Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight
ID: 78aadc6e-90ba-5a8a-b97c-ef93c70ab817
STIX ID: report--78aadc6e-90ba-5a8a-b97c-ef93c70ab817
Feed Name: Hunt.io Blog
Hunt.io discovered an open directory on 199.187.25.57:8899 exposing Cobalt Strike 4.2, Goblin phishing configurations, and BrowserGhost/HackBrowserData credential-extraction tools. The report documents Cobalt Strike team servers, a shared TLS certificate (SHA-256 DFA9B3E8...), a common Cobalt Strike watermark (1359593325) seen across multiple IPs, and payloads targeting historical CVEs. Together these indicate an operator or coordinated infrastructure focused on exploitation and credential theft. The report also provides associated IOCs.
