{"id":56481,"date":"2024-07-04T08:30:07","date_gmt":"2024-07-04T08:30:07","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/"},"modified":"2024-07-04T08:30:07","modified_gmt":"2024-07-04T08:30:07","slug":"europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/","title":{"rendered":"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown"},"content":{"rendered":"<p>Europol just announced that a week-long operation at the end of June dropped nearly 600 IP addresses that supported illegal copies of Cobalt Strike.<\/p>\n<p>Fortra&#8217;s legitimate red-teaming tool is notorious for being widely abused by cybercriminals, who source cracked copies of the tool for use in malware and ransomware operations like <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/02\/10\/conti_ryuk_trickbot_sanctions\/\" rel=\"noopener\">Ryuk<\/a>, <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/01\/25\/trickbot_malware_dev_sentenced\/\" rel=\"noopener\">Trickbot<\/a>, and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/06\/13\/conti_lockbit_ukraine_arrest\/\" rel=\"noopener\">Conti<\/a>.<\/p>\n<p>Europol said the disruptive action, dubbed Operation Morpheus, is the culmination of work that began three years ago. It was carried out with partners in the private sector between June 24 and 28.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>&#8220;Throughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool,&#8221; it <a target=\"_blank\" href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike\" rel=\"nofollow noopener\">said<\/a> today.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>&#8220;A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.<\/p>\n<p>&#8220;This investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol coordinated the international activity and liaised with the private partners.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Various private sector partners supported the week-long sprint, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation.&nbsp;<\/p>\n<p>The partners used Europol&#8217;s Malware Information Sharing Platform to submit pieces of evidence and threat intelligence that supported the disruption efforts. The Euro cop shop said more than 730 pieces of threat intel were shared as well as nearly 1.2 million indicators of compromise over the course of the entire operation.<\/p>\n<p>&#8220;Cobalt Strike is the Swiss Army knife of cybercriminals and nation-state actors,&#8221; said Don Smith, vice president of threat intelligence at Secureworks. &#8220;Cobalt Strike has long been the tool of choice for cybercriminals, including as a precursor to ransomware. It is also deployed by nation-state actors, such as Russian and Chinese [groups], to facilitate intrusions in cyber espionage campaigns.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>&#8220;Used as a foothold, it has proven to be highly effective at providing a persistent backdoor to victims, facilitating intrusions of all forms. This disruption is to be welcomed, removing Cobalt Strike infrastructure used by criminals is always a good thing.&#8221;<\/p>\n<p>Trellix&#8217;s Joao Marques, John Fokker, and Leandro Velasco also blogged about their involvement in Operation Morpheus. They said that while the disruption activity will make criminals rethink their use of Cobalt Strike, its data shows that the work didn&#8217;t touch China.<\/p>\n<p>According to its telemetry, China hosts 43.85 percent of Cobalt Strike resources. To put that in context, the next biggest distributor is the US with a 19.08 percent share.<\/p>\n<p>Contrast that with the country that bears the brunt of the most Cobalt Strike attacks (the US with a 45.04 percent share) and you can take an educated guess as to where the criminals that abuse Fortra&#8217;s tool the most reside.<\/p>\n<p>&#8220;The dismantling of Cobalt Strike infrastructure sends a powerful message to cybercriminals and nation-state actors about the repercussions of malicious cyber activities,&#8221; <a target=\"_blank\" href=\"https:\/\/www.trellix.com\/blogs\/research\/disrupting-cobalt-strike-with-threat-intelligence\/\" rel=\"nofollow noopener\">said<\/a> the researchers.<\/p>\n<p>The NCA said in a statement: &#8220;This disruption activity represents more than two-and-a-half years of NCA-led international law enforcement and private industry collaboration to identify, monitor and denigrate its use.&#8221;<\/p>\n<p>While law enforcement agencies acknowledged the &#8220;significant steps&#8221; Fortra has taken to prevent its powerful post-exploitation tool from being misused, Trellix&#8217;s team wasn&#8217;t as positive.<\/p>\n<p>Marques, Fokker, and Velasco said they welcomed Fortra&#8217;s collaboration with Operation Morpheus and the measures taken to prevent Cobalt Strike&#8217;s misuse, but alluded to lingering concerns.<\/p>\n<p>&#8220;We are very content to see that Fortra, the current owners of Cobalt Strike, have collaborated in the operation and are implementing more sophisticated measures to prevent cracking their software,&#8221; they said.<\/p>\n<p>&#8220;However, it is important to address the longstanding stance of Cobalt Strike under previous ownership, regarding its restrictions to purchase a license for cybersecurity vendors. Many cybersecurity vendors believe this decision has inadvertently fostered a precarious environment where cybercriminals exploit cracked versions of Cobalt Strike for malicious activities and vendors are not able to defend against its misuse.<\/p>\n<p>&#8220;Although these new measures are a very good step in the right direction, we are eager to do more. This situation underscores the need for more integral collaborative efforts to protect organizations against the abuse of Cobalt Strike. We call on Cobalt Strike to reconsider its policies and collaborate with cybersecurity vendors to enhance products and combat the misuse of these powerful tools.&#8221;<\/p>\n<p>We asked Trellix about the specific issues they&#8217;re referring to and will update the article when answers come in.<\/p>\n<h3 class=\"crosshead\">Take two<\/h3>\n<p>Operation Morpheus&#8217;s efforts come just over a year after Microsoft, Fortra, and Health-ISAC <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/04\/10\/microsoft_fortra_cobalt_strike\/\" rel=\"noopener\">took a case to court<\/a>, getting legal permission to take down various IP addresses it located that hosted cracked versions of Cobalt Strike.<\/p>\n<p>This followed Google <a target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/making-cobalt-strike-harder-for-threat-actors-to-abuse\" rel=\"nofollow noopener\">offering<\/a> a different kind of support in the fight against the abuse of Cobalt Strike. In 2022 it worked up and open-sourced a list of 165 YARA rules to help organizations swiftly quash any of the 34 versions the Chocolate Factory identified in circulation at the time.<\/p>\n<p>However, even last year when the first round of IP addresses was neutralized, investigators knew it wasn&#8217;t going to be enough.<\/p>\n<p>&#8220;While this action will impact the criminals&#8217; immediate operations, we fully anticipate they will attempt to revive their efforts,&#8221; said Amy Hogan-Burney, general manager of the Microsoft security unit at the time. &#8220;Our action is therefore not one and done.&#8221;<\/p>\n<p>Since Fortra bought Cobalt Strike in 2020, it has made strides in ensuring criminals don&#8217;t get access to legitimate versions of its tools. For example, it soon started vetting all applicants vigorously before giving licenses out, but cracked versions in hard-to-reach places like China may prove difficult to eradicate for good.<\/p>\n<p>Paul Foster, director of Threat Leadership at the National Crime Agency, said: &#8220;Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes.<\/p>\n<p>&#8220;Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise.<\/p>\n<p>&#8220;Such attacks can cost companies millions in terms of losses and recovery.&#8221;<\/p>\n<p>He urged businesses that have been a victim of cyber crime to &#8220;come forward and report such incidents to law enforcement.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/07\/04\/europol_cobalt_strike_crackdown\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Private sector helped out with week-long operation \u2013 but didn&#8217;t touch China Europol just announced that a week-long operation at the end of June dropped nearly 600 IP addresses that supported illegal copies of Cobalt Strike.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-56481","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-04T08:30:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown\",\"datePublished\":\"2024-07-04T08:30:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/\"},\"wordCount\":1059,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/\",\"name\":\"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-07-04T08:30:07+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/","og_locale":"en_US","og_type":"article","og_title":"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-07-04T08:30:07+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown","datePublished":"2024-07-04T08:30:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/"},"wordCount":1059,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/","url":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/","name":"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-07-04T08:30:07+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zob2dzUHRuCQSZLcnSDRjgAAAMc&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/europol-nukes-nearly-600-ip-addresses-in-cobalt-strike-crackdown\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56481"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56481\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}