Cross-platform attacks can now target underprotected Linux and macOS systems, raising risks of ransomware and stealthy intrusions to new heights.
Hackers have just been caught extending the reach of the notorious Cobalt Strike Beacon to Linux and macOS systems — by using a command-and-control (C2) framework called CrossC2.
This cross-platform capability dramatically broadens the attack surface, allowing hackers to penetrate and control diverse environments that often lack sufficient endpoint detection.
Between September and December 2024, a campaign leveraging CrossC2 demonstrated highly sophisticated techniques, including stealthy memory execution and anti-analysis measures, to infiltrate networks and evade detection, according to Japan’s CERT coordination center (JPCERT/CC).
The attackers had used a custom loader named ReadNimeLoader, which abuses a legitimate java.exe process to load malicious payloads invisibly. This method was paired with traditional tools like PsExec and Plink to break into Active Directory environments quietly.
Notably, this campaign shares infrastructure and tactics with ransomware groups such as BlackSuit and Black Basta, as well as the use of SystemBC backdoors that facilitate further malicious deployment.
The expansion of Cobalt Strike’s operational scope to Linux and macOS servers is particularly alarming because many of these systems are underprotected, creating critical vulnerabilities within internal networks. Experts warn that these techniques could become widespread as cybercrime groups continue to exchange tradecraft and infrastructure. The overlap with known ransomware actors increases the risk of data exfiltration and extortion, raising the stakes for any business or organization relying on Linux or macOS in their network.
Many incident response teams and system administrators now face mounting challenges in detecting and stopping such cross-platform threats. This latest cybercriminal development underscores the evolving tactics of cyber adversaries that leverage advanced frameworks such as CrossC2 to maintain persistence and control across multiple platforms. By utilizing loaders written in languages such as Nim, and leveraging open-source shellcode tactics, attackers can blend in with legitimate activity and evade forensic investigation.
To address this broader threat landscape organizations will need to escalate their security posture by implementing monitoring and defensive solutions beyond traditional Windows environments.