Japan’s CERT coordination center (JPCERT/CC) recently observed a new wave of cyberattacks that leveraged a sophisticated command-and-control (C2) framework known as CrossC2. This framework, a creative extension of Cobalt Strike, is designed to enable cross-platform system control, broadening the scope of attacks to include Linux and Apple macOS devices. The activity was detected between September and December 2024, with JPCERT/CC’s analysis of VirusTotal artifacts indicating that multiple countries, including Japan, were targeted. This discovery highlights the evolving nature of cyber threats, as attackers increasingly seek to expand their reach beyond traditional Windows-based environments.
The attackers employed a variety of tools in this campaign, including CrossC2, PsExec, Plink, and Cobalt Strike, in their attempts to penetrate Active Directory (AD). A key component of the attack was a custom malware loader for Cobalt Strike, which the JPCERT/CC has codenamed ReadNimeLoader. This bespoke loader, written in the Nim programming language, plays a crucial role in the infection chain. It is used to execute Cobalt Strike Beacon, an unofficial C2 agent, which establishes communication with a remote server and enables the attackers to execute various commands on the compromised systems.
The attack’s methodology involved a clever use of legitimate software to evade detection. The threat actor set up a scheduled task on compromised machines that launched the legitimate java.exe binary. This binary was then abused to sideload ReadNimeLoader, which was disguised as a dynamic link library (jli.dll). This technique of using a trusted process to load malicious code is a common evasion tactic. The ReadNimeLoader then extracts the content of a text file and executes it directly in memory, a technique known as fileless malware, to avoid leaving forensic traces on the disk.
The malicious payload delivered by ReadNimeLoader is an open-source shellcode loader called OdinLdr. This loader’s primary function is to decode and run the embedded Cobalt Strike Beacon, also in memory. The developers of ReadNimeLoader also incorporated several anti-debugging and anti-analysis techniques to make it more difficult for security researchers to reverse-engineer the malware and understand its functionality. These techniques ensure that OdinLdr is not decoded unless the execution environment is deemed safe, further complicating the analysis and defense against this threat.
JPCERT/CC’s report also noted a potential link between this attack campaign and BlackSuit/Black Basta ransomware activity that was previously reported by Rapid7 in June 2025. This connection is based on overlaps in the command-and-control domains used and similarly named files. The presence of several ELF versions of SystemBC, a backdoor often used to prepare systems for the deployment of Cobalt Strike and ransomware, further strengthens this potential link. The researchers emphasized the vulnerability of Linux servers, many of which lack EDR (Endpoint Detection and Response) systems, making them prime targets and potential entry points for further compromise.
Reference:
