Cobalt Group

Threat Actor updated 7 months ago (2024-05-04T20:34:55.664Z)
The Cobalt Group is a financially motivated cybercrime actor. According to TechRadar, it and the Russian state-sponsored hacking group APT28 were together responsible for almost half of all cybersecurity incidents in 2023. Its modus operandi includes bypassing User Account Control (UAC) to gain unauthorized access to targeted networks; in November last year, for example, the group was documented exploiting CVE-2017-11882. Its activity often overlaps with that of groups such as FIN6 and Evilnum, which makes attribution difficult. Cobalt Group and FIN6 are both known to use Golden Chickens, a malware-as-a-service (MaaS) offering also referred to as More_eggs, which has been dubbed the "cyber weapon of choice" of these Russia-based cyber gangs. The group has also relied on Storm-0324 for unauthorized access to corporate networks, primarily to distribute JSSLoader before handing that access over to the notorious financial and ransomware actor FIN7. In 2017 and 2018, Cobalt Group used badbullzvenom's (aka Lucky) VenomKit to deploy Cobalt Strike in attacks on banks; eSentire noted that the same suite was later leveraged by FIN6 in 2019, the year it gained a PureLocker ransomware plugin. eSentire also unmasked the second developer of Golden Chickens, the malware used extensively by the Cobalt Group, as a Romanian man named Jack, known as VENOM SPIDER, Lucky and badbullzvenom.
Description last updated: 2024-05-04T17:53:07.169Z
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Cobalt Strike
Associated Malware
Alias / Description: The EVILNUM Malware is associated with Cobalt Group. Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho
Association Type: Unspecified
Votes: 2