Cobalt Strike 4.12 launched on November 24, 2025, bringing major updates for red team operators, including a refreshed graphical user interface, beta REST API, and User Defined Command and Control (UDC2) for custom C2 channels.
The release adds evasion-focused process injection techniques, fresh UAC bypasses, and drip loading to counter endpoint detection and response tools.
The minimum Java version rises from 11 to 17, and the release fixes issues such as SSH Beacon support on newer macOS and Linux distributions.
Core Evasion Enhancements
Developers overhauled process injection with four new Beacon Object File (BOF)-based methods: RtlCloneUserProcess clones a process so that the allocate/write/execute sequence EDR hooks key on is not performed in the usual way; TpDirect and TpStartRoutineStub manipulate Windows thread pools to get execution in a remote process instead of creating a remote thread directly; EarlyCascade (fork-and-run only) redirects process initialization so the injected payload runs as part of start-up.
Users can add custom injections via Aggressor Script hooks, such as PROCESS_INJECT_EXPLICIT_USER.
New UAC bypasses include uac-rpc-dom (AppInfo over ALPC via RPC, derived from UACME #59) and uac-cmlua (the ICMLuaUtil COM interface, UACME #41); both work on Windows 10 through Windows 11 24H2 and are usable with the elevate and runasadmin commands.

Drip loading now applies to both reflective loading and process injection: the payload is written in small chunks with a configurable delay between them (e.g., 100 ms), so detections that rely on tightly correlated allocate/write/execute events see only small, widely spaced writes. It is configured in the Malleable C2 profile, for example stage { set rdll_use_driploading "true"; set rdll_dripload_delay "100"; } for reflective loading and process-inject { set use_driploading "true"; } for process injection.
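To show why drip loading defeats detections keyed on tight time correlation, here is an added example in Python (not code from the page or from Cobalt Strike). It constructs two hypothetical cross-process memory-write event streams, one classic bulk injection and one drip-loaded with 1 KB chunks every 100 ms, then runs a narrow-window rule that only the bulk case trips and a per-target cumulative rule that catches both. The event schema, the thresholds and the detector names are assumptions chosen for illustration, not any real EDR or Cobalt Strike artefact.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class WriteEvent:
    """Hypothetical, simplified record of one cross-process memory write (not a real EDR schema)."""
    ts_ms: int    # event timestamp, milliseconds
    src_pid: int  # process performing the write
    dst_pid: int  # process being written into
    size: int     # bytes written


def bulk_injection(start_ms, src, dst, total=64 * 1024):
    """Constructed stream: classic allocate/write/execute puts the whole payload in one write."""
    return [WriteEvent(start_ms, src, dst, total)]


def drip_injection(start_ms, src, dst, total=64 * 1024, chunk=1024, delay_ms=100):
    """Constructed stream: drip loading writes small chunks with a fixed delay between them."""
    events, t = [], start_ms
    for off in range(0, total, chunk):
        events.append(WriteEvent(t, src, dst, min(chunk, total - off)))
        t += delay_ms
    return events


def _by_pair(events):
    """Group events by (src, dst) and sort each group by time."""
    pairs = defaultdict(list)
    for e in events:
        pairs[(e.src_pid, e.dst_pid)].append(e)
    for evs in pairs.values():
        evs.sort(key=lambda e: e.ts_ms)
    return pairs


def short_window_detector(events, window_ms=500, min_bytes=32 * 1024):
    """Tight correlation rule: flag a pair only if min_bytes land inside one window_ms span.

    This is the style of rule drip loading is designed to slip past: with 1 KB
    chunks every 100 ms, a 500 ms window never holds more than about 6 KB.
    """
    alerts = set()
    for pair, evs in _by_pair(events).items():
        lo, total = 0, 0
        for hi, e in enumerate(evs):
            total += e.size
            while evs[hi].ts_ms - evs[lo].ts_ms > window_ms:  # slide the window forward
                total -= evs[lo].size
                lo += 1
            if total >= min_bytes:
                alerts.add(pair)
                break
    return alerts


def cumulative_detector(events, horizon_ms=60_000, min_bytes=32 * 1024,
                        min_writes=16, max_jitter_ms=10):
    """Aggregate per pair over a long horizon and also score write cadence.

    Flags a pair when the total written within horizon_ms of its first write
    reaches min_bytes, or when it shows at least min_writes evenly spaced writes
    (a fixed dripload delay produces a very regular interval).
    """
    alerts = {}
    for pair, evs in _by_pair(events).items():
        first = evs[0].ts_ms
        window = [e for e in evs if e.ts_ms - first <= horizon_ms]
        total = sum(e.size for e in window)
        gaps = [b.ts_ms - a.ts_ms for a, b in zip(window, window[1:])]
        interval = median(gaps) if gaps else None
        steady = (len(window) >= min_writes
                  and all(abs(g - interval) <= max_jitter_ms for g in gaps))
        if total >= min_bytes or steady:
            alerts[pair] = {"bytes": total, "writes": len(window), "interval_ms": interval}
    return alerts


if __name__ == "__main__":
    stream = (bulk_injection(0, 100, 200)          # classic injection, PID 100 -> 200
              + drip_injection(0, 100, 300)        # drip-loaded injection, PID 100 -> 300
              + [WriteEvent(5, 400, 500, 4096)])   # benign single small write
    print("short-window alerts:", short_window_detector(stream))
    print("cumulative alerts:  ", cumulative_detector(stream))
```

The thresholds are illustrative; the design point is that the aggregation key should be the (source, target) pair over a horizon long enough to cover the whole drip, and that a fixed delay produces an unusually regular write cadence, which the second rule uses as a secondary signal.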
Pivot Beacons now use the Sleepmask introduced in 4.11, which performs asynchronous I/O via WaitForSingleObject; this simplifies custom Sleepmask development but changes the entry points, so custom Sleepmasks written against the prior interface will need updating.
Automation and Infrastructure Upgrades
UDC2 lets operators build C2 channels as BOFs that are patched into the payload and proxied through a Python server, enabling esoteric egress such as ICMP without the named-pipe problems of the older External C2 (extc2) interface. An open-source ICMP UDC2 channel and the UDC2-VS toolkit are available to aid development.
The REST API (beta) enables scripting in any language, automation, server-side storage, and custom clients; a demo MCP (Model Context Protocol) server shows it being driven from Anthropic's Claude.
Other improvements: a BeaconDownload BOF API for in-memory downloads of up to 2 GB (e.g., pulling credentials without writing to disk on the target); IPv6 support for SOCKS5; unlimited BOF function resolution; task_id logging; a beacon_info command for OPSEC checks; and a UDRL-VS GUI.
The modern GUI offers themes (Dracula, Solarized) and an updated Pivot Graph showing listener/pivot types.
Defenders should monitor for threat actor adoption of these techniques. Cobalt Strike also supports advanced research such as ML-driven post-exploitation; see the release notes and documentation for complete details.





