Between early December and December 18, 2025, Censys observed a large burst of newly appearing Cobalt Strike listeners originating from two distinct autonomous systems: AS138415 (YANCY) and AS133199 (SonderCloud LTD).

| Date | AS138415 Cobalt Strike Hosts | AS133199 Cobalt Strike Hosts |
|---|---|---|
| 2025-12-01 | 1 | 0 |
| 2025-12-02 | 2 | 0 |
| 2025-12-03 | 1 | 1 |
| 2025-12-04 | 16 | 1 |
| 2025-12-05 | 17 | 1 |
| 2025-12-06 | 119 | 0 |
| 2025-12-07 | 112 | 2 |
| 2025-12-08 | 6 | 117 |
| 2025-12-09 | 5 | 128 |
| 2025-12-10 | 2 | 34 |
| 2025-12-11 | 37 | 5 |
| 2025-12-12 | 239 | 2 |
| 2025-12-13 | 219 | 3 |
| 2025-12-14 | 240 | 2 |
| 2025-12-15 | 407 | 1 |
| 2025-12-16 | 222 | 0 |
| 2025-12-17 | 21 | 1 |
| 2025-12-18 | 226 | 1 |
| 2025-12-19 | 243 | 1 |
| 2025-12-20 | 244 | 2 |
| 2025-12-21 | 14 | 2 |
| 2025-12-22 | 0 | 2 |
| 2025-12-23 | 0 | 2 |
In the timeline above, AS138415 first shows limited "seed" activity from December 4 (16 and 17 new hosts on consecutive days), followed by a jump to 119 new Cobalt Strike servers on December 6. Within just two days, however, nearly all of that newly added infrastructure is gone. On December 8, AS133199 shows a near mirror-image pattern: 117 new servers that day and 128 the next, followed by the same rapid drop-off.
One of the largest contiguous address ranges involved in this activity was 23.235.160.0/19 within AS138415, where more than 150 distinct IPs were observed hosting Cobalt Strike listeners during this window. According to ARIN registration records, this netblock was allocated to RedLuff, LLC in September 2025, only a few months before the observed activity.
NetRange: 23.235.160.0 - 23.235.191.255
CIDR: 23.235.160.0/19
NetName: RL-925
NetHandle: NET-23-235-160-0-1
Parent: NET23 (NET-23-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: RedLuff, LLC (RL-925)
RegDate: 2025-09-05
Updated: 2025-09-05
Ref: https://rdap.arin.net/registry/ip/23.235.160.0
OrgName: RedLuff, LLC
OrgId: RL-925
Address: 1603 Capitol Ave, Ste 310-WY291
City: Cheyenne
StateProv: WY
PostalCode: 82001
Country: US
RegDate: 2025-05-06
Updated: 2025-05-20
Comment: Standard NOC hours are 24/7. Website: https://www.yaim.com
Ref: https://rdap.arin.net/registry/entity/RL-925

Although RedLuff claims to have operated since 2020, the company's domain name was not registered until May 20, 2025, and shows no meaningful web presence before that date. The address listed on RedLuff's website places the company at "Unit 218, Level 3, KL Gateway Mall, 2, Jalan Kerinchi, Kampung Kerinchi, 59200 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur," a commercial shopping mall in Malaysia. This directly conflicts with the ARIN WHOIS record, which lists RedLuff's address as "1603 Capitol Ave, Cheyenne, Wyoming". If Google Maps is to be believed, that address is actually an American restaurant in a small town. In other words, at least one of the two addresses is incorrect, intentionally or otherwise.
Additionally, the imagery on RedLuff’s website appears to include a visible “616pic[.]com” watermark across the center, shown in the overlaid red box, suggesting the image is a cheaply acquired stock photograph rather than a legitimate depiction of the company-owned data center.

RIR transfer records show that since September 2025, RedLuff has acquired a large number of IP address blocks from organizations such as Xiaozhiyun LLC and MOACK Co. Without additional context, it is difficult to distinguish between organic growth and address space acquisition through brokerage or leasing mechanisms.

Several of the IP address blocks originating from MOACK were transferred in October 2025 from APNIC into ARIN jurisdiction and subsequently assigned to RedLuff. This inter-RIR transfer process has the effect of obscuring the blocks’ original allocation history, causing the address space to appear US-based despite its prior registration under non-US entities.

This is not an accusation of malicious intent, but a statement of observable fact. The RedLuff organization appears to have established a public internet presence only in May 2025. Within months, multiple IP address blocks were transferred into its ownership, and by December 2025 (roughly seven months after its emergence and only three months after acquiring portions of this address space), Censys observed a sharp, short-lived increase in the number of Cobalt Strike servers originating from those newly allocated networks.
Transfers of IPv4 space from APNIC to ARIN, followed by reassignment to newly established entities, are commonly used to access different markets. While permitted under RIR policies, such multi-stage transfers can obscure historical usage and complicate attribution when the space is later observed hosting abusive infrastructure.
The Cobalt Strike servers themselves appear to be a small number of unique instances spread across hundreds of IP aliases, suggesting only three or four physical servers. We observed six unique Cobalt Strike public keys, most of which are no longer in use, as the hosts have since shut down (for the moment). Representative beacon configurations extracted from these hosts follow.
Example: 38.190.198.35 @ 2025-12-19
Beacon Timing Configuration
- Sleep interval: 10,000 ms (10 seconds)
- Jitter: 37%
HTTP GET
- Method: GET
- URI: /jquery-3.3.1.min.js
- Headers:
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Referer: https://code.jquery.com/
- Accept-Encoding: gzip, deflate
- Cookie-based beaconing enabled (__cfduid)
HTTP POST
- Method: POST
- URI: /jquery-3.3.2.min.js
- Headers:
- Same browser-mimicking header set as GET
- Cookie-based data exfiltration enabled
User-Agent:
- Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Example: 156.234.251.12 @ 2025-12-10
HTTP GET:
- Method: GET
- URI: /User/Sub/Server/v5.65/apiv2/3SCXRZP6YUSL
- Headers:
- Accept: image/*, application/xhtml+xml, text/html
- Accept-Language: en-nz
- Accept-Encoding: identity, br
- Cookie-based beaconing enabled (auth_token44FG=)
HTTP POST
- Method: POST
- URI: /User/Download/Server/test/apiv2/6GRBRTFCYL0WU75
- Headers:
- Accept: text/html, application/xhtml+xml, image/*
- Accept-Language: es
- Accept-Encoding: identity, gzip
- Cookie-based data exfiltration enabled (_FPVFNWLD)
User-Agent:
- Mozilla/5.0 (Windows NT 5.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Example: 208.87.203.61 @ 2025-12-08
Beacon Timing Configuration
- Sleep interval: 45,000 ms (45 seconds)
- Jitter: 37%
HTTP GET
- Method: GET
- URI: /jquery-3.3.1.min.js
- Observed host reference: 208.87.203.40
- Headers:
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Referer: https://code.jquery.com/
- Accept-Encoding: gzip, deflate
- Cookie-based beaconing enabled (__cfduid)
HTTP POST
- Method: POST
- URI: /jquery-3.3.2.min.js
- Headers:
- Same browser-mimicking header set as GET
- Cookie-based data exfiltration enabled (__cfduid)
User-Agent:
- Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Example: 103.41.6.34 @ 2025-12-18
Beacon Timing Configuration
- Sleep interval: 3,000 ms (3 seconds)
- Jitter: 31%
HTTP GET
- Method: GET
- URI: /v3/weather/weatherInfo
- Observed host reference: 43.240.239.226
- Headers:
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
- Accept: */*
- Accept-Encoding: gzip, deflate, br
- Accept-Language: zh-CN,zh;q=0.9
- Connection: keep-alive
- Referer: https://www.amap.com/
HTTP POST
- Method: POST
- URI: /v3/assistant/inputtips
- Headers:
- Content-Type: application/x-www-form-urlencoded
- Accept: */*
- Accept-Encoding: gzip, deflate, br
- Accept-Language: zh-CN,zh;q=0.9
- Origin: https://www.amap.com
- Referer: https://www.amap.com/
User-Agent:
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Example: 43.240.30.149 @ 2025-12-08
Beacon Timing Configuration
- Sleep interval: 15,000 ms (15 seconds)
- Jitter: 20%
HTTP GET
- Method: GET
- URI (x86): /cdn/jquery-3.6.0.js
- URI (x64): /static/jquery.min.js
- Observed host reference: 192.168.186.133
- Headers:
- Accept: text/javascript, application/javascript, */*
- Accept-Language: en-US,en;q=0.9
- Accept-Encoding: gzip, deflate
- Referer: https://www.example.com/
- Cache-Control: no-cache
- Host: 192.168.186.133
- Cookie-based beaconing enabled (PHPSESSID)
HTTP POST
- Method: POST
- URI: /api/event
- Headers / Parameters:
- Content-Type: application/x-www-form-urlencoded
- POST parameters: uid, data
- Host: 192.168.186.133
User-Agent:
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
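The profiles above repeat the same URIs, cookie names and User-Agent strings across many IPs, which is what supports the reading of a few team servers behind hundreds of aliases. The following Python is an added example, not Censys code or output: it clusters parsed beacon configs by public key (and, as a fallback when no key was recovered, by the stable profile fields), derives the callback-interval window implied by sleep and jitter, and checks an observed HTTP request against a profile. The records are constructed from the profiles listed above; the `pubkey` labels are hypothetical placeholders, not real key fingerprints, and `None` marks fields the page did not give.

```python
from collections import defaultdict

# Records constructed from the beacon profiles shown on this page.
# "pubkey" values are hypothetical labels standing in for the extracted
# public keys; None means the page gave no value for that field.
IE11_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
BEACONS = [
    {"ip": "38.190.198.35", "seen": "2025-12-19", "pubkey": "KEY-A",
     "sleep_ms": 10000, "jitter": 37,
     "get_uri": "/jquery-3.3.1.min.js", "post_uri": "/jquery-3.3.2.min.js",
     "cookie_prefix": "__cfduid", "ua": IE11_UA},
    {"ip": "208.87.203.61", "seen": "2025-12-08", "pubkey": "KEY-A",
     "sleep_ms": 45000, "jitter": 37,
     "get_uri": "/jquery-3.3.1.min.js", "post_uri": "/jquery-3.3.2.min.js",
     "cookie_prefix": "__cfduid", "ua": IE11_UA},
    {"ip": "156.234.251.12", "seen": "2025-12-10", "pubkey": "KEY-B",
     "sleep_ms": None, "jitter": None,  # timing not shown on the page
     "get_uri": "/User/Sub/Server/v5.65/apiv2/3SCXRZP6YUSL",
     "post_uri": "/User/Download/Server/test/apiv2/6GRBRTFCYL0WU75",
     "cookie_prefix": "auth_token44FG=",
     "ua": "Mozilla/5.0 (Windows NT 5.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"},
    {"ip": "103.41.6.34", "seen": "2025-12-18", "pubkey": "KEY-C",
     "sleep_ms": 3000, "jitter": 31,
     "get_uri": "/v3/weather/weatherInfo", "post_uri": "/v3/assistant/inputtips",
     "cookie_prefix": None,
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0"},
    {"ip": "43.240.30.149", "seen": "2025-12-08", "pubkey": "KEY-D",
     "sleep_ms": 15000, "jitter": 20,
     "get_uri": "/cdn/jquery-3.6.0.js",  # x86 URI; the x64 variant differs
     "post_uri": "/api/event", "cookie_prefix": "PHPSESSID",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
]


def sleep_window_ms(sleep_ms, jitter_pct):
    """Callback interval implied by a profile's sleep and jitter.

    Cobalt Strike jitter shortens each sleep by a random 0..jitter percent,
    so observed intervals fall in [sleep * (1 - jitter/100), sleep].
    Returns None when the config did not expose timing.
    """
    if sleep_ms is None or jitter_pct is None:
        return None
    return (sleep_ms * (100 - jitter_pct) // 100, sleep_ms)


def cluster_by_pubkey(records):
    """IPs grouped by team-server public key: one key, one server instance."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["pubkey"]].append(r["ip"])
    return dict(clusters)


def profile_signature(r):
    """Fields that stay constant across IP aliases of one team server;
    a pivot for when the public key was not recovered."""
    return (r["get_uri"], r["post_uri"], r["cookie_prefix"], r["ua"])


def cluster_by_profile(records):
    clusters = defaultdict(list)
    for r in records:
        clusters[profile_signature(r)].append(r["ip"])
    return dict(clusters)


def matches_profile(r, method, uri, headers):
    """True if an observed request matches the profile's method/URI, its
    User-Agent and, where the profile prepends a cookie, that cookie."""
    if method not in ("GET", "POST"):
        return False
    expected_uri = r["get_uri"] if method == "GET" else r["post_uri"]
    if uri != expected_uri or headers.get("User-Agent") != r["ua"]:
        return False
    if r["cookie_prefix"]:
        return headers.get("Cookie", "").startswith(r["cookie_prefix"])
    return True


if __name__ == "__main__":
    for key, ips in cluster_by_pubkey(BEACONS).items():
        print(key, ips)
    for r in BEACONS:
        print(r["ip"], sleep_window_ms(r["sleep_ms"], r["jitter"]))
```

The profile-field clustering is the weaker pivot: two operators can share a public malleable profile, so identical URIs and headers across IPs only suggest, rather than prove, a common team server. The sleep window is what a network detection would key on: with a 10,000 ms sleep and 37% jitter, beacon check-ins from one implant arrive between 6.3 and 10 seconds apart.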
Below are the /24 blocks in which we saw more than five new servers start up in a single day:
43.240.239.*
23.248.214.*
23.235.188.*
23.235.187.*
23.235.174.*
23.235.163.*
23.226.48.*
208.87.205.*
208.87.204.*
208.87.203.*
156.234.252.*
156.234.216.*
156.234.209.*
156.234.152.*
156.234.145.*
156.234.101.*
149.30.248.*
103.48.135.*
103.41.6.*
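Both the timeline table earlier on this page and the block list above derive from the same computation: take each IP's first-seen date, then count new hosts per day (per AS for the table, per /24 for the list) and apply a threshold. The Python below is an added example reproducing that computation; it is not Censys code, and its observations are constructed (the /24s are ones named on this page, but the dates, host counts and AS assignments are invented to exercise the logic, including a block that is re-observed on a later day without being counted again).

```python
from collections import Counter, defaultdict
from ipaddress import ip_network


def _obs(date, block, count, asn, start=10):
    """Build constructed observations: `count` hosts in one /24 on one day."""
    return [(date, f"{block}.{start + i}", asn) for i in range(count)]


# Constructed (date, ip, asn) observations, not Censys scan data.
OBSERVATIONS = (
    _obs("2025-12-04", "23.235.188", 3, "AS138415")
    + _obs("2025-12-06", "23.235.188", 8, "AS138415")   # 3 re-seen, 5 new
    + _obs("2025-12-06", "23.235.187", 7, "AS138415")   # 7 new
    + _obs("2025-12-08", "156.234.252", 6, "AS133199")  # 6 new
    + _obs("2025-12-08", "23.235.188", 8, "AS138415")   # all re-seen, 0 new
)


def first_seen(observations):
    """Earliest date each IP was observed hosting a listener. Dates are
    ISO strings, so plain string comparison orders them correctly."""
    seen = {}
    for date, ip, _asn in observations:
        if ip not in seen or date < seen[ip]:
            seen[ip] = date
    return seen


def daily_new_by_asn(observations):
    """Newly appearing hosts per day per AS: the rows of the timeline table."""
    asn_of = {ip: asn for _date, ip, asn in observations}
    counts = defaultdict(Counter)
    for ip, date in first_seen(observations).items():
        counts[date][asn_of[ip]] += 1
    return {date: dict(c) for date, c in sorted(counts.items())}


def bursting_blocks(observations, threshold=5, prefix=24):
    """Prefixes in which more than `threshold` hosts were first seen on a
    single day, the criterion behind the block list on this page."""
    per_block_day = Counter()
    for ip, date in first_seen(observations).items():
        block = ip_network(f"{ip}/{prefix}", strict=False)
        per_block_day[(str(block), date)] += 1
    return sorted({blk for (blk, _), n in per_block_day.items() if n > threshold})


if __name__ == "__main__":
    for date, row in daily_new_by_asn(OBSERVATIONS).items():
        print(date, row)
    print(bursting_blocks(OBSERVATIONS))
```

Counting first-seen dates rather than raw daily sightings is what makes the "new hosts" columns meaningful: a host that stays up for a week contributes to one day only, so a sustained run of high numbers (as on December 12 to 20 for AS138415) reflects continual churn of fresh addresses rather than a static fleet being re-scanned.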

