From Intel471:
Since its release in 2012, Cobalt Strike has been one of the most popular tools for penetration testers to use when simulating how known threat actor tools will look when targeting an organization’s network. However, there is a downside to that popularity: the criminals love it, too. And if they are using it, it’s definitely not to simulate any sort of attack.
Cobalt Strike has become a very common second-stage payload for many malware campaigns across many malware families.
[…]
Despite the obfuscation techniques, Intel 471 has collected a wealth of information on how the cybercrime underground has refashioned this security tool to its advantage. The following takes a deeper look at which threat actor groups and malware families are dropping Cobalt Strike for post-exploitation.
Read more on Intel471.