Cobalt Strike 4.11.1 Released: Critical Fixes and Enhancements

On May 12, 2025, Fortra released Cobalt Strike version 4.11.1, an out-of-band update addressing critical issues identified in the recent 4.11 release. This update focuses on resolving module stomping complications, enhancing SSL certificate functionality, and introducing deprecation warnings for legacy features.

Resolution of Module Stomping Crash

A significant fix in this release addresses a critical issue where Beacon would crash under specific conditions when using module stomping alongside the new ObfSetThreadContext injection technique introduced in version 4.11. This crash occurred particularly when targeting processes with Control Flow Guard enabled. The official release announcement stated:

“We fixed an issue which caused Beacon to crash in edge cases when module stomping was used in conjunction with ObfSetThreadContext injection when the target process had Control Flow Guard enabled.”

The release includes a patch for this issue. For users whose User Defined Reflective Loaders (UDRLs) perform module stomping, Fortra recommends explicitly setting the METHOD_MODULESTOMP parameter as part of the ALLOCATED_MEMORY structure in their UDRL implementation. This ensures Beacon remains aware of potential Control Flow Guard-related issues. The team suggests referencing the bud-loader in UDRL-vs, included in the Cobalt Strike arsenal kit, for implementation examples.

Enhancement of ‘Enable SSL’ Checkbox Functionality

The update also resolves a significant usability issue with the ‘Enable SSL’ checkbox. Previously, when users configured a self-signed certificate via the ‘https-certificate’ setting, the ‘Enable SSL’ checkbox would become disabled, preventing HTTPS from being enabled. With version 4.11.1, the checkbox remains available when a self-signed certificate is configured, allowing users to implement secure communications with their Beacon infrastructure.

Cobalt Strike documentation provides two approaches for SSL certificate implementation:

– Self-signed SSL certificates, configurable through parameters including Country (C), Common Name (CN), Organization (O), and validity period.

– Valid SSL certificates using Java Keystore files with proper certificate information.

Deprecation Warnings for Stomp Reflective Loaders

The release introduces explicit deprecation warnings for stomp reflective loaders in the c2lint program. This follows the team’s announcement in the 4.11 release that they are transitioning to prepend loaders as the default mechanism. The c2lint utility will now display warnings when stomp loaders are used, reinforcing the pending end of support in future releases.

Background on Cobalt Strike 4.11 Enhancements

The 4.11.1 update comes just two months after the major 4.11 release, which introduced significant new functionality, including:

– A novel Sleepmask for runtime obfuscation.

– The ObfSetThreadContext process injection technique.

– DNS over HTTPS (DoH) Beacon capabilities.

These enhancements aimed to improve evasion capabilities and operational flexibility for red teams.

Availability and Recommendations

Licensed users can download version 4.11.1 immediately from Fortra’s website. Organizations managing existing Cobalt Strike environments that don’t require immediate updating can alternatively obtain a new authorization file using the Authorization Generation page rather than performing a full update.

This rapid out-of-band release demonstrates Fortra’s commitment to quickly addressing critical issues in their red team simulation platform, which has become an essential tool for security professionals conducting advanced adversary emulation exercises.