South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon

Published on

Mar 18, 2025

Hunt researchers identified a publicly exposed web server containing tools linked to an intrusion campaign targeting South Korean organizations. The server, accessible for less than 24 hours, hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat (CS Cat).

Alongside the modified version of the popular penetration testing tool, we found instances of SQLMap, Web-SurvivalScan, and dirsearch, suggesting the actor leveraged open-source tools to identify and exploit vulnerable web applications. Metadata and file contents indicate that some of the attacks may have been successful, with government and commercial entities appearing to be primary targets.

Combining a Rust-compiled loader with a modified version of Cobalt Strike, first circulated on a predominantly Chinese-language hacking forum, provides a clear view of the actor's approach to malware delivery and post-exploitation.

Hunt.io analysts reviewed the server's contents to better understand the tools and methods used in these attacks. We'll break down our findings in the following sections.

Open Directory Observations: Attacker Infrastructure & Tools

On March 8th, our scanners identified an open directory at 144.48.4[.]219:8000, hosted on the EDGENAP LTD network in Japan. The server, which was briefly exposed, used the SimpleHTTP/0.6 Python/3.12.3 header, indicating it was running Python's built-in SimpleHTTPServer.

Figure 1: AttackCapture™ overview of the open directory in Hunt.

In a previous blog post, we detailed how AttackCapture™ scans and automatically downloads files from open directories, which are available to preview or save to the user's computer.

Files with specific extensions are submitted to Hatching Triage for analysis, and a tag is applied, which assists in quick identification. Before we discuss Cobalt Strike Cat, we'll first cover the open-source tools found on the server:

  • dirsearch - A command-line tool used to brute-force directories and files on web servers, helping attackers identify hidden paths, admin panels, and exposed resources.

  • sqlmap - An automated SQL injection tool designed for detecting and exploiting SQL vulnerabilities, often used for dumping database contents and gaining unauthorized access.

  • Web-SurvivalScan - A subdomain enumeration tool that allows attackers to identify active domains within a target environment, supporting proxy integration to evade detection.

Though Web-SurvivalScan has been publicly available for years, it has rarely appeared in public reporting where it was used in malicious activity. The project on GitHub allows operators to rapidly scan and enumerate active subdomains, printing out a list for reconnaissance and further exploitation. A proxy feature is also included, enabling users to mask their scanning activity.

Figure 2: Snippet of the README for Web-SurvivalScan on GitHub.

Target Selection

The threat actor compiled a file named targ.txt, listing over 1,000 Korean domains associated with government agencies, local municipalities, and private businesses. The list included domains belonging to the Ministry of Health and Welfare, regional government offices, and companies spanning multiple industries.

The file was likely used as input for Web-SurvivalScan, allowing the operator to enumerate live subdomains for further analysis.

Figure 3: Snippet of the domains found in the targ.txt file on the exposed server.

Reconnaissance Automation: urls.py and res.txt

A Python script titled urls.py, containing Simplified Chinese comments, was also present in the directory. The script processes the output of Web-SurvivalScan queries, taking identified subdomains from res.txt and exporting them into a structured CSV file. This step automates the organization of reconnaissance data, streamlining subdomain discovery and likely supporting follow-on exploitation efforts.

Figure 4: Contents of the Python file, urls.py

Figure 5: res.txt containing the results of Web-SurvivalScan.

SQLMap for Initial Access

The sqli subfolder contains output from SQLMap, documenting SQL injection activity against multiple South Korean websites. Files 1.txt through 4.txt contain extracted database entries from four targeted domains. However, it is unclear if these were the only sites successfully exploited or if they represent a subset of broader activity before the directory was taken offline.

Another file, bbs_admin.csv, holds user credential data exfiltrated from an unnamed South Korean bulletin board system.

Figure 6: Screenshot of the contents of the 'sqli' folder.

Cobalt Strike Cat: Operator Activity and Additional Infrastructure

The threat actor used Cobalt Strike Cat, a modified variant of the post-exploitation tool based on version 4.5. Previous research has noted that CS Cat was first distributed on t00ls[.]com, available for download in a password-protected zip archive. Reviewing the bash history on the server shows the operator extracting the project files from 123.zip.

Although the open directory indicates a momentary lapse in operational security, the actor used one of the framework's features, Google 2FA, to log in to the command-and-control server. The team server's configuration details in CatServer.properties include additional information detailing how the malicious infrastructure was managed.

Figure 7: C2 server configuration file.

Attack Logs: Victim Beacons and Operator Access

Logs labeled 250307 and 250308 contain recent beacon activity, with events.log confirming check-ins from compromised hosts. The timestamps indicate that intrusions were ongoing when the server was accessible.

The log data reveals that the attacker used Scripted Web Delivery (PowerShell) to stage a payload on http://144.48.4[.]219:80/a before disconnecting and later rejoining the server from 104.167.222[.]106, likely to maintain access. Shortly after, two victim machines successfully established Cobalt Strike beacons.

Beacon metadata shows that both infected systems executed payloads (123.exe and ma.exe), with one running under LOCAL SERVICE privileges and the other under an Admin account.

Figure 8: Contents of the events.log from a possible March 8th campaign.

With evidence of active intrusions using CS Cat, we'll examine the malware components used in this campaign in the following section. As of the time of writing, we were unable to identify what, if any, actions were taken on the victim system, such as lateral movement or exfiltration of credentials/data.

Malware Analysis

While hunting for malware samples within the Cobalt Strike Cat folder and the broader directory, we identified ma.exe, a Cobalt Strike beacon, and several .txt files, some as large as 1 MB. Most of these files were Windows executables, likely staged to evade detection during download onto a victim system.

0101.txt and ma.exe (SHA-256: f635f424b967e3df6bec0e6bd4643d5b19bb6e3e3d9c925d91124b80f85e8d1b) are almost identical, except for some minor differences. Both are 288 KB in size and compiled using MinGW. All the beacons we encountered use the jQuery malleable C2 profile and communicate with the directory server on port 443.

Sandbox analysis identified a watermark of 100000000, a common identifier in cracked/leaked Cobalt Strike builds.

What really caught our attention was the unusual network behavior. The initial request to /jquery-3.3.1.min.js resulted in an HTTP 301 redirect to the official CIA website (https[:]//www.cia[.]gov). Follow-on requests triggered an 'unsupported browser' page from the same domain.

This behavior suggests the redirection was either:

  • An execution environment check to disrupt analysis in sandboxes.

  • A diversion tactic to mask actual C2 node communications.

Figure 9: One of the redirect responses as seen in Triage.

The remaining files, 88.txt, 882.txt, and 888.txt, are Rust-compiled executables that serve as Cobalt Strike Cat beacon loaders. Unlike the previously analyzed MinGW-compiled binaries, these do not exhibit the redirect behavior to the CIA website but follow a similar execution flow.

Using the open-source FLOSS tool by Mandiant, we extracted encoded data from the Rust binaries. Among the output were strings separated by hyphens, which, when processed through CyberChef, revealed a Windows PE file header (MZ). After reconstructing the extracted data and submitting it to VirusTotal, it was identified as Marte beacon shellcode.

These binaries effectively act as an intermediate execution layer, decoding and running shellcode instead of dropping a standalone payload to disk.
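To make the decoding step described above reproducible, the following Python script is added here as an example; it is not a tool from the post or from Hunt.io. It parses hyphen-separated byte tokens of the kind FLOSS surfaced from the Rust loaders, tries both decimal and hexadecimal interpretations (the post does not state which encoding the loaders used, so that choice is an assumption), and checks whether the decoded bytes carry an MZ header and a PE signature. The sample strings are constructed for the example and are not taken from 88.txt, 882.txt, or 888.txt.

```python
import struct


def _build_constructed_pe_stub() -> bytes:
    """Constructed 70-byte blob with a valid DOS header and PE signature (not real shellcode)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points just past the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"  # IMAGE_FILE_HEADER.Machine = 0x014c


# Constructed: the blob above encoded as hyphen-separated decimal byte values.
CONSTRUCTED_SAMPLE = "-".join(str(b) for b in _build_constructed_pe_stub())

# Constructed stand-ins for FLOSS output: ordinary Rust strings, a numeric decoy
# that is not a PE, and the encoded blob.
FLOSS_LINES = [
    "core::panicking::panic_fmt",
    "C:\\Users\\build\\.cargo\\registry",
    "1-2-3-4-5-6-7-8-9-10-11-12",
    CONSTRUCTED_SAMPLE,
]


def decode_hyphen_tokens(s: str):
    """Decode 'a-b-c-...' into bytes, trying decimal then hex; prefer a result that starts with MZ."""
    tokens = s.strip().split("-")
    if len(tokens) < 2:
        return None
    candidates = []
    for base in (10, 16):  # assumption: tokens are decimal or hex byte values
        try:
            vals = [int(t, base) for t in tokens]
        except ValueError:
            continue
        if all(0 <= v <= 255 for v in vals):
            candidates.append(bytes(vals))
    for cand in candidates:
        if cand.startswith(b"MZ"):
            return cand
    return candidates[0] if candidates else None


def classify(data: bytes) -> str:
    """Report whether a decoded blob looks like a PE image."""
    if len(data) < 2 or data[:2] != b"MZ":
        return "not PE"
    if len(data) < 0x40:
        return "MZ header, no PE signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MZ header, no PE signature"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return f"PE (machine=0x{machine:x})"


def triage_floss_output(lines):
    """Return (preview, verdict, decoded length) for every string that decodes to an MZ/PE blob."""
    hits = []
    for line in lines:
        line = line.strip()
        if line.count("-") < 8:  # skip short strings; real payloads are thousands of tokens
            continue
        data = decode_hyphen_tokens(line)
        if data is None:
            continue
        verdict = classify(data)
        if verdict != "not PE":
            hits.append((line[:24] + "...", verdict, len(data)))
    return hits


if __name__ == "__main__":
    for preview, verdict, size in triage_floss_output(FLOSS_LINES):
        print(f"{preview:30} {verdict:30} {size} bytes")
```

A hit from this script is a prompt to carve the decoded bytes to a file and submit the hash to VirusTotal or a sandbox, as the post did; the script itself never executes anything it decodes.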

Figure 10: Snippet of strings showing encoded text leading to Marte shellcode.

Conclusion

Our research identified an intrusion using Cobalt Strike Cat and Marte shellcode, deployed via MinGW- and Rust-compiled loaders. Analysis of the open directory revealed tooling for reconnaissance, SQL injection exploitation, and malware delivery, along with logs confirming beacon activity from compromised hosts.

Defenders should monitor for unusual network traffic over uncommon ports, irregular HTTP requests mimicking benign web traffic, and repeated connections to external infrastructure.
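As an added example that is not from the post or from Hunt.io, the following Python script turns the monitoring advice above into checks that run over a constructed proxy log: it refangs the two IP indicators from the post's IOC table, flags fetches of the jQuery malleable-profile path from hosts outside an assumed allowlist, flags a script fetch answered by a cross-host 301 (the cia.gov behaviour described earlier), and flags a one- or two-character path on a bare-IP host fetched by a PowerShell user agent, which is how Scripted Web Delivery typically retrieves its stager (that user-agent heuristic is an assumption, not something the post states). The log layout, the 198.51.100.x and 203.0.113.x addresses, and the allowlist are constructed for the example.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Defanged indicators from the post's IOC table; refanged below so they match log data.
DEFANGED_IOC_IPS = ["144.48.4[.]219", "104.167.222[.]106"]

# Assumption: hosts from which this hypothetical organization legitimately loads jQuery.
JQUERY_ALLOWLIST = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Constructed proxy log in a simplified CSV layout (not any real product's format).
SAMPLE_LOG = """\
ts,src_ip,dst_ip,dst_port,method,host,uri,status,location,user_agent
2025-03-08T09:00:01Z,10.1.2.3,198.51.100.10,443,GET,code.jquery.com,/jquery-3.3.1.min.js,200,,Mozilla/5.0
2025-03-08T09:05:12Z,10.1.2.3,203.0.113.25,443,GET,203.0.113.25,/jquery-3.3.1.min.js,301,https://www.cia.gov/,Mozilla/5.0
2025-03-08T09:06:40Z,10.1.2.9,144.48.4.219,80,GET,144.48.4.219,/a,200,,WindowsPowerShell/5.1
2025-03-08T09:07:00Z,10.1.2.3,198.51.100.20,443,GET,www.example.com,/index.html,200,,Mozilla/5.0
"""


def refang(ioc: str) -> str:
    """Undo common defanging so indicators compare equal to raw log values."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOC_IPS}


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(row: dict) -> list:
    """Apply the four heuristics to one log row and return the reasons that fired."""
    reasons = []
    uri, host = row["uri"], row["host"]
    if row["dst_ip"] in IOC_IPS:
        reasons.append("destination is a listed IOC IP")
    if uri == "/jquery-3.3.1.min.js" and host not in JQUERY_ALLOWLIST:
        reasons.append("jQuery malleable-profile URI fetched from non-allowlisted host")
    if row["status"] in {"301", "302"} and uri.endswith(".js") and row["location"]:
        redirect_host = urlsplit(row["location"]).hostname or ""
        if redirect_host and redirect_host != host:
            reasons.append(f"script fetch redirected off-host to {redirect_host}")
    if is_bare_ip(host) and len(uri.strip("/")) <= 2 and "PowerShell" in row["user_agent"]:
        reasons.append("short path on bare-IP host fetched by PowerShell (Scripted Web Delivery pattern)")
    return reasons


def analyze(log_text: str) -> list:
    """Run the checks over a CSV log and return one alert per row that triggered anything."""
    alerts = []
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=1):
        reasons = evaluate(row)
        if reasons:
            alerts.append({"line": n, "dst": f"{row['dst_ip']}:{row['dst_port']}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"line {alert['line']} -> {alert['dst']}: {'; '.join(alert['reasons'])}")
```

The jQuery-path check is noisy on its own, since the profile imitates real CDN traffic by design; the allowlist and the off-host redirect check are what separate a beacon check-in from a page loading a library.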

Given the attacker's use of SQL injection for initial access, organizations should enforce input validation, apply security patches for web applications, and log database queries for signs of exploitation attempts.
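The three controls in the paragraph above, shown together in a small Python/sqlite3 example that is added here and is not code from the post or from any of the affected sites: a user lookup that builds SQL by string formatting (the pattern SQLMap exploits), the same lookup with input validation and parameter binding, and a statement-level query log reviewed for injection markers. The table, its rows, the hash placeholders and the marker patterns are constructed.

```python
import re
import sqlite3

# Assumption: usernames on this hypothetical board are short ASCII identifiers.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Crude indicators of injection attempts in logged statements (assumption: a starting
# point for review, not a complete signature set).
SQLI_RE = re.compile(
    r"'\s*(?:OR|AND)\s*'|UNION\s+(?:ALL\s+)?SELECT|--|/\*|SLEEP\s*\(|WAITFOR\s+DELAY",
    re.IGNORECASE,
)

QUERY_LOG = []


def _setup_constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for a bulletin-board admin table; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bbs_admin (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO bbs_admin (username, password_hash) VALUES (?, ?)",
        [("admin", "<hash-placeholder-1>"), ("editor", "<hash-placeholder-2>")],
    )
    return conn


def attach_query_logger(conn: sqlite3.Connection) -> None:
    # sqlite3's trace callback sees every statement the engine runs: the
    # "log database queries" control from the post in miniature.
    conn.set_trace_callback(QUERY_LOG.append)


def lookup_user_vulnerable(conn, username: str) -> list:
    # Before: string formatting lets untrusted input rewrite the WHERE clause.
    sql = f"SELECT username FROM bbs_admin WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_hardened(conn, username: str) -> list:
    # After: validate the shape of the input, then bind it so it stays data, not SQL.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    rows = conn.execute(
        "SELECT username FROM bbs_admin WHERE username = ? ORDER BY id", (username,)
    )
    return [row[0] for row in rows]


def suspicious_queries(log) -> list:
    """Return logged statements that carry an injection marker."""
    return [stmt for stmt in log if SQLI_RE.search(stmt)]


def run_demo() -> dict:
    """Exercise both lookups with a normal and a tautology input and review the log."""
    QUERY_LOG.clear()
    conn = _setup_constructed_db()
    attach_query_logger(conn)
    result = {
        "vulnerable_normal": lookup_user_vulnerable(conn, "admin"),
        "vulnerable_tautology": lookup_user_vulnerable(conn, "x' OR '1'='1"),
        "hardened_normal": lookup_user_hardened(conn, "admin"),
    }
    try:
        lookup_user_hardened(conn, "x' OR '1'='1")
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    result["flagged"] = suspicious_queries(QUERY_LOG)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the tautology input, which is exactly the kind of dump found in the sqli folder; the hardened lookup never runs that statement, and the one injected query that did execute is the only entry the log review flags.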

Cobalt Strike Cat Open Directory Network Observables and IOCs

IP Address          | ASN             | Domain(s) | Location | Notes
144.48.4[.]219:8000 | EDGENAP LTD     | N/A       | JP       | Open directory.
104.167.222[.]106   | DediOutlet, LLC | N/A       | US       | Secondary IP seen logging into CS Cat server.

Cobalt Strike Cat Open Directory Host Observables and IOCs

Filename        | SHA-256 Hash
ma.exe          | f635f424b967e3df6bec0e6bd4643d5b19bb6e3e3d9c925d91124b80f85e8d1b
0101.txt        | 4b00b7ef72db51bd3c40366e283fc4eed7d613b410fdebaf451bf926fdd427fd
88.txt          | 97536e893cbd37b535911d36b284de01325f3a6cd7213e4e82536cef1d85c3aa
882.txt         | 8212f3c18f5c875e5543e08389798edb8cdace8446211cedb0baee70e0e37d97
888.txt         | bbb6542d8602dfe0b66073266a3606e6804f5b2c67d64266b0ef245220ccc3cc
Marte Shellcode | 36ca817200204eae59263031e64971e18a8f1d187c81e858d21e4567885e3040
123.zip         | cb884be5f579e4e4917de5d9ae0a9cd3d9c80397b9a1519a8bb1fd5eeb6b882b

