Cobalt Gang

Threat Actor Profile Updated a month ago
The Cobalt Gang, also tracked as GOLD KINGSWOOD, is a financially motivated criminal group that has been compromising financial organizations since at least 2016. Among the tooling linked to its operations is the More_eggs JavaScript backdoor. Attribution on the basis of that tool alone is unreliable, however: X-Force IRIS has reported More_eggs samples containing a variable whose value reads "We are not cobalt gang, stop associating us with such skids!", a deliberate disavowal by whoever built the sample, and the same backdoor is also used by ITG08 (FIN6).

The group's tradecraft has evolved from what researchers call Cobalt Gang 1.0 to Cobalt 2.0. The earlier campaigns relied heavily on ThreadKit, a commodity builder for weaponized Microsoft Office documents, to deliver the initial phishing payload. Cobalt 2.0 uses a more elaborate delivery method and reuses elements of network infrastructure also seen in operations attributed to APT28 (Fancy Bear) and MuddyWater, which complicates infrastructure-based attribution and tracking.

A separate group, ExCobalt, has also been active since at least 2016 and targets Russian organizations; researchers believe it is connected to the Cobalt Gang, in part because both use the CobInt tool. The exact nature of the link is unclear. Because of these overlaps in tooling and infrastructure, activity attributed to the Cobalt Gang should be checked against the related clusters listed on this page before it is acted on.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

GOLD KINGSWOOD (votes: 1): Gold Kingswood is an advanced persistent cybercrime group that has been successfully targeting financial organizations since at least 2016. The group is highly sophisticated, financially motivated, and uses a tool called SpicyOmelette during initial exploitation of an organization. Once installed, S

ITG08 (votes: 1): ITG08, also known as FIN6, is a financially motivated threat actor known for its intrusion activity and its partnerships with other threat actors. The group has been linked to a series of attacks through Tactics, Techniques, and Procedures (TTPs) consistent with its known modus operandi. Whi

Excobalt (votes: 1): ExCobalt, an active cybercrime group since at least 2016, is a significant threat actor known for targeting Russian organizations across multiple sectors. Researchers believe that ExCobalt is linked to the notorious Cobalt Gang, a connection supported by their shared use of the CobInt tool, which be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
JavaScript
Associated Malware
ID / Type / Votes / Profile Description

More_eggs (type: Unspecified, votes: 1): More_eggs is a JavaScript backdoor that is part of the Golden Chickens malware-as-a-service (MaaS) suite and is used by financially motivated cybercrime actors such as Cobalt Group and FIN6. It has been described as a "cyber weapon of choice" for Russia-based cyber gangs. It was first seen in email campai
Associated Threat Actors
ID / Type / Votes / Profile Description

Fancy Bear (type: Unspecified, votes: 1): Fancy Bear is a sophisticated Russia-based threat actor, also known as Sofacy or APT28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the aerospace, defense, energy, government and media sectors. At the DNC, both Cozy Bear and Fancy Be

APT28 (type: Unspecified, votes: 1): APT28, also known as Fancy Bear, is a threat actor linked to Russia that has conducted numerous cyber espionage campaigns. The group is known for its sophisticated tactics, techniques, and procedures (TTPs). NATO and the EU have formally condemned APT28's activities, acknowledging the

MuddyWater (type: Unspecified, votes: 1): MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been attributed to the Iranian Ministry of Intelligence and Security (MOIS) in a joint advisory from U.S. and U.K. government agencies. The group empl
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Cobalt Gang threat actor was read from the documents listed below. This display is limited to 20 results.
Source / Created / Title

Securityaffairs (a month ago): ExCobalt Cybercrime group targets Russian organizations in multiple sectors

MITRE (a year ago): ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework

MITRE (a year ago): Cobalt Group 2.0

MITRE (a year ago): Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish