Investment holding · Cobalt Strike Malleable C2 · APT41 · undetected for 4 months · USOM coordination
An investment holding's SOC analyst noticed an anomalous jitter pattern in HTTPS traffic: a Cobalt Strike Malleable C2 profile (Amazon mimicking) had been used. Inside for 4 months, 23 endpoints infected. An APT41 TTP match. With 2 weeks of passive observation + USOM coordination + coordinated eradication DSET achieved 24 months of clean operation and national threat intel sharing.
01 The Challenge
Zeek/Suricata: a C2 beacon polling every 60s ± 10s (Cobalt Strike default). JA3 fingerprint 72a589da586844d7f0818ce684948eea (Cobalt Strike defaults). 23 endpoints infected, including the CFO + CEO + 4 investment analysts. Sensitive investment strategies at risk.
02 DSET's Approach
T+0 · Start passive observation
DSET was called in urgently, a 2-week passive observation TTP collection plan. Early movement triggers APT41.
T+2 weeks · Full TTP map
The C2 server identity (a Chinese VPN) + the exfil channel + IOCs were fully mapped. USOM coordination, joint work with the authorities of 4 countries.
T+15 days · Coordinated eradication
Simultaneous cleanup of 23 endpoints (without the attacker noticing). A joint C2 takedown with USOM (coordination with the Chinese VPN provider).
T+18 days · AD reset
krbtgt rotation × 2, DA reset, all credentials reset. The attacker was completely kicked out.