Although Cobalt Strike was originally developed for ethical hacking and red teaming, the platform’s robust features have increasingly drawn the attention of malicious actors. From state-sponsored APTs to hacktivists and cybercriminals, adversaries leverage Cobalt Strike for sophisticated and stealthy attacks. In this session, we will demonstrate our end-to-end process for:

• Continuously harvesting Cobalt Strike payloads from VirusTotal
• Automating the de-obfuscation of extracted samples
• Identifying and extracting key IOCs, such as C2 infrastructure and configuration details

We will walk through the custom scripts and tooling that power this pipeline, sharing the challenges and lessons learned in scaling up analysis. Attendees will see how to convert vast quantities of malware data into timely, actionable intelligence to enhance detection, incident response, and overall security posture. By studying these real-world payloads, defenders can better understand how threat actors abuse Cobalt Strike and apply those insights to fortify their defences.