C0d0so0, also known as Codoso, is a notable threat actor group that has been identified through the AutoFocus threat intelligence platform by Unit 42. This group is recognized for their sophisticated tactics and tools, including the use of zero-day exploits in conjunction with watering hole and spear phishing attacks. They have shown an ability to compromise legitimate websites, which are then used as traps for selected victims, demonstrating their advanced capabilities and strategic approach to cyber warfare.
Two distinct malware variants associated with C0d0so0 have been discovered. One uses HTTP for command and control (C2) communications, while the other employs a custom network protocol over port 22. These two methods highlight the group's technical adaptability and their ability to deploy different strategies based on the specific requirements of their operations or the characteristics of their targets.
The initial delivery of these attacks likely occurred via spear-phishing emails, a method previously used by C0d0so0, or through compromised legitimate websites serving as watering holes. The group's persistent activity and evolution of techniques suggest a high level of capability and intent. The sophistication and adaptability of C0d0so0's tactics underline the necessity for robust cybersecurity measures and continuous monitoring to mitigate such threats.