Cobalt Gang

The Cobalt Gang, also known as GOLD KINGSWOOD, is a highly capable, sophisticated, and financially driven criminal threat group that has been actively compromising financial organizations since at least 2016. The group is notorious for its advanced tactics and techniques, including the use of the More_eggs backdoor, which has been linked to their operations. Interestingly, recent findings by X-Force IRIS suggest some degree of confusion or misdirection regarding the group's identity, with a variable in More_eggs samples stating, "We are not cobalt gang, stop associating us with such skids!" The evolution of the Cobalt Gang can be observed in their transition from Cobalt Gang 1.0 to Cobalt 2.0. While the former extensively used ThreadKit, a popular tool for launching phishing campaigns, the latter iteration adds a layer of sophistication to its delivery method. Cobalt 2.0 borrows elements of the network infrastructures used by other well-known threat groups, namely APT28 (also known as Fancy Bear) and MuddyWater. This increased complexity illustrates the group's adaptability and the escalating threat they pose. Another group, ExCobalt, has been active since at least 2016 and researchers believe there are connections between this group and the Cobalt Gang. The exact nature of these links remains unclear, but it is another indication of the broad reach and potential influence of the Cobalt Gang within the cybercriminal landscape. As such, understanding and tracking the activities of the Cobalt Gang and related entities remain a significant priority in cybersecurity efforts.