Beyond Windows: How Attackers Are Using CrossC2 to Infiltrate Linux Networks
Japan has been struck by a new wave of cyberattacks involving CrossC2, a tool that extends the capabilities of Cobalt Strike to Linux and macOS platforms. According to JPCERT/CC, these attacks took place between September and December 2024 and affected several countries, including Japan.
Analysis of artifacts uploaded to VirusTotal revealed that the attackers combined CrossC2 with other utilities such as PsExec, Plink, and Cobalt Strike itself in order to infiltrate Active Directory infrastructures. The deployment of Cobalt Strike was facilitated by a custom loader, dubbed ReadNimeLoader.
CrossC2 is an unofficial variant of the Cobalt Strike Beacon payload and its builder, enabling Cobalt Strike commands to be executed across multiple operating systems once a connection to the remote server specified in the configuration has been established. In the documented cases, the attackers created a scheduled task on compromised machines that launched the legitimate executable java.exe; java.exe then side-loaded ReadNimeLoader in place of the jli.dll library it expects to find alongside it.
ReadNimeLoader, written in the Nim programming language, reads the contents of a text file directly into memory, avoiding any write to disk. The code it loads is OdinLdr, an open-source shellcode loader that decodes and executes an embedded Cobalt Strike Beacon entirely in memory. The loader also incorporates anti-debugging and anti-analysis techniques, so OdinLdr is not decoded until the surrounding environment has been thoroughly checked.
JPCERT/CC highlighted strong similarities between this campaign and the activity of the BlackSuit/Black Basta operators, as reported by Rapid7 in June 2025. Overlaps were observed in the use of command-and-control domains and file naming conventions. Investigators also uncovered several ELF variants of the SystemBC backdoor, which frequently precede Cobalt Strike deployments and ransomware execution.
Experts emphasized that attackers were aggressively compromising Linux servers within corporate networks. Many of these systems lack EDR solutions or equivalent detection mechanisms, making them convenient entry points for further attack escalation. This raises the likelihood of widespread intrusions and underscores the urgent need for stricter monitoring and defense of these critical infrastructure segments.