Thanks to a tiny anomaly in a penetration-testing tool, a security company was able to track command and control (C&C) traffic generated by several well-known hacking groups for 4 years.
This news emerged in a write-up by Fox-IT, which described how in 2015 one of its researchers spotted a small ‘whitespace’ error in HTTP responses from the ‘beacon’ NanoHTTPD-based web server that can be implanted inside a target network as part of a tool called Cobalt Strike.
Cobalt Strike is a legitimate pen-testing tool used to simulate adversaries in red team testing scenarios. Unfortunately, in recent years Cobalt Strike has also acquired a following among cybercriminals who use it after first breaking its copy protection.

It’s a ready-made platform that gives an adversary (legitimate or otherwise) a foothold through which they can control sideways movement in the network and serve payloads from the comfort of a GUI.
However, this harmless and almost imperceptible whitespace flaw allowed Fox-IT to turn the communication into an Intrusion Detection System (IDS) fingerprint, which allowed its analysts to see public Cobalt Strike servers.
That remained true until early January, when Cobalt Strike v3.13 finally fixed the issue, which Fox-IT believes had been present in the software since 2012.
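The detection idea described above, as an added example that is not from the article or from Fox-IT’s own rule: a small Python checker that flags HTTP responses whose status line carries stray whitespace, the kind of implementation quirk an IDS fingerprint can key on. The page only says ‘whitespace error’, so the example assumes the anomaly is a trailing space after the reason phrase; the responses and server addresses are constructed samples, not captured traffic.

```python
import re

# Constructed sample responses (not captured traffic). The first carries a
# trailing space after the status line's reason phrase; the second is clean,
# the way a server that has fixed such a quirk would answer.
ANOMALOUS_RESPONSE = (
    b"HTTP/1.1 200 OK \r\n"
    b"Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# A well-formed status line: version, a single space, three-digit status,
# optionally a single space and a reason phrase. Checked after stripping
# trailing whitespace so that the whitespace findings are reported separately.
STATUS_LINE_RE = re.compile(rb"HTTP/\d\.\d \d{3}( [^\r\n]*)?")


def status_line_findings(response: bytes) -> list[str]:
    """Return a list of whitespace anomalies found in the HTTP status line.

    An empty list means the status line looks normal. Only the first line is
    examined; headers and body are not parsed.
    """
    end = response.find(b"\r\n")
    if end == -1:
        return ["no CRLF-terminated status line"]
    line = response[:end]
    findings = []
    if line != line.rstrip(b" \t"):
        findings.append("trailing whitespace after reason phrase")
    if line.startswith((b" ", b"\t")):
        findings.append("leading whitespace before version")
    core = line.strip(b" \t")
    if b"  " in core or b"\t" in core:
        findings.append("irregular separator whitespace")
    if STATUS_LINE_RE.fullmatch(core) is None:
        findings.append("malformed status line")
    return findings


def scan_responses(flows):
    """Scan (server, response_bytes) pairs and return (server, findings) for hits.

    This is the fingerprinting step: every server whose status line shows an
    anomaly is reported so an analyst can review it.
    """
    alerts = []
    for server, response in flows:
        findings = status_line_findings(response)
        if findings:
            alerts.append((server, findings))
    return alerts


# Constructed flow table using documentation-range addresses.
SAMPLE_FLOWS = [
    ("203.0.113.5:80", ANOMALOUS_RESPONSE),
    ("198.51.100.7:443", CLEAN_RESPONSE),
]

if __name__ == "__main__":
    for server, findings in scan_responses(SAMPLE_FLOWS):
        print(f"{server}: {', '.join(findings)}")
```

The check is deliberately narrow: it matches a byte-level quirk rather than anything about the payload, which is what makes it both cheap to run over large volumes of traffic and perishable. As the article notes, once the software that produced the quirk is corrected, a response like CLEAN_RESPONSE no longer triggers it, so a fingerprint of this kind needs to be tracked against the tool’s release history.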
The whole point of pen-testing tools (of which Cobalt Strike is only one) is that the advantages of using them to improve security outweigh any negatives arising from their misuse.