Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Cobalt Strike for everyone with CrossC2! We’re paying attention to Linux servers without EDR

15 August 2025 09:57

Japan has been hit by a new wave of cyberattacks using CrossC2, a tool that extends Cobalt Strike to Linux and macOS targets. The JPCERT Coordination Center (JPCERT/CC) reported that the attacks took place between September and December 2024 and affected several countries, Japan among them.

Analysis of artifacts uploaded to VirusTotal showed that the attackers combined CrossC2 with other tools, such as PsExec, Plink and Cobalt Strike itself, to move through Active Directory environments. Cobalt Strike was loaded by a purpose-built loader called ReadNimeLoader.

CrossC2 is an unofficial Beacon and Beacon builder that lets Cobalt Strike commands run on operating systems other than Windows once the implant has connected to the remote server specified in its configuration. In the reported cases, the attackers created a scheduled task on infected Windows hosts that ran a legitimate java.exe; java.exe then side-loaded ReadNimeLoader, which had been placed beside it under the name jli.dll, a library the real Java launcher expects to find in its own directory.

ReadNimeLoader is written in Nim. It reads a text file and loads its contents directly into memory, so the decoded payload never touches disk. That content is OdinLdr, an open-source shellcode loader that decodes the embedded Cobalt Strike Beacon and runs it in memory. ReadNimeLoader also carries anti-debugging and anti-analysis checks, so OdinLdr is decoded only after the loader has satisfied itself that it is not running under a debugger or an analysis tool.
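The execution chain described in the two paragraphs above (scheduled task, legitimate java.exe, malicious jli.dll side-loaded from the same directory) leaves a correlatable trace in process telemetry. The following hunting script is an added example, not code from JPCERT/CC, Red Hot Cyber or the CrossC2 project. The event records are constructed and only mimic Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) fields; the TRUSTED_JAVA_ROOTS list and the "svchost.exe is the Task Scheduler parent" heuristic are assumptions to tune for your own estate.

```python
"""Hunt for the java.exe / jli.dll side-loading chain in process telemetry.

Added example, not code from JPCERT/CC, Red Hot Cyber or CrossC2. Records in
SAMPLE_EVENTS are constructed (no real IOCs) and mimic Sysmon Event ID 1
(ProcessCreate) and Event ID 7 (ImageLoad) fields.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption: directories where legitimate Java installs (and therefore a real
# jli.dll) live on the monitored hosts. Extend for your own software inventory.
TRUSTED_JAVA_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Java"),
    PureWindowsPath(r"C:\Program Files (x86)\Java"),
    PureWindowsPath(r"C:\Program Files\Eclipse Adoptium"),
)

# Assumption: on current Windows builds, processes started by the Task Scheduler
# appear as children of the "Schedule" service host (svchost.exe).
TASK_SCHEDULER_PARENT = "svchost.exe"


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list[str] = field(default_factory=list)


def _under_trusted_root(path: str) -> bool:
    """True if path sits inside one of the trusted Java roots (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in TRUSTED_JAVA_ROOTS)


def hunt_jli_sideload(events: list[dict]) -> list[Finding]:
    """Correlate ProcessCreate (id 1) and ImageLoad (id 7) records by PID and
    flag java.exe processes that load a jli.dll from an unexpected place or
    without a valid signature. A Task Scheduler parent is added as context."""
    creates = {e["pid"]: e for e in events if e["id"] == 1}
    findings: dict[int, Finding] = {}

    for e in events:
        if e["id"] != 7 or PureWindowsPath(e["loaded"]).name.lower() != "jli.dll":
            continue
        if PureWindowsPath(e["image"]).name.lower() != "java.exe":
            continue
        reasons = []
        if not _under_trusted_root(e["image"]):
            reasons.append("java.exe running outside a trusted Java root")
        if not _under_trusted_root(e["loaded"]):
            reasons.append("jli.dll loaded from outside a trusted Java root")
        if not e.get("signed", False):
            reasons.append("jli.dll is unsigned")
        if not reasons:
            continue  # a packaged JRE loading its own signed jli.dll is normal
        parent = creates.get(e["pid"], {}).get("parent", "")
        if PureWindowsPath(parent).name.lower() == TASK_SCHEDULER_PARENT:
            reasons.append("launched under the Task Scheduler service host")
        findings[e["pid"]] = Finding(e["pid"], e["image"], reasons)
    return list(findings.values())


# Constructed sample telemetry: one benign JRE launch, one side-loading chain,
# one unrelated image load.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Program Files\Java\jre-17\bin\java.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 7, "pid": 4120, "image": r"C:\Program Files\Java\jre-17\bin\java.exe",
     "loaded": r"C:\Program Files\Java\jre-17\bin\jli.dll", "signed": True},
    {"id": 1, "pid": 5208, "image": r"C:\Users\Public\Libraries\java.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 7, "pid": 5208, "image": r"C:\Users\Public\Libraries\java.exe",
     "loaded": r"C:\Users\Public\Libraries\jli.dll", "signed": False},
    {"id": 7, "pid": 6010, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for f in hunt_jli_sideload(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}")
        for r in f.reasons:
            print(f"  - {r}")
```

The script deliberately keys on the combination rather than on any single signal: a JRE started by a scheduled task is ordinary, and a copied java.exe by itself is only odd. What separates the chain in this campaign is a renamed launcher sitting next to an unsigned jli.dll outside any software-managed path, started by the scheduler. Feed it your real Sysmon or EDR exports after mapping field names, and expect to extend TRUSTED_JAVA_ROOTS with every legitimate bundled JRE in your environment before the output is quiet enough to act on.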

JPCERT/CC noted overlaps between this campaign and the BlackSuit/Black Basta activity that Rapid7 described in June 2025: the same C&C domain and matching filenames. Several ELF builds of the SystemBC backdoor were also found; SystemBC is commonly deployed ahead of Cobalt Strike and, ultimately, of the ransomware itself.

The researchers draw particular attention to the attackers' active compromise of Linux servers inside corporate networks. Many of these systems run no EDR or comparable detection tooling, which makes them a convenient foothold from which to extend the intrusion. That raises the risk of a large-scale breach and argues for much tighter monitoring of these segments of the infrastructure.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.