Flow of Cobalt Strike execution | Image: JPCERT/CC
Between September and December 2024, JPCERT/CC uncovered a sophisticated cyber campaign leveraging CrossC2, an extension tool designed to generate Cobalt Strike Beacons for Linux, in tandem with a custom loader known as ReadNimeLoader. The findings reveal how attackers combined open-source tooling with custom malware to compromise both Linux and Windows environments, escalating their foothold inside corporate networks.
According to JPCERT/CC, “CrossC2 is an unofficial Beacon and builder compatible with Cobalt Strike version 4.1 and above, developed in C language. It is designed to operate on Linux (x86, x64) and macOS (x86, x64, M1) architectures.”
Unlike traditional Cobalt Strike implants, CrossC2 comes equipped with anti-analysis features such as single-byte XOR string encoding, junk code insertion, and encrypted configuration blocks hidden within the binary. These make reverse engineering harder for analysts and let attackers operate stealthily on Linux hosts, which often lack the endpoint detection coverage deployed on Windows systems.
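Single-byte XOR string encoding is cheap for the malware author and cheap for the analyst to undo: there are only 256 possible keys. The script below is an added example for analysts, not JPCERT/CC's parser and not CrossC2 code; it tries every key and ranks the results by how much the output looks like text. The encoded sample, its key (0x5A) and the plaintext are constructed for the demonstration and say nothing about the real key or string layout in CrossC2 samples.

```python
"""Brute-force recovery of single-byte XOR encoded strings.

Added example for analysts, not JPCERT/CC's parser or CrossC2 code. The
encoded sample is constructed here with a key chosen for illustration; the
real key and string layout used by CrossC2 samples are not reproduced.
"""


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def _is_printable(b: int) -> bool:
    """ASCII 0x20..0x7E plus tab, LF and CR."""
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def _score(plain: bytes) -> float:
    """Fraction of bytes that are ASCII letters or spaces. Real strings
    (messages, paths, URLs) score high; mis-keyed output scores low even
    when it happens to be entirely printable."""
    if not plain:
        return 0.0
    good = sum(1 for b in plain
               if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A or b == 0x20)
    return good / len(plain)


def brute_force_xor(blob: bytes) -> list[tuple[int, bytes]]:
    """Try all 256 keys and return (key, plaintext) pairs whose output is
    entirely printable, best-scoring first. Several keys usually survive the
    printability filter, so the ranking, not the filter, picks the answer."""
    candidates = []
    for key in range(256):
        plain = xor_single_byte(blob, key)
        if all(_is_printable(b) for b in plain):
            candidates.append((_score(plain), key, plain))
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return [(key, plain) for _, key, plain in candidates]


# Constructed sample (not taken from any real sample): a plausible status
# string encoded with the arbitrary key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"connection timed out, retrying in 30 seconds"
SAMPLE_ENCODED = xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    for key, plain in brute_force_xor(SAMPLE_ENCODED)[:5]:
        print(f"key=0x{key:02x} {plain!r}")
```

Note that key 0x00 (the encoded bytes themselves) also passes the printability filter for this sample, which is why a plain "is it printable?" check is not enough and the letter/space score does the real work. In practice you would run this over each encoded string extracted from the binary, or over the decrypted configuration blob, rather than over one hand-made sample.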
While CrossC2 expanded adversary reach into Linux, Windows systems were infiltrated through a loader written in Nim, dubbed ReadNimeLoader. JPCERT/CC explains, “ReadNimeLoader reads a data file named readme.txt from the same directory, decrypts it, and executes its content in memory. This file contains OdinLdr, an open-source Shellcode-format loader, which decodes the embedded Cobalt Strike Beacon and executes it in memory.”
ReadNimeLoader employs multiple anti-analysis techniques, including debugger checks, timing discrepancies, and exception-based detection. Furthermore, its decryption routines rely on keys embedded inside these anti-analysis functions, meaning the malware payload cannot be fully unlocked unless the checks execute under normal runtime conditions.
The decrypted OdinLdr payload is key to executing Cobalt Strike Beacons while avoiding detection. JPCERT/CC notes, “To avoid detection, the Beacon is periodically re-encrypted using a randomly generated XOR key and stored in newly allocated heap memory. It is a distinctive characteristic that there is the string ‘OdinLdr1337’ at the beginning of the heap memory.”
This constant re-encryption strategy makes memory forensics more challenging and gives attackers persistence within compromised environments.
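Because the XOR key is regenerated on every re-encryption, the encrypted Beacon itself gives a memory scanner nothing stable to match on; the fixed "OdinLdr1337" string at the start of the heap allocation does. The scanner below is an added example, not JPCERT/CC or OdinLdr code: it walks a raw memory dump in chunks, carries the tail of each chunk into the next so a marker split across a read boundary is still found exactly once, and reports the absolute offsets. The sample image, its offsets and the chunk sizes are constructed for the demonstration; only the marker string comes from the write-up.

```python
"""Scan memory for the OdinLdr heap marker reported by JPCERT/CC.

Added example, not JPCERT/CC or OdinLdr code. The marker "OdinLdr1337" is
the string the write-up reports at the start of the re-encrypted Beacon's
heap allocation; everything else here (the constructed image, offsets and
chunk sizes) is made up for the demonstration.
"""
import io
from typing import BinaryIO

MARKER = b"OdinLdr1337"


def scan_stream(fh: BinaryIO, chunk_size: int = 4096) -> list[int]:
    """Return the absolute offset of every MARKER occurrence in a stream.

    Reads in chunks and carries the last len(MARKER) - 1 bytes over to the
    next read, so a marker split across two reads is found exactly once
    (the carry is too short to hold a whole marker, so no double counting).
    """
    hits: list[int] = []
    overlap = len(MARKER) - 1
    carry = b""
    base = 0  # absolute offset of buf[0] in the loop below
    while True:
        data = fh.read(chunk_size)
        if not data:
            break
        buf = carry + data
        start = 0
        while (idx := buf.find(MARKER, start)) != -1:
            hits.append(base + idx)
            start = idx + 1
        carry = buf[-overlap:] if len(buf) > overlap else buf
        base += len(buf) - len(carry)
    return hits


def find_marker(image: bytes, chunk_size: int = 4096) -> list[int]:
    """Convenience wrapper for an in-memory image (e.g. one dumped region)."""
    return scan_stream(io.BytesIO(image), chunk_size)


def scan_file(path: str, chunk_size: int = 1 << 20) -> list[int]:
    """Scan a raw dump on disk without loading it all at once."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size)


def build_sample_image() -> bytes:
    """Constructed 12,000-byte 'heap' with three markers; the one at 4090
    straddles the default 4096-byte chunk boundary. Filler bytes stay in
    0x00..0x3F, so they can never contain 'O' (0x4F) and cause a false hit."""
    image = bytearray(i & 0x3F for i in range(12000))
    for off in (100, 4090, 9000):
        image[off:off + len(MARKER)] = MARKER
    return bytes(image)


if __name__ == "__main__":
    for off in find_marker(build_sample_image()):
        print(f"OdinLdr marker at offset 0x{off:x}")
```

A hit marks the start of an allocation whose following bytes are the XOR-encrypted Beacon; the scanner cannot decode them, since the key changes with every re-encryption, so treat the offset as the trigger to acquire the process for analysis rather than as a decryptor. The same marker can equally be expressed as a YARA or memory-scanning rule for process memory.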
The adversaries deployed a broad arsenal of tools beyond CrossC2 and ReadNimeLoader. JPCERT/CC identified SystemBC (ELF versions), PsExec for lateral movement, Plink for tunneling, and GetNPUsers to conduct AS-REP Roasting attacks against Active Directory. These capabilities underscore the attackers’ ability to operate across multiple platforms and domains, from Linux servers to Windows-based Active Directory infrastructures.
Interestingly, JPCERT/CC uncovered operational overlaps with known ransomware operators. “Despite architectural differences, confirmed identical characteristics suggest that this attacker and the attack campaign have a potential connection to BlackBasta. More specifically, the domain confirmed to be used for the C2 in this campaign matches the one listed in Rapid7’s report on BlackBasta.”
This hints at possible ties between financially motivated ransomware groups and advanced intrusion campaigns involving CrossC2.
To aid defenders, JPCERT/CC has released a CrossC2 configuration parser on GitHub, enabling analysts to extract and decrypt embedded configuration data. The advisory warns, “Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus more attention is required.”