Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity

ID: 1f836b37-3b75-5b55-968b-55577da4687f

STIX ID: report--1f836b37-3b75-5b55-968b-55577da4687f

Feed Name: Hunt.io Blog

Threat Score: 65/100

Date Published: 2026-02-16

Date Updated: 2026-04-28

Hunt researchers identified a cluster of Cobalt Strike 4.10 team servers linked by watermark 688983459 and a shared public key, hosted mainly in U.S. cloud infrastructure; the operators use brand-impersonating domains and specific beacon configurations (endpoints, user-agents, submitURI) to blend with legitimate traffic. The report enumerates IPs, domains, certificate details, public keys, and SHA-256 hashes of extracted payloads for detection, and briefly notes a separate cluster using watermark 1 (commonly associated with leaked/cracked builds).