Threat Watch

Decompiled Source Code of Cobalt Strike Released on GitHub

On November 11, 2020, a user named FreakBoy allegedly released the source code to Cobalt Strike 4.0. Cobalt Strike is a known closed-source and legitimate post-exploitation toolkit often used by red teams and penetration testers. Incidents like this have occurred and cracked but compiled, versions of the tool have seen releases from various sources. Based on what Binary Defense has seen of the repository, the code used for the paid license has been commented out and is not required to run effectively. Based on Bleeping Computer’s reporting and communication with Advanced Intel’s Vitali Kremez, the repository owner removed the standard dependencies and replaced them with open-source variants.


An investigation into this user shows that the account and the repository are only 13 days old. It was only a matter of time before this repository was discovered and forked with it being so new. At the time of writing, the repository has been copied 388 times, and that number will only continue to grow until the main repository is taken down. With releases such as these, the barrier to entry for threat actors drops even lower, and news of breaches utilizing this code will be sure to time in the future. It should also be said that using this code in any manner presents legal problems for organizations in the hopes of gaining an edge from a defensive perspective.