Each Cobalt Strike release brings new capabilities, evasion techniques, and quality-of-life improvements driven by operator feedback and ongoing research. Review the release history below to see how the platform has evolved.
Latest Release: 4.13
Cobalt Strike 4.13 focuses on evolving post-exploitation capabilities, giving operators the ability to create more dynamic tradecraft to better imitate adversarial tactics and keep pace with increasingly complex defenses. This release also focuses on overhauling workflows with centralised payload management via the Payload Store, as well as enhancements to Malleable C2 workflows and streaming.
New features include:
Beacon Interpreter – Write scriptable C code which can be directly executed by Beacon in a virtual machine
BOF-PE Support – Simplified tradecraft creation in DLL/EXE format that supports error handling, advanced C++ features, external libs, and the BOF API
LLVM Beacon – New Beacon built using the LLVM toolchain which contains a custom C runtime and has a much smaller payload size
Payload Store – Centralised storage and versioning of Beacon payloads to streamline customisation
Malleable Profile Overrides – Modify Malleable Profiles to enable and/or disable specific settings when exporting a
GUI Updates – Docking, customizable tables, new fonts to continue building upon Cobalt’s refreshed GUI
Streaming Capabilities – Full streaming via WebSockets and gRPC to provide better integration with other tooling in the Cobalt Strike ecosystem
Cobalt Strike 4.12 focuses on extensibility and operator customization, giving red teamers more control over how they interact with the platform and how their payloads behave in memory. This release also refreshes core evasion capabilities to help operators stay ahead of modern detection strategies.
Features:
Redesigned GUI – Fresh modern interface with selectable themes including Dracula, Solarized, and Monokai
REST API – Enables scripting Cobalt Strike in any language, advanced automation, and custom client development
User Defined Command and Control (UDC2) – Build custom C2 channels as BOFs that integrate natively with exported payloads
Process injection options – Four new techniques including RtlCloneUserProcess and EarlyCascade, plus Aggressor hooks for adding custom methods
UAC bypasses – Two new working bypasses compatible with Windows 10 through Windows 11
BeaconDownload BOF API – Exfiltrate in-memory buffers up to 2GB without touching disk
Drip loading – New Malleable C2 options to break up payload writes during reflective loading and process injection
Cobalt Strike 4.10 equipped operators with the hooks and development templates needed to customize Beacon’s runtime behavior and stay ahead of EDRs increasingly flagging API calls from unbacked memory.
Features:
Introduced BeaconGate for dynamically instrumenting Beacon’s API calls
Released Postex Kit for custom post-exploitation tradecraft
Added Sleepmask-VS template for simplified custom sleep mask development
Overhauled Sleepmask API with BeaconGate integration
Added support for hot-swapping C2 hosts during operations
Updated minimum Java requirement from Java 8 to Java 11
4.10.1 was an out-of-band update that fixed client disconnection issues with multiple team server connections and x86 Beacon crashes when using indirect syscalls on Windows 11.
This release gave operators more control over payload execution and evasion with system call support, payload guardrails for targeted delivery, and a token store for managing credentials on the fly.
Added support for direct and indirect system calls
These out-of-band updates provided fixes for 4.7. 4.7.1 fixed sleep mask memory allocation issues, pivot Beacon size limits, and an XSS vulnerability in the team server. 4.7.2 hardened the client against an RCE vulnerability in Java Swing’s HTML rendering that affects any Java GUI application.