Declaration of Christopher Coy in Support of Application for an Emergency Ex Parte Temporary Restraining Order and Order to Show Cause re Preliminary Injunction
Microsoft Corporation, Fortra, LLC, and Health-ISAC, Inc. v. John Does 1-2, John Does 3-4 (aka Conti Ransomware Group), John Does 5-6 (aka LockBit Ransomware Group), John Does 7-8 (aka DEV-0193), John Does 9-10 (aka DEV-0206), John Does 11-12 (aka DEV-0237), John Does 13-14 (aka DEV-0243), John Does 15-16 (aka DEV-0504)
Date of Court Filing: March 30, 2023
Court Name: United States District Court
Court Jurisdiction: Eastern District of New York
Case Number: 1:23-cv-02447-RER-LKE
Document Summary
This declaration by Microsoft Digital Crimes Unit investigator Christopher Coy is the foundational technical filing in the Microsoft, Fortra, and Health-ISAC action targeting cracked Cobalt Strike infrastructure. Whereas other declarations in the case drill into particular ransomware families or investigative techniques, the Coy declaration provides the architecture-level explanation of how unauthorized Cobalt Strike operates as a criminal command-and-control ecosystem. Coy walks the Court through legitimate Cobalt Strike functionality, the distinction between licensed and cracked versions, and the ways threat actors weaponize beacon payloads, team servers, domains, and IP-based command infrastructure to compromise victim machines, move laterally, steal credentials, deploy malicious modules, and launch ransomware. He describes cracked Cobalt Strike as a globally distributed malware infrastructure and states that Microsoft observed more than 1.5 million infected computers over a twenty-four-month period.
What makes the Coy declaration unique is its breadth. It frames the defendants not as isolated actors but as a coordinated cybercrime enterprise that develops, commercializes, and supports malicious Cobalt Strike instances. Coy explains the infrastructure model in detail: infected victim computers, specialized command-and-control servers, communications channels, modular post-exploitation tooling, and the use of malware components such as credential theft, screenshots, desktop control, keylogging, Mimikatz, and hash harvesting. He also ties the activity to victims in New York, including the Eastern District of New York, and describes harm to healthcare organizations, financial institutions, Microsoft customers, and the broader internet ecosystem. Critically, the declaration supports emergency injunctive relief by explaining why simultaneous disabling of domains and IP addresses is necessary to prevent rapid migration of the botnet infrastructure. For searchers looking for Microsoft Cobalt Strike lawsuit details, ransomware infrastructure evidence, beacon malware analysis, or ex parte TRO botnet takedown filings, this declaration is one of the central technical records in the case.
