Unknown threat actors have launched attacks leveraging a Linux version of the Cobalt Strike beacon against numerous organizations in different sectors around the world since last month, BleepingComputer reports.
Intezer researchers found that the attacker-developed Linux beacons compatible with Cobalt Strike have enabled persistence and remote command execution on machines running Windows and Linux.
The Linux implementation, dubbed "Vermilion Strike," uses the same configuration format as the Windows beacon despite not using any Cobalt Strike code, and it shares the same command-and-control servers and functionality with Windows DLL files, indicating that the developers may be the same.
Researchers added that the Linux malware has not been detected in VirusTotal.
"The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn't been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor," said Intezer.