Open-source Cobalt Strike port 'Geacon' used in macOS attacks
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.
Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.
When Geacon first appeared on GitHub as a promising port for Cobalt Strike that could work on macOS, hackers appeared to pay little attention to it.
SentinelOne reports that this changed in April, after anonymous Chinese developers published two Geacon forks on GitHub: Geacon Plus, which is free and publicly available, and Geacon Pro, the private, paid version.
In this case, the C2 server IP address that Geacon communicates with is based in Japan and VirusTotal has connected it to past Cobalt Strike operations.
While SentinelOne agrees that some of the observed Geacon activity is likely linked to legitimate red team operations, there is a good chance that real adversaries "will make use of the public and possibly even the private forks of Geacon."