Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure hunt.io/blog/coba…

First seen on June 1, 2025, the script triggered a deeper investigation into post-exploitation infrastructure.

This PowerShell loader reflects an active post-exploitation setup leveraging stealth techniques and Cobalt Strike infrastructure.

In this article, we break down how the shellcode operates, its evasion methods, and how we traced its connection to known Cobalt Strike infrastructure.