140 Beacons: Mapping Exposed Cobalt Strike Infrastructure Across the Open Internet | Intercept Cell
We scanned the public internet for exposed Cobalt Strike beacon configurations using Shodan and extracted complete malleable C2 profiles from 140 live servers. We clustered operators by watermark and public key, identified a Chinese-speaking threat actor impersonating Google across two US-hosted servers, found an Azure-hosted server silently deploying MSI payloads through post-exploitation, and mapped domain fronting through Baidu CDN and Cloudflare nameservers. Every server ran a cracked license.
Cobalt Strike is the most widely deployed post-exploitation framework in offensive operations. When operators misconfigure their team servers (most often by leaving payload staging enabled on an internet-facing listener), Shodan indexes the beacon configuration: the complete set of instructions telling an implant how to communicate, what to inject, how to sleep, and where to phone home. We queried Shodan for every exposed beacon configuration on the internet and extracted the full operational playbook from 140 live servers. What we found is a map of offensive infrastructure that no one bothered to hide.

We queried Shodan's API for hosts tagged product:"Cobalt Strike Beacon" whose raw data included a watermark field, the sign that Shodan had successfully parsed the beacon configuration. The search returned 140 servers with fully exposed configs. A further 42 servers were identified as Cobalt Strike beacons without parseable configs, bringing the total to 182 confirmed beacon listeners on the public internet.

The geographic breakdown of the 140 parsed servers is lopsided: 87 in China (62%), 19 in the United States (14%), and 16 in Hong Kong (11%), with the remaining 18 scattered across the Netherlands, Taiwan, Japan, Singapore, Russia, Sweden, Italy, Switzerland, and Venezuela. Chinese cloud providers dominate the hosting: Alibaba Cloud hosts 47+ servers across multiple subsidiaries, followed by Tencent Cloud (14), JD Cloud (8+), Beijing Baidu Netcom, Huawei Cloud, and Beijing Volcano Engine Technology.

Cobalt Strike embeds a watermark value in every beacon, derived from the license that generated it. Legitimate licenses produce unique watermarks; cracked distributions use well-known hardcoded values. Every watermark we extracted maps to a known pirated distribution. Watermark 987654321 alone accounts for 48 servers across 9 countries; it is the default watermark in the most widely distributed cracked Cobalt Strike package on Chinese underground forums. Watermark 666666666, present on 25 servers, is the second most common cracked marker. Together, these two w
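To make the methodology concrete, here is an added example (not the article's own tooling) that takes Shodan banners in the shape of the product:"Cobalt Strike Beacon" results, separates parsed from unparsed configs, tallies hosting country and provider, counts watermarks against the two cracked values named above, and clusters servers by watermark plus beacon public key the way the summary describes. The sample banners are constructed; the cobalt_strike_beacon -> x86/x64 field layout is an assumption modelled on Shodan's documented property, and fetch_live with its use of the shodan package is an assumption for pulling real results rather than something the article shows.

```python
"""Offline triage of Shodan results for exposed Cobalt Strike beacon configs.

Added example (not code from the article): group beacons by watermark and
public key, tally hosting country and provider, and flag the watermarks the
article ties to cracked distributions.
"""
from __future__ import annotations

import hashlib
from collections import Counter, defaultdict

# Search used in the article. Only hosts whose configuration Shodan managed to
# parse carry a watermark, which is the filter the article applied as well.
QUERY = 'product:"Cobalt Strike Beacon"'

# Watermarks the article identifies as markers of pirated builds.
CRACKED_WATERMARKS = {987654321, 666666666}


def fetch_live(api_key: str, query: str = QUERY) -> list[dict]:
    """Pull every banner for `query`. Needs the `shodan` package and an API key
    (assumption: not part of the article); the offline demo below never calls it."""
    import shodan  # lazy import so the rest of the module runs without it

    return list(shodan.Shodan(api_key).search_cursor(query, minify=False))


# Constructed sample banners (RFC 5737 addresses, made-up keys and URIs). The
# 'cobalt_strike_beacon' -> 'x86'/'x64' nesting is an assumption modelled on
# Shodan's documented property; rename the fields if your export differs.
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "org": "Alibaba Cloud", "location": {"country_code": "CN"},
     "cobalt_strike_beacon": {"x86": {"watermark": 987654321, "publickey": "PUBKEY-A", "http-get.uri": "/jquery-3.3.1.min.js"}}},
    {"ip_str": "203.0.113.11", "port": 8443, "org": "Alibaba Cloud", "location": {"country_code": "CN"},
     "cobalt_strike_beacon": {"x86": {"watermark": 987654321, "publickey": "PUBKEY-A", "http-get.uri": "/jquery-3.3.1.min.js"}}},
    {"ip_str": "198.51.100.20", "port": 443, "org": "Example Hosting LLC", "location": {"country_code": "US"},
     "cobalt_strike_beacon": {"x86": {"watermark": 987654321, "publickey": "PUBKEY-B", "http-get.uri": "/search"}}},
    {"ip_str": "203.0.113.30", "port": 80, "org": "Tencent Cloud", "location": {"country_code": "HK"},
     "cobalt_strike_beacon": {"x86": {"watermark": 666666666, "publickey": "PUBKEY-C", "http-get.uri": "/api/v2/status"}}},
    {"ip_str": "203.0.113.31", "port": 443, "org": "Tencent Cloud", "location": {"country_code": "CN"},
     "cobalt_strike_beacon": {"x64": {"watermark": 666666666, "publickey": "PUBKEY-C", "http-get.uri": "/api/v2/status"}}},
    # Fingerprinted as a beacon listener, but no parseable config (no watermark).
    {"ip_str": "203.0.113.50", "port": 50050, "org": "JD Cloud", "location": {"country_code": "CN"},
     "product": "Cobalt Strike Beacon"},
]


def extract_beacons(matches: list[dict]) -> list[dict]:
    """Normalise banners and drop hosts that were fingerprinted as beacon
    listeners but whose config Shodan could not parse (no watermark field)."""
    beacons = []
    for banner in matches:
        cfg = banner.get("cobalt_strike_beacon") or {}
        arch = cfg.get("x86") or cfg.get("x64") or {}
        if "watermark" not in arch:
            continue
        pubkey = arch.get("publickey")
        beacons.append({
            "ip": banner["ip_str"],
            "country": (banner.get("location") or {}).get("country_code", "??"),
            "org": banner.get("org", "unknown"),
            "watermark": int(arch["watermark"]),
            # Hash the key so clusters can be shared without the raw key blob.
            "key_id": hashlib.sha256(pubkey.encode()).hexdigest()[:12] if pubkey else None,
            "get_uri": arch.get("http-get.uri"),
        })
    return beacons


def cluster_operators(beacons: list[dict]) -> dict[tuple, list[str]]:
    """Group servers by (watermark, key_id). A team server embeds the public half
    of the RSA keypair kept in its .cobaltstrike.beacon_keys file in every beacon,
    so hosts sharing a public key were cloned from one team server directory,
    i.e. one operator; a cracked watermark alone only says which build they used."""
    clusters: dict[tuple, list[str]] = defaultdict(list)
    for b in beacons:
        clusters[(b["watermark"], b["key_id"])].append(b["ip"])
    return dict(clusters)


def summarize(matches: list[dict]) -> dict:
    """Counts in the shape the article reports: parsed vs unparsed listeners,
    country and provider breakdown, watermark frequency, and operator clusters."""
    beacons = extract_beacons(matches)
    n = len(beacons) or 1
    by_country = Counter(b["country"] for b in beacons)
    return {
        "total_listeners": len(matches),
        "with_config": len(beacons),
        "without_config": len(matches) - len(beacons),
        "by_country": by_country,
        "country_pct": {c: round(100 * k / n) for c, k in by_country.items()},
        "by_org": Counter(b["org"] for b in beacons),
        "by_watermark": Counter(b["watermark"] for b in beacons),
        "cracked_servers": sum(b["watermark"] in CRACKED_WATERMARKS for b in beacons),
        "operators": cluster_operators(beacons),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MATCHES)
    print(f"{s['with_config']} parsed configs, {s['without_config']} unparsed listeners")
    for (wm, key_id), ips in s["operators"].items():
        print(f"watermark={wm} key_id={key_id} -> {ips}")
```

On the constructed sample, three servers share watermark 987654321 but split into two operator clusters because they embed two different public keys, while the two 666666666 servers collapse into one operator spread across Tencent in Hong Kong and China. That is the distinction the clustering is for: the watermark names the cracked package, the public key names the team server.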