
Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure

ID: 54268a13-463b-55af-afb2-efc70fada041

STIX ID: report--54268a13-463b-55af-afb2-efc70fada041

Feed Name: Hunt.io Blog

Threat Score: 75/100

Date Published: 2026-02-16

Date Updated: 2026-04-28

...
...

A PowerShell shellcode loader (y1.ps1) found in an open directory on a Chinese host executes decrypted shellcode entirely in memory (using reflective techniques and API hashing), contacts a Baidu Cloud Function endpoint to download a second-stage payload, and ultimately deploys a Cobalt Strike Beacon that communicates with IP 46.173.27.142 (Beget LLC, Russia). The report provides technical analysis of the loader and shellcode, associated IOCs (SHA-256 hashes, domains, and multiple IP hosts across regions), SSL certificate metadata referencing "cobaltstrike", hunting queries used to find related scripts, and recommended mitigations such as tightening PowerShell policies, blocking IOCs, and enabling EDR/ASR protections.
