107[.]150[.]105[.]91 (UCLOUD, US) sets its beacon host header to magali[.]ns[.]cloudflare[.]com, a legitimate Cloudflare authoritative nameserver hostname. The beacon is configured to use /jquery-3.3.1.min.js as its GET URI, mimicking a jQuery library request. The spawn-to target is notepad.exe, an unusual choice that suggests a less experienced operator or a testing configuration. The public key MD5 ca1c5ee4c6f4451759972387cacad5ac appears on three other servers, all on Alibaba Cloud in China, indicating a shared key across multiple deployments.

Fake Baidu Host: Server 8[.]219[.]76[.]168 (Alibaba Cloud, Singapore) uses baidu[.]com as a host header with the URI /updates. A legitimate Baidu request path, routed to a CS beacon.

Operator Clustering

Beyond watermarks, shared server.publickey_md5 values and identical malleable profiles reveal multi-server operators:

Cluster A: Public key ca1c5ee4c6f4451759972387cacad5ac appears on 4 servers: 107[.]150[.]105[.]91 (US), 8[.]159[.]146[.]72 (CN), 8[.]138[.]222[.]215 (CN), and 39[.]104[.]78[.]25 (CN). All use watermark 666666666. Domains include missmovie[.]lol and magali[.]ns[.]cloudflare[.]com. A single operator running infrastructure across two countries.

Cluster B: Public key f37b63e281f4d8f9ba757771bf73090b appears on 3 servers in Hong Kong: 143[.]92[.]43[.]153, 143[.]92[.]43[.]246, and 143[.]92[.]43[.]231, all on CTG Server Ltd. Same watermark (100000), same URI (/ca), same spawn-to. A small dedicated farm.

Cluster C: Public key f09fbfdb3631dbb827cfaa7485f01b42 on 101[.]132[.]173[.]62 (Alibaba Cloud, CN) connects to an external C2 at 38[.]182[.]168[.]169 and also uses the domain www[.]quick-shares[.]com. The spawn-to is WerFault.exe and the URI pattern /api/v1/servlet/getuserinfo mimics a legitimate Java servlet path. Watermark 100000.

The Spawn-To Fingerprint Gallery

The post-ex.spawnto_x64 field tells Cobalt Strike which process to inject post-exploitation jobs into. Most operators default to rundll32.exe (79 of 140 servers). The exceptions reveal tradecraft differentiation:

Spawn-To BinaryServersAssessment
%windir%\sysnative\rundll32.exe79Default, minimal customization
%windir%\sysnative\dllhost.exe5COM surrogate disguise
%windir%\sysnative\WerFault.exe4Error reporting disguise
%windir%\sysnative\gpupdate.exe3Group policy disguise
%allusersprofile%\CrashReport\CrashReport64.exe2Custom binary (Google Spider operator)
%windir%\sysnative\msiexec.exe /i TranslateUS.msi /quiet2MSI deployment (Azure Italy)
%windir%\sysnative\notepad.exe1Likely testing
%windir%\sysnative\wbem\wmiprvse.exe -Embedding1WMI provider host disguise
%windir%\system32\gpupdate.exe1x86 variant
%windir%\sysnative\msiexec.exe1MSI host

The Google Spider operator's custom CrashReport64.exe is particularly notable. Unlike the Windows system binaries used by other operators, this is a custom path under %allusersprofile%, meaning the operator deployed their own decoy binary to the victim's machine before configuring Cobalt Strike to inject into it. This represents additional operational investment beyond default CS configuration.

URI Pattern Analysis

The beacon GET URIs cluster into recognizable impersonation categories. The most popular is /jquery-3.3.1.min.js (used by 9 servers) from the default jQuery malleable profile. Others impersonate Microsoft services (/fwlink, /IE9CompatViewList.xml), web analytics (/pixel.gif, /dot.gif, /__utm.gif, /ga.js), or generic APIs (/api/v1/get, /api/x, /ca, /cx). One server at 107[.]149[.]192[.]54 uses a GET URI that mimics a Baidu search query: /siie=utf-8&f=8&rsv_bp=1&rsv_idx=1&ch=&tn=baidu&bar=&wd=.

What This Means

Every one of these 140 servers is an exposed offensive tool. The operators behind them, whether state-sponsored, criminal, or red team, left their full configurations readable by anyone with a Shodan API key. The beacon configs contain their C2 domains, their inject techniques, their sleep patterns, their spawn-to targets, and in many cases, cryptographic material (public key MD5, inject stubs) that enables tracking across infrastructure changes.

The scale of cracked Cobalt Strike in Chinese cloud infrastructure is particularly notable. 87 servers across Alibaba, Tencent, JD, Baidu, Huawei, and Volcengine, all running pirated licenses, represent an ecosystem where offensive capability costs nothing and accountability is minimal. The watermark clustering confirms these are not isolated actors but participants in a shared underground tooling pipeline.

For defenders: the IOCs below are directly actionable. The JARM fingerprints, SSL certificate details, URI patterns, and public key MD5 values can be used for network detection rules. For cloud providers: these servers are identifiable and terminable. For the operators themselves: your configs are public. We read them.

IOC Summary

Google Spider Operator

IndicatorTypeNotes
38.49.57.15C2 IPKURUN CLOUD (AS8796), US
172.245.242.117C2 IPRackNerd (AS36352), US
him[.]10s[.]isC2 DomainResolves to 172.245.242.117
a82bd2ecad1cfee66b6f6d568a29a646cec50842e7bd709fad5e3bbe65529083SSL SHA-256Fake Google cert
2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4daJARM38.49.57.15
1331821cc1c6d6873c56d1b90ccc20faPublic Key MD5Server 1
3bd0d90fbf36f5e7743db93c55d18906Public Key MD5Server 2
e781a4479f7c5a03b2dcfe4bd436366fInject StubShared across both servers

Azure Italy MSI Deployer

IndicatorTypeNotes
72.146.31.117C2 IPAzure Italy North (AS8075)
lcowpowerlite[.]italynorth[.]cloudapp[.]azure[.]comC2 HostnameAzure cloud hostname
711a55f8a7b07a59dc36d386179da161Public Key MD5Unique
c0f5928c29401663a7e585dabdabd1c0Inject StubUnique

Domain Fronting Infrastructure

IndicatorTypeNotes
8.138.167.123C2 IPAlibaba Cloud, China
dakk5rnsax46s[.]cfc-execute[.]su[.]baidubce[.]comC2 DomainBaidu CDN fronting
107.150.105.91C2 IPUCLOUD, US
8.219.76.168C2 IPAlibaba Cloud, Singapore
missmovie[.]lolC2 DomainCluster A domain
www[.]quick-shares[.]comC2 DomainCluster C domain

Operator Clusters (Public Key MD5)

KeyServersWatermark
ca1c5ee4c6f4451759972387cacad5ac107.150.105.91, 8.159.146.72, 8.138.222.215, 39.104.78.25666666666
f37b63e281f4d8f9ba757771bf73090b143.92.43.153, 143.92.43.246, 143.92.43.231100000
f09fbfdb3631dbb827cfaa7485f01b42101.132.173.62 (→ 38.182.168.169)100000

Network Detection

IndicatorContext
/api/v1/getGoogle Spider GET URI
/api/v1/postGoogle Spider POST URI
/__utm.gifAzure Italy GET URI (GA impersonation)
/___utm.gifAzure Italy POST URI
_UK=Google Spider GET cookie name
_ZF=Google Spider POST cookie name
%allusersprofile%\CrashReport\CrashReport64.exeSpawn-to path (Google Spider)
TranslateUS.msiMSI payload filename (Azure Italy)

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.