If you see this page, you are at the right place to find details about Cobalt Strike configurations scraped in the wild.
What will you find here? IP addresses hosting beacons and the decoded configurations of the associated payloads. You will also be able to pivot on some of the fields ;)
Cobalt Strike is a commercial red-team tool used to simulate intrusions. Attackers also use cracked copies because it provides an end-to-end framework for post-exploitation.
A Beacon is its payload: a small implant dropped on a compromised machine. It maintains command-and-control (C2) communication, executes commands, moves laterally, and retrieves data. Beacons can communicate over HTTP(S), DNS, or other channels to blend into normal traffic.
They appear on malicious IPs because threat actors deploy their cracked Cobalt Strike servers on rented VPS infrastructure. Those servers expose the C2 endpoints that beacons call back to, making the IPs visible through scans, telemetry, or threat-intel feeds.