Cobalt Gang

Threat Actor Profile Updated 25 days ago
The Cobalt Gang, also known as GOLD KINGSWOOD, is a financially motivated criminal group that has been compromising financial organizations since at least 2016 and has demonstrated a high level of capability and sophistication. The group is closely associated with the More_eggs backdoor, a tool that has become almost synonymous with its operations.

Recent findings, however, suggest a shift in tactics and an attempt to disassociate from that reputation. X-Force IRIS, a threat intelligence service, discovered a message embedded in other More_eggs samples attributed to ITG08: a variable named "Researchers" containing the string "We are not cobalt gang, stop associating us with such skids!" The RKey in the final sample, "wearenotcobaltthanks", likewise indicates a conscious effort to distance the group from the Cobalt Gang identity. Either the group is trying to mislead researchers, or it is genuinely attempting to separate itself from its past activities.

In terms of technical evolution, the original Cobalt Gang (Cobalt 1.0) relied extensively on ThreadKit for its attacks, while the newer iteration (Cobalt 2.0) has added sophistication to its delivery method. It has also borrowed network infrastructure previously used by APT28 (also known as Fancy Bear) and by MuddyWater, indicating increasing complexity and a higher potential risk from its activities. This progression underscores the need for continued vigilance and updated security measures against the evolving threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are possible overlapping names and profiles that may also be worth reviewing.
Miscellaneous Associations
Other elements of context that could aid in assessing relevance.
Associated Malware
No associations to display.
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Cobalt Gang threat actor was drawn from the source documents listed below (display limited to 20 results).
Source | Created At | Title
MITRE  | a year ago | Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish
MITRE  | a year ago | ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
MITRE  | a year ago | Cobalt Group 2.0