Recap of a Suspicious Surge in Cobalt Strike
ID: d39c82ca-e9d0-559d-b83f-c95b9b1187e2
STIX ID: report--d39c82ca-e9d0-559d-b83f-c95b9b1187e2
Feed Name: Censys Blog
Date Published: 2025-12-23
Date Updated: 2026-04-27
Author: Mark Ellzey, Senior Security Researcher
Censys observed a rapid, short-lived burst of Cobalt Strike listeners in early–mid December 2025 concentrated in two ASes (AS138415 and AS133199), with hundreds of ephemeral hosts spanning newly acquired address blocks (notably 23.235.160.0/19 assigned to RedLuff, LLC). The report documents timeline counts, lists affected IP blocks and six unique Cobalt Strike public keys, and highlights suspicious RIR transfer activity and inconsistent registration/website data for RedLuff that may indicate abuse of freshly transferred IP space for malicious infrastructure.
