Emotet + Cobalt Strike — Dissecting a Multi-Stage Attack in Wireshark
📰 Dev.to · Himanshu Kumar Modi
How I identified Cobalt Strike C2 servers using Host header masquerading detection, found 3 payload domains via time-bounded TLS SNI hunting, and traced a malspam campaign — all from a single PCAP in the TryHackMe Carnage room.