Japan’s CERT coordination center (JPCERT/CC) on Thursday revealed it observed incidents that involved the use of a command-and-control (C2) framework called CrossC2, which is designed to extend the functionality of Cobalt Strike to other platforms like Linux and Apple macOS for cross-platform system control.
The agency said the activity was detected between September and December 2024, targeting multiple countries, including Japan, based on an analysis of VirusTotal artifacts.
“The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware as a loader for Cobalt Strike,” JPCERT/CC researcher Yuma Masubuchi said in a report published today.
The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is capable of executing various Cobalt Strike commands after establishing communication with a remote server specified in the configuration.
In the attacks documented by JPCERT/CC, a scheduled task set up by the threat actor on the compromised machine is used to launch the legitimate java.exe binary, which is then abused to sideload ReadNimeLoader (“jli.dll”).
Written in the Nim programming language, the loader extracts the content of a text file and executes it directly in memory so as to avoid leaving traces on disk. This loaded content is an open-source shellcode loader dubbed OdinLdr, which ultimately decodes the embedded Cobalt Strike Beacon and runs it, also in memory.
ReadNimeLoader also incorporates various anti-debugging and anti-analysis techniques that are designed to prevent OdinLdr from being decoded unless the route is clear.
JPCERT/CC said the attack campaign shares some level of overlap with BlackSuit/Black Basta ransomware activity reported by Rapid7 back in June 2025, citing overlaps in the command-and-control (C2) domain used and similarly-named files.
Another notable aspect is the presence of several ELF versions of SystemBC, a backdoor that often acts as a precursor to the deployment of Cobalt Strike and ransomware.
“While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network,” Masubuchi said.
“Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required.”
