Cybersecurity Threats Emerge from CrossC2 Framework Expanding Cobalt Strike Capabilities

By Tina Reynolds

Just this week, America’s top cybersecurity experts warned of an unprecedented threat. Today’s threat centers on the CrossC2 command-and-control (C2) framework, which extends the capabilities of the all-too-familiar Cobalt Strike. The development is drawing researchers’ attention because it allows for cross-platform system control: the framework targets both Linux and Apple macOS systems. The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) reported a number of incidents related to CrossC2 between September and December 2024. This shows just how widespread the attack was, hitting every country but Japan.

The adoption of CrossC2 represents another significant advance in the cyber threat landscape. It allows attackers to increase their impact by operating across multiple operating systems, which complicates cybersecurity defenses. Attackers in the incidents we monitored employed CrossC2 in concert with tools such as PsExec and Plink for lateral movement. This combination made the attacks considerably harder to prevent.

CrossC2’s Functionality and Applications

CrossC2 is a command-and-control framework that acts as a force multiplier for Cobalt Strike. By enabling attackers to operate in multiple environments, it broadens their operational reach and agility. This cross-platform compatibility poses a significant threat to institutions running Linux or macOS machines. Because those systems have long been seen as less exposed than their Windows counterparts, this development is a significant cause for concern.

Through collective analysis of artifacts found on VirusTotal, cybersecurity researchers have substantially deepened their understanding of the techniques attackers are using. They found that the attackers used a Windows Task Scheduler task to launch a legitimate java.exe binary on the system. They used this strategy to sideload ReadNimeLoader: the “jli.dll” file that java.exe loads was replaced with a custom malware loader for Cobalt Strike.
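The sideloading chain described above leaves a recognizable footprint in endpoint telemetry: a scheduled task whose action is a java.exe outside any real Java installation, followed by that process loading a jli.dll that is not part of the same install. The following detection script is an added example written for this page; it is not code from the article, from JPCERT/CC, or from the researchers cited, and the event field names, the trusted-directory list, and the sample events are all constructed assumptions for the demo.

```python
"""Added detection example (not from the article): flag the jli.dll sideloading
pattern in which a scheduled task starts java.exe and the process then loads a
jli.dll that does not belong to a genuine Java installation.  Event field names,
trusted roots and the sample events below are assumptions constructed for this demo."""
from __future__ import annotations

import ntpath  # Windows path semantics, usable on any host

# Assumed locations of legitimate JRE/JDK installs on this fleet.
TRUSTED_JAVA_ROOTS = (
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
)


def under_trusted_root(path: str) -> bool:
    """True if `path` lies beneath one of the trusted Java install roots."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm.startswith(ntpath.normcase(root) + "\\") for root in TRUSTED_JAVA_ROOTS)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze(events: list[dict]) -> list[dict]:
    """Walk telemetry in order and return a list of findings.

    Two rules, matching the two steps of the chain in the article:
      1. a scheduled task whose action is a java.exe outside a trusted root;
      2. a java.exe process loading jli.dll from a different directory than its
         own, or from a pair of directories outside any trusted root
         (the copied-JRE case).
    """
    findings: list[dict] = []
    java_procs: dict[int, str] = {}  # pid -> image path of java.exe processes

    for ev in events:
        kind = ev["event"]
        if kind == "task_created" and basename(ev["action"]) == "java.exe":
            if not under_trusted_root(ev["action"]):
                findings.append({"rule": "task-launches-untrusted-java",
                                 "task": ev["task_name"], "path": ev["action"]})
        elif kind == "process_start" and basename(ev["image"]) == "java.exe":
            java_procs[ev["pid"]] = ev["image"]
        elif kind == "image_load" and basename(ev["module"]) == "jli.dll":
            image = java_procs.get(ev["pid"])
            if image is None:
                continue  # jli.dll loaded by something we are not tracking
            same_dir = (ntpath.normcase(ntpath.dirname(ev["module"]))
                        == ntpath.normcase(ntpath.dirname(image)))
            if not same_dir or not under_trusted_root(ev["module"]):
                findings.append({"rule": "jli-sideload-candidate", "pid": ev["pid"],
                                 "java": image, "module": ev["module"]})
    return findings


# Constructed sample telemetry: one suspicious task, one copied-JRE sideload,
# one benign Java start, and one hijack from a legitimate java.exe.
SAMPLE_EVENTS = [
    {"event": "task_created", "task_name": "Updater",
     "action": r"C:\Users\Public\jre\bin\java.exe"},
    {"event": "process_start", "pid": 4120, "parent": "svchost.exe",
     "image": r"C:\Users\Public\jre\bin\java.exe"},
    {"event": "image_load", "pid": 4120, "module": r"C:\Users\Public\jre\bin\jli.dll"},
    {"event": "process_start", "pid": 5000, "parent": "explorer.exe",
     "image": r"C:\Program Files\Java\jre-17\bin\java.exe"},
    {"event": "image_load", "pid": 5000, "module": r"C:\Program Files\Java\jre-17\bin\jli.dll"},
    {"event": "process_start", "pid": 6001, "parent": "svchost.exe",
     "image": r"C:\Program Files\Java\jre-17\bin\java.exe"},
    {"event": "image_load", "pid": 6001, "module": r"C:\Users\Public\jli.dll"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The second rule deliberately fires on both shapes of the technique: a whole copied JRE dropped into a user-writable directory (pid 4120, where java.exe and jli.dll sit together but outside any trusted root) and a legitimate java.exe picking up a planted jli.dll from elsewhere (pid 6001). Tune `TRUSTED_JAVA_ROOTS` to the install paths actually present in your environment before running it over real Sysmon or EDR exports.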

Connections to Ransomware Activity

CrossC2 has rapidly become a major player in the cyber threat landscape, and its use closely aligns with the tactics of ransomware groups like BlackSuit and Black Basta. Cybersecurity analysts have noted that command-and-control domains and file names were similar between CrossC2 and these ransomware variants. These overlaps suggest that the same state or allied states may be behind these cyber attacks as well. This should alarm us all, particularly against the backdrop of increasingly coordinated cybercriminal enterprises.

In June 2025, Rapid7 reported similar activities, indicating that the threat posed by CrossC2 and its associated malware is part of a larger wave of cyberattacks targeting organizations globally. Beyond the technical aspects, the broader implications of these findings call for increased alertness from cybersecurity teams in all sectors.

Implications for Cybersecurity

The growth of CrossC2 poses new, serious obstacles for cybersecurity practitioners. Its ability to run on multiple platforms deepens the challenge that detection and response efforts already face. Organizations must remain proactive in their security measures, focusing on comprehensive monitoring and analysis of their systems to detect potential breaches early.

The cyber landscape is changing ever faster with the arrival of powerful new tools such as CrossC2. To address these challenges, our cybersecurity agencies must work closely with private-sector experts. Through a layered approach, information and intelligence sharing can better inform defenders, reduce risk, and improve defenses against these sophisticated threats.