Trojan:Win32/CobaltStrike.SG represents a detection name for malicious implementations of Cobalt Strike, a legitimate penetration testing framework that has been weaponized by threat actors. While Cobalt Strike itself is a commercial tool designed for authorized security assessments, cybercriminals frequently deploy cracked or stolen versions to establish command-and-control channels, move laterally through networks, and deploy additional payloads. The ".SG" suffix indicates a specific detection signature variant, but the underlying threat follows the established patterns of Cobalt Strike Beacon malware — sophisticated, memory-resident, and designed to evade traditional antivirus scanning.
This threat is particularly dangerous because it leverages a tool originally built for legitimate red team operations. Attackers gain powerful post-exploitation capabilities including credential harvesting, process injection, keylogging, and the ability to download and execute additional malware. Unlike simple trojans that perform one malicious action, CobaltStrike.SG establishes persistent backdoor access that allows attackers to conduct reconnaissance, escalate privileges, and ultimately compromise sensitive data or deploy ransomware.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Family | Trojan-Backdoor / Command & Control Framework |
| Also Known As | CobaltStrike Beacon, Trojan.CobaltStrike, Win32/Cobalt, Beacon Backdoor |
| Platform | Windows (all versions); variants exist for Linux and macOS |
| First Observed | Original Cobalt Strike released 2012; malicious use widespread since 2015+ |
| Distribution Methods | Phishing attachments, exploit kits, malicious macros, software vulnerabilities, drive-by downloads |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, service installation, DLL hijacking, WMI event subscriptions |
| Primary Capabilities | Remote code execution, credential theft, process injection, keylogging, lateral movement, payload delivery |
| Memory Behavior | Typically fileless or reflectively loaded; operates in memory to evade disk-based scanning |
| Network Communication | HTTPS C2 beacons (often to legitimate-looking domains), DNS tunneling, SMB named pipes for lateral movement |
| Indicators of Compromise | Injected processes (rundll32.exe, svchost.exe with network activity), suspicious scheduled tasks, unusual outbound HTTPS to non-standard ports |
| Data at Risk | Credentials, browser saved passwords, corporate VPN tokens, file server access, email data |
| Removal Difficulty | High — requires advanced forensic analysis to identify all persistence mechanisms and injected processes |
How It Spreads
Trojan:Win32/CobaltStrike.SG typically arrives through targeted phishing campaigns or as a secondary payload dropped by initial access trojans. Attackers rarely distribute Cobalt Strike as the first-stage malware; instead, they use simpler droppers to establish an initial foothold, then deploy CobaltStrike Beacons to maintain persistent, interactive access. This staged approach helps bypass email security gateways and reduces the risk of exposing the more valuable Cobalt Strike infrastructure during the initial compromise.
Many infections begin with socially engineered documents attached to business emails — invoices, shipping notifications, or HR-related documents that contain malicious macros. When the victim enables content, the macro downloads and executes a lightweight loader, which then retrieves the CobaltStrike payload from a command server. Other common delivery mechanisms include exploit kits targeting browser or plugin vulnerabilities, compromised software updates, and malicious advertisements on legitimate websites.
Common distribution vectors for this threat include:
- Malicious email attachments — Office documents with embedded macros, password-protected ZIP archives containing executables
- Drive-by downloads — Compromised websites or malvertising campaigns that exploit browser vulnerabilities to drop the initial loader
- Software supply chain attacks — Compromised installers for legitimate software, particularly freeware or utilities downloaded from unofficial sources
- Remote Desktop Protocol (RDP) compromise — Brute-force attacks or credential stuffing against exposed RDP services, followed by manual deployment
- Exploitation of unpatched vulnerabilities — CVEs in Windows services, Microsoft Exchange, or VPN appliances used for initial access
- Lateral movement from other infected machines — Once established on one network device, CobaltStrike excels at spreading to additional systems using stolen credentials
What It Does On Your Machine
Once executed, Trojan:Win32/CobaltStrike.SG establishes a communication channel to an attacker-controlled command and control (C2) server. The malware typically operates as a "Beacon" — a lightweight agent that checks in periodically for instructions, executes commands, and reports results. Unlike noisy malware that immediately performs obvious malicious actions, CobaltStrike is designed for stealth. It may remain dormant for hours or days while attackers assess the compromised environment, identify high-value targets, and plan their next moves.
The malware frequently uses process injection to hide within legitimate Windows processes. You might see normal system processes like rundll32.exe, svchost.exe, or even explorer.exe making unusual network connections or consuming unexpected amounts of CPU. CobaltStrike can inject itself into these processes without creating its own visible executable file, making detection significantly more challenging. This fileless operation means traditional antivirus software that relies on scanning files on disk may completely miss the infection.
CobaltStrike provides attackers with an extensive post-exploitation toolkit. Common activities include credential dumping (harvesting passwords stored in Windows memory or the SAM database), keylogging to capture typed passwords and sensitive information, taking screenshots to monitor user activity, and accessing files across the network. The malware can execute arbitrary commands, download additional tools, and serve as a proxy for further network penetration. In many ransomware incidents, investigators find that CobaltStrike was the tool used to map the network, exfiltrate sensitive data, and ultimately deploy the ransomware payload across the organization.
The malware's network behavior is deliberately designed to blend with legitimate traffic. It may beacon to the C2 server every few hours using HTTPS connections to domains that appear innocuous, or even piggyback on legitimate cloud services. Some configurations use DNS tunneling to exfiltrate data or receive commands encoded in DNS query responses. This makes network-based detection challenging without specialized security monitoring tools that can identify behavioral anomalies rather than just known-bad IP addresses or domains.
Manual Removal — Step by Step
Immediately Disconnect from All Networks
Before attempting any removal steps, disconnect the infected computer from all networks. Unplug the Ethernet cable and disable Wi-Fi completely. CobaltStrike is designed for network infiltration and gives attackers real-time access to your machine. Staying connected during removal allows them to observe your actions, reinstall the malware, or pivot to other devices. For business networks, also consider temporarily isolating any systems that may have been accessed from the infected machine.
Boot Into Safe Mode with Networking
Restart your computer and boot into Safe Mode with Networking (you'll need networking to download security tools in later steps). In Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and select option 5. Safe Mode loads only essential Windows components, which prevents many malware persistence mechanisms from activating and makes it easier to identify malicious processes.
Identify and Terminate Suspicious Processes
Open Task Manager (Ctrl+Shift+Esc) and examine running processes carefully. Look for suspicious instances of rundll32.exe, svchost.exe, or other system processes that are making network connections or consuming unusual resources. CobaltStrike often injects into these legitimate processes. However, be extremely cautious — terminating critical system processes can cause instability. If you're uncertain about a process, note its name and PID but leave it running until you've identified it definitively. Take screenshots of suspicious processes and their properties (right-click > Properties to see file locations).
Remove Registry-Based Persistence Mechanisms
Press Win+R, type "regedit" and press Enter to open the Registry Editor. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries you don't recognize, particularly any that invoke rundll32.exe with DLL parameters or executables in unusual locations like %LOCALAPPDATA% subdirectories or the Temp folder. Before deleting anything, export a backup of the entire Run key. Remove suspicious entries, then check the same paths under RunOnce and Explorer\Shell Folders for additional persistence.
Examine and Remove Malicious Scheduled Tasks
Open Task Scheduler (search for it in the Start menu) and carefully examine scheduled tasks. Look for tasks created recently that have vague names (especially under Microsoft\Windows paths that don't match known Windows tasks) or tasks that run rundll32.exe, powershell.exe with encoded commands, or executables from temp directories. Right-click suspicious tasks and select Delete. CobaltStrike frequently uses scheduled tasks for persistence because they're less commonly checked than registry Run keys. Pay particular attention to tasks set to run at startup or with SYSTEM-level privileges.
Check for Malicious Services
Open an elevated Command Prompt (search for cmd, right-click, Run as Administrator) and type "services.msc" to open the Services console. Sort by Status and Startup Type to identify services that start automatically. Look for services with random names, vague descriptions, or no publisher information. CobaltStrike may install itself as a Windows service for SYSTEM-level persistence. If you find a suspicious service, note its name, stop it (right-click > Stop), then set its startup type to Disabled. You can later delete the service using "sc delete [servicename]" from an elevated command prompt, but disabling it first prevents accidental system instability.
Delete Malicious Files and Directories
Based on the processes, registry entries, and scheduled tasks you've identified, locate and delete the actual malware files. Common locations include subdirectories of %LOCALAPPDATA%, %APPDATA%, C:\Windows\Temp, and user temp directories. CobaltStrike DLLs and executables often have random names or GUIDs. Delete the entire containing folder if it only holds malware. Be thorough — check for multiple copies across different directories. You may need to take ownership of some files or boot into Safe Mode to delete files locked by running processes.
Run Comprehensive Anti-Malware Scans
Temporarily connect to the internet (understanding the risk) to download and update Malwarebytes, along with a secondary scanner like HitmanPro or ESET Online Scanner. Run full system scans with each tool. CobaltStrike is sophisticated enough that manual removal may miss memory-resident components or secondary payloads. Let each scanner complete fully and quarantine all detected threats. Malwarebytes specifically has behavioral detection capabilities that can identify CobaltStrike Beacons even when they're fileless. After scanning, disconnect from the network again until you're confident the system is clean.
Reset Browser Settings and Check Extensions
CobaltStrike often leads to credential theft, including browser-stored passwords. Open each installed browser and reset settings to defaults. In Chrome, go to Settings > Advanced > Reset and clean up > Restore settings to their original defaults. In Firefox, Help > More Troubleshooting Information > Refresh Firefox. Review all installed extensions and remove any you don't recognize or didn't intentionally install. Clear all browsing data, cookies, and cached credentials. This step helps remove any browser-based persistence mechanisms that may have been installed alongside the primary threat.
Change All Passwords and Monitor for Compromise
After you're confident the system is clean, change passwords for all important accounts — especially email, banking, work systems, and any accounts accessed from the infected machine. Use a different, known-clean device for the most critical password changes if possible. Enable two-factor authentication everywhere it's available. CobaltStrike can capture credentials in multiple ways, so you must assume any password typed or saved during the infection period has been compromised. Monitor your accounts closely for suspicious activity over the following weeks.
Reboot and Verify Clean Status
Restart your computer normally (not in Safe Mode) and carefully observe startup behavior. Check Task Manager again for any suspicious processes. Verify that the scheduled tasks and registry entries you removed haven't reappeared. Run one more quick scan with your anti-malware tools. Monitor network connections using Resource Monitor (search for "resource monitor" in Start) and look for any unexpected outbound connections. If everything appears clean and stable after 24-48 hours of normal use, the threat has likely been successfully removed.
Prevention
- Maintain strict email security practices. Never enable macros in Office documents from unknown senders. Be deeply skeptical of any email attachment that requires you to "enable content" or "enable editing" to view properly. Most legitimate business documents don't require macros. When in doubt, contact the sender through a separate communication channel to verify they actually sent the file.
- Keep all software rigorously updated. Enable automatic updates for Windows, browsers, and all plugins (Java, Adobe Reader, Flash if still installed). Many CobaltStrike infections begin with exploitation of known vulnerabilities that have available patches. Attackers rely on users running outdated software. Set aside time monthly to verify critical applications are current, especially for small business environments where update management may be informal.
- Deploy endpoint protection that includes behavioral detection. Traditional signature-based antivirus is insufficient against modern threats like CobaltStrike that operate in memory or use legitimate tools. Business environments should implement endpoint detection and response (EDR) solutions. Home users should use reputable security suites that include behavioral analysis, not just signature matching. Keep these tools updated and actually monitor their alerts rather than dismissing them reflexively.
- Implement network segmentation and monitoring. For businesses, segment your network so that workstations can't directly access file servers or other critical infrastructure without passing through monitored chokepoints. Implement network monitoring that can identify unusual lateral movement, repeated authentication failures, or connections to suspicious external IPs. Home users with NAS devices or home servers should place them on separate VLANs from everyday computing devices if their router supports it.
- Disable unnecessary services and restrict administrative privileges. Turn off Remote Desktop Protocol if you don't actively use it, or at minimum place it behind a VPN and use strong, unique passwords. Don't run daily computing tasks with administrator privileges — use a standard user account for web browsing, email, and routine work. Malware that lands on a limited account has significantly reduced ability to establish persistence and move laterally.
- Maintain offline backups of critical data. Regular, tested backups stored offline or in immutable cloud storage protect you from both ransomware (which often arrives after CobaltStrike reconnaissance) and data theft. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offline. CobaltStrike infections often culminate in ransomware deployment after attackers have mapped your network — backups are your insurance policy.
- Educate all users about social engineering tactics. Technical controls alone are insufficient when humans remain the weakest link. Train family members or employees to recognize phishing attempts, suspicious links, and pressure tactics ("urgent invoice," "account suspended"). Create a culture where people feel comfortable asking IT or a knowledgeable family member to verify suspicious communications rather than clicking first and asking questions later.
- Monitor for indicators of compromise proactively. For businesses, implement security information and event management (SIEM) solutions that can correlate events across systems and identify patterns consistent with CobaltStrike activity — unusual authentication patterns, process injection behaviors, beaconing network traffic. Home users can periodically review startup items, scheduled tasks, and unusual processes as a basic hygiene practice, even when nothing seems wrong.
When Computer Repair Roswell removes malware from your system, you're covered by our 90-day warranty. If the same infection returns within 90 days of service completion, we'll remove it again at no additional charge. We stand behind our work because we do it right the first time — complete removal, not just symptom suppression.
Bring It In
Trojan:Win32/CobaltStrike.SG is not a typical home-user malware infection you can reliably eliminate with a quick scan. This is an advanced persistent threat tool designed for network infiltration and long-term compromise. If you've identified this threat on your system — or suspect you may be infected based on the symptoms described — professional remediation is strongly recommended. Our technicians have the forensic tools and experience to identify all components of CobaltStrike infections, including memory-resident payloads, secondary persistence mechanisms, and evidence of lateral movement that may indicate other compromised devices on your network.
Computer Repair Roswell is located at 1240 Alpharetta St., Suite A, Roswell, GA 30075, and we handle these sophisticated threats routinely. We'll perform a complete analysis to determine the infection's entry point, what data may have been compromised, and whether other security measures need to be implemented. Call us at (770) 637-1435 to schedule an appointment, or bring your machine directly to our shop during business hours. For business customers dealing with potential network-wide compromise, we offer on-site assessment services. Don't let CobaltStrike remain on your system — the longer it persists, the more damage attackers can do.