Each Cobalt Strike release brings new capabilities, evasion techniques, and quality-of-life improvements driven by operator feedback and ongoing research. Review the release history below to see how the platform has evolved.

Latest Release: 4.12

Cobalt Strike 4.12 focuses on extensibility and operator customization, giving red teamers more control over how they interact with the platform and how their payloads behave in memory. This release also refreshes core evasion capabilities to help operators stay ahead of modern detection strategies.

New features include:

  • Redesigned GUI – Fresh modern interface with selectable themes including Dracula, Solarized, and Monokai
  • REST API – Enables scripting Cobalt Strike in any language, advanced automation, and custom client development
  • User Defined Command and Control (UDC2) – Build custom C2 channels as BOFs that integrate natively with exported payloads
  • Process injection options – Four new techniques including RtlCloneUserProcess and EarlyCascade, plus Aggressor hooks for adding custom methods
  • UAC bypasses – Two new working bypasses compatible with Windows 10 through Windows 11 24H2
  • BeaconDownload BOF API – Exfiltrate in-memory buffers up to 2GB without touching disk
  • Drip loading – New Malleable C2 options to break up payload writes during reflective loading and process injection

4.12 Release Blogs

4.12 Release Demo Videos

Cobalt Strike 4.11

This release marked a strategic shift toward providing novel evasion capabilities out of the box, reducing the configuration burden on operators.

Features:

  • Introduced novel out-of-the-box Sleepmask with automatic Beacon obfuscation
  • Added ObfSetThreadContext process injection technique as default injection method
  • Ported reflective loader to prepend/sRDI style with EAF bypass and indirect syscall support
  • Added transform-obfuscate for automatic payload obfuscation routines
  • Introduced asynchronous BOF execution via async-execute.dll
  • Added DNS over HTTPS (DoH) Beacon for stealthy C2 communication

Release blog:

Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping

Cobalt Strike 4.11.1

4.11.1 was an out of band update that fixed an issue regarding module stomping that was discovered in the 4.11 release.

Release blog:

Out of Band Update: Cobalt Strike 4.11.1

Cobalt Strike 4.10

Cobalt Strike 4.10 equipped operators with the hooks and development templates needed to customize Beacon’s runtime behavior and stay ahead of EDRs increasingly flagging API calls from unbacked memory.

Features:

  • Introduced BeaconGate for dynamically instrumenting Beacon’s API calls
  • Released Postex Kit for custom post-exploitation tradecraft
  • Added Sleepmask-VS template for simplified custom sleep mask development
  • Overhauled Sleepmask API with BeaconGate integration
  • Added support for hot-swapping C2 hosts during operations
  • Updated minimum Java requirement from Java 8 to Java 11

Release blog:

Cobalt Strike 4.10: Through the BeaconGate

Cobalt Strike 4.10.1

4.10.1 was an out of band update that fixed client disconnection issues with multiple team server connections and x86 Beacon crashes when using indirect syscalls on Windows 11.

Release blog:

Out of Band Update: Cobalt Strike 4.10.1

Cobalt Strike 4.9

This release reflected a major architectural investment in loader customization and marked the beginning of official support for prepend-style loaders.

Features:

  • Overhauled post-exploitation DLLs to support User Defined Reflective Loaders (UDRLs)
  • Added ability to export Beacon without a loader for prepend-style UDRLs
  • Introduced Beacon Data Store for caching BOFs and .NET assemblies in memory
  • Added callback support for Aggressor Script functions
  • Introduced HTTP Host Profiles for per-host C2 customization
  • Added client-to-client data sharing via Aggressor Script

Release blog:

Cobalt Strike 4.9: Take Me To Your Loader

Cobalt Strike 4.9.1

4.9.1 was an out of band update that fixed issues with the default post-ex reflective loader not applying obfuscation and cleanup options correctly.

Release blog:

Out of Band Update: Cobalt Strike 4.9.1

Cobalt Strike 4.8

This release gave operators more control over payload execution and evasion with system call support, payload guardrails for targeted delivery, and a token store for managing credentials on the fly.

Features:

  • Added support for direct and indirect system calls
  • Introduced payload guardrails (IP, username, hostname, domain restrictions)
  • Added token store for hot-swapping tokens during operations
  • Enabled team server data persistence (screenshots, keylogging, downloads) across restarts
  • Added flexible sleep time syntax (seconds, minutes, hours, days)
  • Introduced clearteamserverdata script for post-engagement cleanup

Release blog:

Cobalt Strike 4.8: (System) Call Me Maybe

Cobalt Strike 4.7

This release celebrated Cobalt Strike’s 10th anniversary and reflected continued investment in the platform following Fortra’s acquisition.

Features:

  • Added SOCKS5 proxy support with DNS resolution and UDP
  • Introduced new BOF memory options (bof_allocator, bof_reuse_memory) to reduce fingerprinting
  • Overhauled Sleep Mask to execute as a BOF with increased size limit (8192 bytes)
  • Refreshed UI with dark mode support
  • Updated module stomping with customizable ordinal search
  • Enhanced steal_token with customizable access mask

Release blog:

Cobalt Strike 4.7: The 10th Anniversary Edition

Cobalt Strike 4.7.1 and 4.7.2

These out-of-band updates provided fixes for 4.7. Version 4.7.1 fixed sleep mask memory allocation issues, pivot Beacon size limits, and an XSS vulnerability in the team server. Version 4.7.2 hardened the client against an RCE vulnerability in Java Swing’s HTML rendering that affects any Java GUI application.

Release blog:

Out Of Band Update: Cobalt Strike 4.7.1

Out Of Band Update: Cobalt Strike 4.7.2