Declaration of Jason B. Lyons in Support of Application for an Emergency Ex Parte Temporary Restraining Order and Order to Show Cause re Preliminary Injunction
Microsoft Corporation, Fortra, LLC, and Health-ISAC, Inc. v. John Does 1-2, John Does 3-4 (aka Conti Ransomware Group), John Does 5-6 (aka LockBit Ransomware Group), John Does 7-8 (aka DEV-0193), John Does 9-10 (aka DEV-0206), John Does 11-12 (aka DEV-0237), John Does 13-14 (aka DEV-0243), John Does 15-16 (aka DEV-0504)
Date of Court Filing: March 30, 2023
Court Name: United States District Court
Court Jurisdiction: Eastern District of New York
Case Number: 1:23-cv-02447-RER-LKE
Document Summary
This declaration from Microsoft Digital Crimes Unit Principal Manager of Investigations Jason B. Lyons is the case's investigative roadmap for how Microsoft and its co-plaintiffs identified, attributed, and technically tracked the criminal misuse of cracked Cobalt Strike. Unlike a pure reverse-engineering report, the Lyons declaration focuses on detection methodology, threat intelligence collection, malware telemetry, and the evidentiary process Microsoft used to separate legitimate licensed Cobalt Strike activity from malicious command-and-control infrastructure. Lyons explains that Microsoft analyzed roughly 50,000 unique cracked Cobalt Strike samples, deliberately deployed cracked versions to investigator-controlled systems, and monitored beacon traffic, domains, IP addresses, and infrastructure behavior over time. He also emphasizes the role of Cobalt Strike watermarks (license-derived identifiers embedded in each Beacon payload), including repeated illegitimate values such as 666 and 1234567890, and describes how Microsoft paired watermark analysis with a dedicated crawler and Microsoft Defender telemetry to identify active malicious servers.
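To make the watermark check concrete, here is an added example written for this page; it is not code from the declaration, from Microsoft, or from Fortra. It assumes the publicly documented Beacon 4.x configuration layout: a blob XOR-masked with the single byte 0x2E, containing big-endian TLV records (index, type, length, value) in which setting index 37 is the four-byte watermark and index 8 is the C2 server string. That layout, the XOR key, the setting indices, and the constructed sample blobs are assumptions for the example, not facts stated in the filing; the only watermark values taken from the filing are 666 and 1234567890.

```python
import struct

# Watermark values the Lyons declaration cites as recurring illegitimate
# (cracked-copy) markers.
KNOWN_ILLEGITIMATE_WATERMARKS = {666, 1234567890}

# Assumed Beacon 4.x config layout (from public parsers, NOT from this filing):
# the config is XOR-masked with 0x2E and consists of big-endian TLV records
#   index:u16  type:u16  length:u16  value[length]
# type 1 = u16, type 2 = u32, type 3 = raw bytes / NUL-padded string.
# Setting index 37 holds the license watermark; index 8 the C2 server string.
XOR_KEY = 0x2E
IDX_C2_SERVER = 8
IDX_WATERMARK = 37
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3


def xor_mask(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Apply the single-byte XOR mask; symmetric, so it also unmasks."""
    return bytes(b ^ key for b in blob)


def parse_settings(plain: bytes) -> dict:
    """Walk TLV records until the zero-index terminator or end of data."""
    settings = {}
    off = 0
    while off + 6 <= len(plain):
        idx, typ, length = struct.unpack_from(">HHH", plain, off)
        off += 6
        if idx == 0:
            break                      # terminator record
        value = plain[off:off + length]
        off += length
        if typ == TYPE_SHORT and len(value) >= 2:
            settings[idx] = struct.unpack(">H", value[:2])[0]
        elif typ == TYPE_INT and len(value) >= 4:
            settings[idx] = struct.unpack(">I", value[:4])[0]
        else:
            settings[idx] = value.rstrip(b"\x00")
    return settings


def extract_watermark(masked_config: bytes):
    """Return the u32 watermark, or None if the config carries none."""
    return parse_settings(xor_mask(masked_config)).get(IDX_WATERMARK)


def classify_watermark(watermark) -> str:
    """Flag only the values the filing names; everything else needs corroboration."""
    if watermark is None:
        return "no-watermark"
    if watermark in KNOWN_ILLEGITIMATE_WATERMARKS:
        return "known-illegitimate"
    # Any other value still needs licensee records, crawler results, or
    # telemetry before it is treated as legitimate or malicious.
    return "unverified"


def build_sample_config(watermark: int, c2_host: str) -> bytes:
    """Constructed test fixture: a minimal masked config, not a real capture."""
    recs = struct.pack(">HHH", IDX_C2_SERVER, TYPE_BYTES, 256)
    recs += c2_host.encode().ljust(256, b"\x00")
    recs += struct.pack(">HHH", IDX_WATERMARK, TYPE_INT, 4)
    recs += struct.pack(">I", watermark)
    recs += struct.pack(">HHH", 0, 0, 0)   # terminator
    return xor_mask(recs)


def triage(masked_config: bytes) -> dict:
    """One-shot triage record: C2 host, watermark, and verdict for a config blob."""
    settings = parse_settings(xor_mask(masked_config))
    wm = settings.get(IDX_WATERMARK)
    return {
        "c2_server": settings.get(IDX_C2_SERVER, b"").decode(errors="replace"),
        "watermark": wm,
        "verdict": classify_watermark(wm),
    }


if __name__ == "__main__":
    # 203.0.113.0/24 is documentation address space; these hosts are made up.
    for wm, host in [(666, "203.0.113.10"), (1234567890, "203.0.113.20"),
                     (305419896, "203.0.113.30")]:
        print(triage(build_sample_config(wm, host)))
```

The verdict deliberately stays at "unverified" for any watermark not on the list: a single unfamiliar value is not evidence of cracking on its own, which is why the declaration pairs watermark analysis with crawler results and Defender telemetry before a server is marked for takedown.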
What makes this filing especially significant is that it bridges malware operations and civil litigation strategy. Lyons does not merely say that Cobalt Strike is abused; he explains how Microsoft built a high-confidence process for identifying which C2 nodes should be disabled. He links cracked Cobalt Strike to major ransomware families including Conti, LockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat, and PlayCrypt, showing how the cracked framework is used as a malware loader, persistent backdoor, and ransomware delivery platform. The declaration also highlights the broader victimology, including attacks affecting healthcare institutions, and supports the request for emergency ex parte relief by showing why fast, coordinated action is necessary before operators migrate their infrastructure. For cybersecurity researchers, incident responders, ransomware analysts, and lawyers handling botnet disruption, this is a key source on Cobalt Strike watermark intelligence, sinkholing evidence, malware infrastructure tracking, and the use of court-authorized takedowns against globally distributed cybercrime networks.
