COBALT DICKENS is a threat actor group that has been particularly active in hosting phishing websites, with significant operations noted in July and August 2019. CTU researchers discovered this large global phishing operation, which involved sending phishing messages containing links to COBALT DICKENS domains. To mimic legitimate sites, the group used publicly available tools such as the SingleFile plugin and the HTTrack Website Copier to copy the login pages of targeted resources, notably universities.
The group's tactics include creating spoofed web pages that closely resemble the original ones, often using older copied versions of target websites. Metadata from these spoofed pages indicated that an Iran-based threat actor might be behind these operations. The lack of standardization in the naming conventions within the cybersecurity industry makes it challenging to definitively attribute these activities. However, the consistent targeting of certain entities, such as universities, suggests a persistent and organized threat actor at work.
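Pages copied with HTTrack or SingleFile usually keep an HTML comment naming the original URL and the copy date, which is the kind of metadata defenders can check for. The following is an added example, not code from CTU or the original page: it scans fetched HTML for those comments and flags pages served from a host other than the one they were copied from. The comment layouts are assumed from the tools' typical output, and all hostnames and sample pages are constructed.

```python
import re
from urllib.parse import urlsplit

# Comment markers left by the two copy tools (layout assumed from typical output).
PATTERNS = {
    "HTTrack": re.compile(
        r"<!--\s*Mirrored from\s+(?P<src>\S+)\s+by HTTrack Website Copier/\S+"
        r"\s*(?:\[[^\]]*\])?,\s*(?P<date>.*?)\s*-->", re.IGNORECASE),
    "SingleFile": re.compile(
        r"Page saved with SingleFile\s+url:\s*(?P<src>\S+)\s+"
        r"saved date:\s*(?P<date>[^\r\n]+)", re.IGNORECASE),
}

def _host(url):
    # HTTrack records the source without a scheme; normalise before parsing.
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def find_clone_artifacts(html, served_host):
    """Return one finding per copy-tool comment found in `html`."""
    findings = []
    for tool, rx in PATTERNS.items():
        for m in rx.finditer(html):
            src = m.group("src")
            findings.append({
                "tool": tool,
                "source": src,
                "saved": m.group("date").strip(),
                # A login page copied from one host but served by another
                # is the signal worth triaging.
                "host_mismatch": _host(src) != served_host.lower(),
            })
    return findings

# Constructed sample pages (not real captures).
SAMPLE_HTTRACK = (
    "<html><!-- Mirrored from library.university.example/login by HTTrack "
    "Website Copier/3.x [XR&CO'2014], Mon, 05 Aug 2019 10:12:13 GMT -->"
    "<body><form>...</form></body></html>")
SAMPLE_SINGLEFILE = (
    "<!DOCTYPE html><html><!--\n Page saved with SingleFile \n"
    " url: https://library.university.example/login \n"
    " saved date: Tue Jul 02 2019 09:15:00 GMT+0000 (UTC) \n-->"
    "<body></body></html>")

if __name__ == "__main__":
    for page in (SAMPLE_HTTRACK, SAMPLE_SINGLEFILE):
        print(find_clone_artifacts(page, "library-login.lookalike.example"))
```

A large gap between the recorded save date and the date the page was observed is consistent with the older copied versions mentioned above.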
In response to the escalating threat posed by COBALT DICKENS, CTU researchers have compiled a list of all known domains associated with the group's operations to raise awareness and limit their activities. Despite these efforts, numerous organizations, including universities, have been repeatedly targeted by COBALT DICKENS, as seen in the campaigns of August 2018 and August 2019. This underlines the importance of continued vigilance and proactive measures to counter this persistent cyber threat.
Description last updated: 2024-05-04T23:44:01.842Z