Analysing Fileless Malware: Cobalt Strike Beacon
ID: 07bcd6b1-b54b-563a-b4ee-934ce2090554
STIX ID: report--07bcd6b1-b54b-563a-b4ee-934ce2090554
Feed Name: On the Hunt
This report analyzes a FedEx-themed, multi-stage phishing campaign in which a JNLP attachment launched a JAR that downloaded an executable (fedex912.exe → gennt.exe), established persistence under %PROGRAMDATA%, and used PowerShell to decode, decrypt, and inject Cobalt Strike shellcode into memory, creating a fileless Beacon that connects to remote C2 infrastructure. The write-up covers JAR decompilation, executable behavior, PowerShell decoding, and shellcode emulation, and provides IOCs (SHA256 hashes, domains, run location, and registry key).