How legitimate security tool Cobalt Strike is being used in cyberattacks
2021-06-29 18:06

Analyzing the illegitimate use of Cobalt Strike, Proofpoint said it found that the tool is increasingly being used by attackers as an initial access payload, meaning it's enlisted to deploy the initial malicious payload onto victimized machines.

This is a change from past instances when Cobalt Strike was used more as a second-stage tool that played a role once the targeted systems had already been accessed.

Cobalt Strike first surfaced in 2012 as a tool to help organizations detect gaps in their security defenses.

In the past, the use of Cobalt Strike in cyberattacks was largely confined to well-funded cybercriminal groups and advanced persistent threat groups.

Between 2019 and 2021, that percentage plummeted to just 15%, indicating that Cobalt Strike is now being used by more commonplace attackers.

Looking ahead, Proofpoint said it expects Cobalt Strike will continue to be used in cyberattacks.


News URL

https://www.techrepublic.com/article/how-legitimate-security-tool-cobalt-strike-is-being-used-in-cyberattacks/#ftag=RSS56d97e7