Skip to main content

Cybercriminals are using security tools to facilitate attacks

cyber attack
(Image credit:

Some of the world’s most popular penetration testing tools have been compromised and used to host malware, as well as command and control (C&C) servers, experts are saying.

A new report from threat intelligence firm Recorded Future claims that two tools used to simulate an attacker’s action, Cobalt Strike and Metasploit, have been used for hosting malware C&C servers, the goal of which is to control compromised devices or accept stolen data.

While using open-source software to conduct attacks is nothing new, offensive security tools (or red-team tools) such as these are generally considered among the most complex. Recorded Future believes that these malware operations were the work of either state-sponsored attackers, or financially-motivated groups (or both).

As per a ZDNet report, more than a quarter of all malware C&C servers deployed last year were hosted using these two tools, with Cobalt Strike responsible for 13.5 percent and Metasploit 10.5 percent.

According to the report, more than 10,000 malware C&C servers and 80 malware strains were discovered last year. On average, these servers live for 54.8 days and a third were hosted in the US.

Over the next year, Recorded Future expects criminals to further adopt popular open-source tools, naming Covenant, Octopus C2, Sliver, and Mythic as potential candidates.